Skip to content

Instantly share code, notes, and snippets.

@davidak

davidak/minimal-target-container-configuration.nix

Last active September 2, 2019 20:57
Show Gist options
  • Save davidak/7d099b7ad4b23f144e4e8fed07e0d4f6 to your computer and use it in GitHub Desktop.
Save davidak/7d099b7ad4b23f144e4e8fed07e0d4f6 to your computer and use it in GitHub Desktop.
Download ZIP
nixos containers
Raw
minimal-target-container-configuration.nix
{ config, lib, pkgs, ... }:
{ #boot.isContainer = true;
networking.useDHCP = lib.mkForce true;
networking.firewall.enable = false;
services = {
openssh.enable = true;
dnsmasq.enable = true;
nginx.enable = true;
};
users.users.admin = {
isNormalUser = true;
extraGroups = [ "wheel" ];
password = "admin";
};
# disable documentation to speed up build
documentation.doc.enable = false;
documentation.enable = false;
documentation.info.enable = false;
documentation.man.enable = false;
documentation.nixos.enable = false;
}
Raw
targets-image-configuration.nix
{ config, pkgs, lib, ... }:
with lib;
let
targetConfig = import ../minimal-target-container/configuration.nix;
target = {
autoStart = true;
timeoutStartSec = "60m";
config = {
imports = [ targetConfig ];
# prevent nixpkgs to get evaluated multiple times
# workaround for https://github.com/NixOS/nixpkgs/issues/65690
nixpkgs.pkgs = lib.mkForce pkgs;
};
privateNetwork = true;
hostBridge = "br0";
};
in
{
boot = {
# Copy System to Ramdisk
kernelParams = [ "copytoram=1" ];
};
# raise limits to support many containers
boot.kernel.sysctl = {
# Fix "Failed to allocate directory watch: Too many open files"
# or "Insufficent watch descriptors available."
"fs.inotify.max_user_instances" = 8192;
#"kern.maxprocperuid" = 65536;
#"kern.maxproc" = 65536;
# Fix full PIDs, check with `lsof -n -l | wc -l` (default 32768)
"kernel.pid_max" = 4194303; # 64-bit max
};
networking = {
hostName = "targets-host";
# eth0 as first interface is more predictable to me than some random string
usePredictableInterfaceNames = false;
bridges = {
br0 = {
interfaces = [ "eth0" ];
};
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = [ 19999 ];
allowedUDPPorts = [];
};
useDHCP = true;
};
containers = {
# some magic code that is the equivalent to
# target1 = target;
# target2 = target;
# ...
} // attrsets.genAttrs (map (i: "target${toString i}") (lists.range 1 200)) (_: target);
services.openssh = {
enable = true;
startWhenNeeded = true;
};
users.users.root = {
password = "root";
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9e5B6doLlyFeBJIs2LpJA938HK2/jyITbtD7+xZ5Vw dkleuker" ];
};
# Monitoring
services.netdata = {
enable = true;
config = {
global = {
"default port" = "19999";
"bind to" = "*";
# 1 day
"history" = "86400";
"error log" = "syslog";
"debug log" = "syslog";
};
};
};
systemd.enableCgroupAccounting = true;
# Packages
environment.systemPackages = with pkgs; [ htop micro ];
# disable documentation to speed up build
documentation.doc.enable = false;
documentation.enable = false;
documentation.info.enable = false;
documentation.man.enable = false;
documentation.nixos.enable = false;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "19.03"; # Did you read the comment?
}
Raw
targets-image.md

targets-image

Host for GVM scan targets as live CD image.

Usage

Create image

This command builds an ISO image and output the path.

nixos-generate -I nixpkgs=https://releases.nixos.org/nixos/19.03/nixos-19.03.173391.0715f2f1a9b/nixexprs.tar.xz -c /home/davidak/code/nixos-config-greenbone/machines/targets-image/configuration.nix -f iso

Set the path of the configuration.nix on your system with -c.

The package definitions (nixpkgs) are pinned to a specific release, so the result is always reproducible.

You need the Nix package manager and nixos-generators for this.

Create bootable USB-Drive

Just use dd or your preferred tool to create a bootable USB-Drive.

sudo dd if=/nix/store/04psn9kk5b7c8pijvpyi331p21szd3jc-nixos.iso/iso/nixos.iso of=/dev/sdX

Use the actual name of your USB-Stick instead of /dev/sdX.

Be carefull with the device you specify since the command will overwrite all data on it!

Boot system

Just plug the USB-Drive into a computer and boot from it!

It will copy the whole system to a ramdisk, so you can unplug it when it's fully started.

You can connect to it with SSH: root:root

Containers

They are automatically started at boot. The complete start take about 7 minutes on an Intel NUC with i5.

Use this command to get the IPs of the containers:

for i in $(nixos-container list); do nixos-container run $i -- ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | tr '\n' ','; done

It outputs a comma separated list that you can put directly into a GSM scan target config!

Monitoring

Netdata: http://IP:19999

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment