From 565ee07812ff8663e2159155bd8eee29034c7855 Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem <charlotte@vanpetegem.me>
Date: Wed, 23 Dec 2020 11:52:22 +0100
Subject: [PATCH] Manage data-access container declaratively

---
 containers/data-access/config.nix        |  23 +++++++++++++++++
 containers/data-access/config.secret.nix | Bin 0 -> 4248 bytes
 containers/data-access/default.nix       |  30 +++++++++++++++++++++++
 containers/data-access/secret.nix        | Bin 0 -> 270 bytes
 flake.lock                               |   6 ++---
 machines/urithiru/default.nix            |   1 +
 machines/urithiru/secret.nix             | Bin 1309 -> 1277 bytes
 modules/default.nix                      |  18 +++++++++++---
 8 files changed, 72 insertions(+), 6 deletions(-)
 create mode 100644 containers/data-access/config.nix
 create mode 100644 containers/data-access/config.secret.nix
 create mode 100644 containers/data-access/default.nix
 create mode 100644 containers/data-access/secret.nix

diff --git a/containers/data-access/config.nix b/containers/data-access/config.nix
new file mode 100644
index 00000000..f98849e6
--- /dev/null
+++ b/containers/data-access/config.nix
@@ -0,0 +1,23 @@
+{ pkgs, ... }: {
+
+  imports = [
+    ./config.secret.nix
+  ];
+
+  users.users.data = {
+    isNormalUser = true;
+    home = "/home/data";
+    description = "Data Access";
+    uid = 1000;
+    group = "users";
+  };
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+    permitRootLogin = "no";
+    hostKeys = [
+      { bits = 4096; path = "/var/secrets/ssh_host_rsa_key"; type = "rsa"; }
+      { path = "/var/secrets/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+  };
+}
diff --git a/containers/data-access/config.secret.nix b/containers/data-access/config.secret.nix
new file mode 100644
index 0000000000000000000000000000000000000000..c3261cfeed0bedb2234f40fe589c80ecf5551376
GIT binary patch
literal 4248
zcmZQ@_Y83kiVO&0h}o28CaJC&X_RqmjX_}8ySTWp-+%p*YJw(73H@oz|NNSfWs!@d
zD%+p$3Cl&Zw#E6e9ka{wYWc>qt+gm$cwvrqdTY#CmR}rGH|KfJ{=1iDrn6+%l&foY
zzN;~@`>i`oAnZ}XRZorB_9^o(xCm%GG395g{rTYREi=KHyZtWIKU@Ctd8+d%pE)e^
zSvy*k&V1nfd|+8$n$Uvi+b14pZDCe6b=Egnbl?5Rv|TaEZ?)Ezyxq$(@6Cko>Nh9s
zWRed$eJ)_JY5eAGc@?J{1m@p(mBe!J)}s%>v)67vC!{>VNJe>Gr`g*$Rn7Uk*M6})
z5a?lY+_cw2^yV6O`FnB<`h8j*6Vg8XEVTMKRVYWYL3?w5R_S9!jgm%<^15h+=kcs8
z=eX^wUgb_*X1&E|+O;cHhhrSh+xMEf&VKNVRpFAqNpXRi?ggK}Kk@|9OJ;7ozgBr|
z?h3KFhG~n{c)Co!U3$%y$-JxYjbJ%zP1wrPNT#)hx<A&XF?_xM`gUIB;k6$F3Ky50
zju+S?@^P-lDyQfQ2c~r%nrAmy@3drCsk}=wJ*nvZr7{E0g$^&f-W<2|U~;&elJaoR
z71y{ot<Ua?r3Nle`xa}t>%6S^<<{nFTQy&FJxN$_@Ug04?sc`RuT$FIWk@ycm1Hqx
zotPcfeLXw(e(#zz#feh?Pu~x^CZ%U5;pls?|M?a1Bl8VEESjj2QReeuXGP@}p_ghE
z-G|SytUZ=!_V$WLFw>PEyW)g1OKz;}{}ydE&F-tmv;6=3N<~{PEs;Fywcv_Q^z)kx
zW~-%CWquqE6aV6JH`e6Qs$;L$%Wr=-_g}d|N?=Ruvky}qHtQc)xhhcg;u_nl*4f`*
zPS<=D>2A4E&*;}{?T~WCf4^qf^WJ#o!Lp9&*k*S}6PNq{_b)rVDWd8XGiPuCH&6e~
zHM}OVS>9eRD&6uv)Ma+1Uy<5kJi+q%<wJHePaQeN=JeC&*6FnAU+$dk)82D@L5Y)f
z(z=z`&c!PpC^V{hd~MPDoBLg}PKlSlmDSpRCCS-y=aYN4i@z@4`E3`cn~t$~VBoF8
zORe^C&-t?Kkw4eh52i<Cf=_Fn&lLMp&vwYb_hV>w*sSyJ3sRaE=H6PZzgdc*%h#y2
zYED|i)=<GC7aU!0*w5tgWB(w2_w|P#st2@={Wr}~GB@_Pto-FhRG>mdangZJ8)D+E
z-t}#LIB()o=|vBZtL=PicX0h#{ls3anA@>>N1}_lI{*EWZ7i>`ol~`?sj}zwn--}<
zQw!f!w%mVS|JuC%Z?t&!t5gZY)@2t{EX#jp&YBlj|72y!3dgI-MP_`rjT_wqGW^7A
z%`cqc>*iazR3pgp1j{moiK`4tt}OhOw&=x;HT;vl?K)-uQR+e9si_D3PTHICEYDfB
z=e&Z4bWQiutemYqpIR2oopA7&$Rv($5e#O>;>x(*36yI%pEtTzAQ^V^)SKdCElTXC
z{jQrWy4u`xHfL@2L8j)!OauNShfSwwWZp{c>9U{yJSe?$?Y`WpHig{rS}rPX-(>h+
z1;nkX-FD*(t7|~(wOjkGCOb-ShVP!6!u#uARoZp4$;a<}iP^A6pHp}LB&Mu$;gjVH
zy#J}rRy>h?)tlK+tN-vWUO{V>sa01UAGc*OuKbr9`tsZAASK-=UZN#0985gdm6)h|
zT>H2u^}ci8rb=dc#!orB<g<*$ubcZbE1X&3)N`Hn)Z(DzJJT)W-DKYCKb{n^M=`U?
znaymf+T*>h{igp`PTG+vVZNRHpP$R=^4l+un0~%jztYe{iP34kz@nW~(&sNdzr@!m
z{ZQWPQ|!k--G3Vw!<{3yP%bd%T9mi#%l%4|c^v1>Sa>x>^MThzwZy<kNvV^@r@S`K
zyl0>tBIWX`{=Z}gcYxT$ldE~7-ur2Nx7t3rG<QN?iHAbt3XuoFZGpia5#J;a-MSrk
ze$u3qemy%}?Q2Bm{;6tYW-++Ub7*}%WAD2IrFqWWRcc@Mw}j15?KA4=IC+vu_d)xO
zjWhQyj9jdCx}|&T@hkKGs+`<?f5MZ~9T{2w9Tj7a=l}kl>{O>}cQrgDjd|Cv2c?Ql
z4|px-z2uEZX)jjzT79F|o~3M0v)YM@>e!MmK^Ivsp7>L}qc-9D{mv;u%y)my37`K$
zHtwO2{*H!j(Uy=`m8ZPz{3|zyo-F*ifamn}ElXbdEUgN)-(B-$RnKXstt|82FK&|j
z^61Ny+*ctxcdfJ8rxT{ZEw=5nd(!8I&SSrLBstuUMSM>&et76K>!Y?6+Q*~p_HewL
z7x>lA-sS#+iM&6PX8yTjsi_&EZZlacg7w-8Im0Cdae91*KAmKIpTOb6T77>0ynJ_y
z$A6wZ|0{MnK6C$_J*{DjZ~n-en7L>3B&*t=Il@a!sv~cFycZO1u`cCi(1&$>%G#x;
z7i4EVa%RsyIMMim%$|-T+k5s26_~$YvuA0~=EF`7{$HQRmKTd2nU=8qb3!<qLTJd_
zy$^lgJkFCTw|AagIEi_K@d1rLX606uLV|y%Hr|+_%jT_e?wV-MtH3=6FJJmS_lx0;
zoBuBGpWL_Dph$45kiygda}4({Vz`|4c(qQYgj|*`A5+Iy#(lo2IzPImxu~?TJuNT&
zuEb+wUnQ{R%c*{mMR!?tNi2K6<7V}-hP}`4%0F3n|G$p&rHT`OShX~^+~?RMqZxbr
zvvzOlG}hX8=FxUWYwC>E4u5&@YBlTQtA&rX1r^?POUj%x=`J;H(_3`$*PWd)7x%_q
z`}Nv%_npW-hVMBhEuT^jzs>bdJmYlxvwMTZq{9bJNVtYbJ!07QdDi@pcasu3*X@q1
z6u!z~`aSeO->VIMrlzl1_wt%u*l_Un65b{4M_2y%$~oy>W^IjkXt8mn^ql{d-&fTf
za;vV{d$r}yhxWY{5v-n3$G)$&+AOp&%<EiNWRb<q)AMINy0{}P_~Wbpyh~@lGGlDJ
zVb82+#XVh1B=Ty0+K;oP+uu%$&;3>OZdP2%MniwyPg34hA`cnmYO6SVxJ4(N-oA|U
zbxLkPg`CU>_iZPwW_neh-k^V#(fsT>#Z_t7%jbophM9z4-4kKDhj0Cy3ky?yCO9Uw
zZ#4aLBe(CQ2e0ENZ-#<Z#&*#cxBO4aer~e0vwhd$noHH^3O8QPaEf--U!{1Mwd%pS
zbfp)0(~WwL38nQ;t!`DFo_o|sgYVFk9U0G0oYdysc=&Xt-QB6jwG`?)cl^DTz;`0g
zXk!qU&iuOyPXB6R#J39dTzHUre#)MU>eEW!{@(RC%wtL1(WSEwnf<kpdnhQpyW{Gi
z&WEg580&r3Z`Ry*inEMw?a`YS!k^3@s{Fs!=E-(JTwdK&CgQ^LO);mF<IGR)G`+F(
zgt2j|fZq)ngTF#c4{7v&{Bto#^Yg|dCc1IgrylwBusx!`y!P#d6Fq@E(o^Ezys2w4
zTChn&Z}Z&}mX`mG54}EKEdJQ$!FJ+E((bNY$F>r`$Vcgqw{mRa_0foa8YCsXp8fS>
zlW)0)Klrz8YrVQF`PGJ{Y>Tt4P9OZ&w1hohgZ<anFFchO3%Ty_*?VW_>i5X3XKHRc
z>>(%ZnRlQt<<gVy4?32{e*WV9GsZTb$=mn;?1+z9_Ivj2Js2Gu+*7{qmi(J<cP|U?
zy1H8Md7g<!tAIMMR(`Vhg`m}w?*3J<)z9;>Uj6#u<TTBIkIW$ge-buqH@~#>XGGxJ
zw3K<5<vv+-=7vQ5S*={w(sKFlIW7%1-wl`7f6b1yyV?{cyOlrv<R`7|nk(-mrwXeo
zZppFG)(&@)wbJ);-6`W-UY~Ge$Kgah_T#18W&8bF7VNdU^DLfgo~Lnc;QSL)Z$=+o
zb8F33iATNx&FVKSJX{SdZOW3Edy;A&6qz41Rqfx+sS{N6EI;jrgjJgblO4PA@v>VI
zT?Ml?KP?Gzv359^=+B+^Ml5&Yb%DCmi!9Gv2%i4ia>)`Mr#relo|WvDNdoTz+}E)0
zUbbiV3>^*)*Y&yo7KY1Suir9l*P|)YYR@Yc+`M%!asCySkeJniKiY5HemditCg&p$
zQ7#p!9JZB<&o^aEuDyDC>6ws-hpU^r&(FN^P*CLW+}OAW0@9Wl|5@BGJ#E?cC5(T2
z_AQ_Nho0WHsrt7?*t9W;|L7Nijb=+ex2TmF>Ew1!d;K9q>(_=wf14$jIG)Zr`Q?G_
zo(pqdwx3?*9%I(_Q$1j(zv+z`Pi}o?wS2SlaNC1$(|A@ssi*tj><)YvTys1xt#R*)
z$Gi64%BXs|YWi*Qh)oBk@8Wsixh3>VimcI{MNfr2x93=`(YQb1>=)iiO%73$x3fm+
zoH2LiWjXh;|9PaphwiUShdhf<8Q9cKU4F)F=fsb>Y>OGUJ^cNt>ePYfax=F5oxUJY
zc<Ek&if{Z0775x8z3k=riw^Kd?BQ=_D=yuc8*Dwp-c@YvgW9HK(WdFzW=?N1{E}Q>
zPq_SkRYg(LuD@&4)iq6Rj$Yo~P`-M}*+ccoMGF|NMBJM;HQ|zB@ba|k>3eQ>$;cTQ
z9_2qKa^-bK#)bvrnh_dTO*iRR%<QSY7ko5B@#KTA(&1m;Pf?do<9g7?FRSo#q2bx@
zy;1ee?`No_sBEe@;IN|h@z0A-GFl|mto5AiS8^TgpZCdpIzy$W*#o7?#y$&Eeg<lI
zDM<C}aC%(0Ep}9~;<mvlj{csxL7qLge6nx1Z&<tbTLEuV;Eg#OJls!Y&RY@@uyS9?
zT7?6de9NVlF5UXr{mMTn5uW>x7a!@~v)ip&XZyPemaeK3_fM_+vb(NiQm-bXm(J^b
z&sHv7$mgWV`1nY|tSf;$rL}?Y9wZnwi_YnK@#?X`xkRJAeY=w`sk)XY_i{YQdR_RZ
z?}P7>PoXK2ZJ%E#zRKCk9`a2#AmQeFgEw0%r)KTRi9cW)d?~bHuA7LvgwB)|Y&W>o
zuHBXY#4apkcWc|nr7083?fK^9YMcEvY^mL*RkGYEJ3V;%Ej#y6C)-@sZSwae{I^>F
z+*o&|>MR$_f#|(gZ&d3(S;!%(!=a%0W&L6i=6MENAJ<h}SlAwM?3kBb`Q)dOMIym#
zrE8oH{xncO9?zaEQuUz!_l9?=eQHzk?;hT}Kk=jc{S9ev!lL>EOJg*0weK0TGuSn2
zU*5JTC+G3x2?CMU65an5t3$<pwyc;JAj!@7V$*}Uxi-#R^J=CS*q^XnDP<fkS8yV$
zd3n|SxUb9A)tj$$XTIi8)sz1!b6529!sz3ds&_XE-gVmj|7^N=C)cWncV-o@mt<1%
zu<mt;yJb*NQZJD7|Fn(P&ZVpW<kff`7HHe-FZI04WvAx5A6j=$ALsO%ru#g0-|^)v
zrPG5Zgm9*ZReX4SZPCwT3WjXryWY-cpY~UZRrX~shs&BzpI%LpV!U<6Xz5}BSq8o*
zK4(|=M;~h4J&~d8@wD&k@!~JqLk+iO@iV_^?M_^hW%QgsV%PWePj@8ntTcTq%lCEN
z=l6Hk#~La)8rOc_xkTOK`>XF;p4VBp^2-Tt-h6`hi{+tji&iwQOWpNCJo<&>yZgpo
zYoAz`NS4m>b&55$s<IZWxTzpKt?0IQ#-mSXx_r2@f@f|moiOR(V%ev%MLhR6c$i+c
z(^#9s-rid{mt9nuxmI;inSO@1l)#KYi)!^F7k>qOS+`hKh0!E1Zh=nCtVxDzk{<`e
zPW#=nGV#gYqS;&fe@$HHry0Y{v_&Dxq4$Tu@9ClJ9@dT()&kLt+DqTfd)>2FU9S1i
zt?a%_MJ)4HO3Zq<u2*brW}EYs6RYYZzByOCFHCi*i!N|2+jroqT<x{QsfBT7*V?i+
Nv*o57nY}LQAOL(FLSO&@

literal 0
HcmV?d00001

diff --git a/containers/data-access/default.nix b/containers/data-access/default.nix
new file mode 100644
index 00000000..49288bd5
--- /dev/null
+++ b/containers/data-access/default.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+
+{
+  imports = [ ./secret.nix ];
+
+  config = {
+    chvp.hasContainers = true;
+
+    containers.data-access = {
+      ephemeral = true;
+      autoStart = true;
+      bindMounts = {
+        "/home/data/data" = {
+          hostPath = "/srv/data";
+          isReadOnly = false;
+        };
+        "/var/secrets" = {
+          hostPath = "${config.chvp.dataPrefix}/var/secrets/data-access";
+          isReadOnly = true;
+        };
+      };
+      privateNetwork = true;
+      hostAddress = "192.168.100.10";
+      hostAddress6 = "fc00::1";
+      localAddress = "192.168.100.11";
+      localAddress6 = "fc00::2";
+      config = import ./config.nix;
+    };
+  };
+}
diff --git a/containers/data-access/secret.nix b/containers/data-access/secret.nix
new file mode 100644
index 0000000000000000000000000000000000000000..b305e899b903c626a0ba7a54a1a06a72f91169b6
GIT binary patch
literal 270
zcmZQ@_Y83kiVO&05V5<I)VpxU+H9rMFCK8|?ULo(!18+0uc()qyZ^k@J$tgqQ|Oca
znnGzkK~cN+PdjQB+_}`RzV7d$KjJ&v<FX~LSZ_ESao5E1c5}~%qaP-vZR>egD}3Zf
z>to)GJxb4b)y`C&D~>N;IMMXYWo9`CR?dp4ZD)R8{lhccV@ar4NhMc;$kB|&RS)OA
z)}MK0-z%?l4T(;<&6?9TdOg_Q6VGS5g+=DjES_1<wjIpdYh(8L+llx+P5jL13XeZ6
zIA@-vdHaX<t~MdhvZrOM5<8Dgy~gTwj3=ht@4+gm-;sB|t_;oHcOZTKs@;p7MMQ;O
gmnHYO7#MGvnCu)ccYKoU_3mWrnB9B-pMQ7_035i8DgXcg

literal 0
HcmV?d00001

diff --git a/flake.lock b/flake.lock
index 830a1413..1b4d87ff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1608506894,
-        "narHash": "sha256-G2TNqzJunVXcC2sQEvtLOUs5QpI6f2y4Ben//HLQkh8=",
+        "lastModified": 1608593447,
+        "narHash": "sha256-kPpoSldJMLKS8hdhxj4rnsRZb4f8ZzaiQFjYTuZm4mU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2b1892e646f2e48591c53b3293622720e1a3bdca",
+        "rev": "2901044520fbed466eea8b91df55183297eacd47",
         "type": "github"
       },
       "original": {
diff --git a/machines/urithiru/default.nix b/machines/urithiru/default.nix
index 3cec9883..161606e5 100644
--- a/machines/urithiru/default.nix
+++ b/machines/urithiru/default.nix
@@ -4,6 +4,7 @@
   imports = [
     ./hardware.nix
     ./secret.nix
+    ../../containers/data-access
   ];
 
   time.timeZone = "Europe/Berlin";
diff --git a/machines/urithiru/secret.nix b/machines/urithiru/secret.nix
index 34a34a43d26f51028f672d9a45a2545b674cd89c..2d6da5f4fca5a62f206ee3a61ddef0f8a914ac8c 100644
GIT binary patch
literal 1277
zcmZQ@_Y83kiVO&02s>f=U~!yE$}Wl9TKZA@4Bk5Y-MQxE^XbQ4y}Xns^7O3rGt)!I
zAB7f9JI}mn)2BU2EE|q(7M<ak$QE4k*8j`dLl0%F7_L1i+%Ni*caq=7_(%CQk<W_%
zO}jU@n0*?@Vu=mMbKgDfz1(wZR?owOnd-v%Kgwot-IyiQ$oXT{lTWfy4u=vJ3oqOG
z-cR+!(lUXQ-mH6G@4lp<U|(DqYZ4%DeEQsVj^lS6roUay{JEL&K$pCd<t)RS*U#Qf
z^Iwy)?TA72mD^7(_w!9HJ;wHL<7}rt1_wK*+HrTqAD+XXROZ!p?_1mrcDZYZI#YbE
zoXFch%OEx1{E4ckhR&``<&BG~gPd;PV&pe1TjVWZYxH66bU*Hmk&Itg$7a>9(^wz3
zv4*+&bNCda|C2k{+_s!(E10Ke?j6MObj`lj!jlmf9%!ukDkQMy#FN~V?OVG9-TM|s
z-7=fhq!G@~p!G@5UZ~>ICdnLmD<Op?kpcI*PQCqBD?8=xvCUVmK5_Z0d1Q`$@yv69
zEa?RwN(AR`KO<ih5%6TQCfEFpeKU%D-$?E4j&5^1`zr6}_XRTpRnJNNvYZ|xXc*@(
z>x$t-?w{X3JeJ&ddjGfD538lNFt8VRZ+6OMpK2c89(Hu=m)1GyEa?w&{EueOj`*rR
zZws&B@r!S^ezB{2%3HZ_D=$m_jF;{eueB7Hq#U)=n%<Ok;_`cuvoCG<{P*5jr&Bhg
zE#Zi7=GrrJ!#4Twhp}x>Sl4>nJTq+RyS9QwPh37Mtg(|6Ts~VuM50J;)hzb75aw5>
zjh;rj9=Si+I=Mx8m!SQ%(rcTPw(W{qc)Na%uOD0X5B-bQ2ilMDz5i|#`ON>U=BpE~
zZ_nQnf0ylYt#1{pV%P4>(>s5tbiVj;+l<4@{ik_fe?r$mx4kL97q7^aTX->jVT@&P
z{O`_)@`h>?@z3nFySIlOO%KnSd$aY|lMB<|KGS?x!0xzK*ePi4Tt|=2vtECqGmfoY
zaP4x7`-&YK?q6N^h5x6@rq6}@oVn9qiQhZ2F3zFJY}z))(*f@u_~ksZloFU!d8$?6
zsjB5FH_HGCF`m>Wxvb`;UD;1$r@Oz8URLSW^EvkT`ki%3KPG3Ec*bM|d4FvbJJcH9
z%=Xpg`3ITlGmO=rZ2Nat^uSyFgh#s73|Dj5xde{ioyov9+5HS-S--(M-uj>q5-;~m
zjS?-?p6-+Xwnb;Xof4-_!>a9T=J%agqOw9R$KuTwUoCfuvdg<Tb~G({o|!N3P+e()
zq>bZ;z4I1L`!vs?A;oX=j2oUuqmBz)o@RY-{Rxgw`&9j=@-n^FXOraU`o_YVyz}9`
zxJN5$E!Y>Qekt(sSGgY-lJHgK%4uu1NiABew|>kyX`IgAz_&!**m2kWS5v0Nu^s4W
zd0ne>`hF}s*Scq}lUGTdzN3CjLf=Tts>S%YHSes=ZZ<4$l;WI^Z+ZNNHD&qT=K+m9
z$<_IPAEa6OF4=nRyY@8Evlr*5To-=u_KuDV+qB7FvOYgi;{QG=Y1iaO+*(TyF$Ef4
zxv}}|&EH%nIk&NYT&|$m$v@}QbgTH8X>!atweg?qJbXGXU!H96#!_hUbK`;)ODB9Z
z-|=A6>?gVHrD5M?c5L8?UAxY3;r@i(AKO}9Oex5pp1D>!_R-gcy_eN&cD<L&I@R}S
zdTrRzc!j&~TG?t3xBS_lp2+u@PjixX@gtEap9$N$C!F}bS&>WprYKL?tdPpYh2pPc
E0lt}k#sB~S

literal 1309
zcmZQ@_Y83kiVO&0h~t@1x1hykZREj&XSCF7-X6WoV4SA*Z{-UAp4}qhT=|w|e64@l
z4E|1ExX$?InMZq`DnzY4(6X@K`DTOYlc0l(-yFEC;;{ZQ=Z?ejpLxrkDKxL_s|h)h
zHS5Z)DceszvgzM>BQAQ?Ym5AS?tXK9o_5$gdT`R&H}pTtg4W*_X6#C@XH8d#aeefM
zKmVi1*Dr~`w>`V;liquid4ui0mCtR~>&s4A_d-tM5ZmPTXM2`??FpVyzV142?>U#?
z31XbHJ)2XGHQZo1_P;&){j8e54r1!5td}HDRRtaCmRn-ya`^j?8&7>qkB0JgX-!@5
zf4PF{^XAIj$KpZ4A+pbdXWEyX<-585hEDH1b6r)QndY(AwkYX!UbZ^g9m#WR%6GNA
z_WsMtM!6RkKVH4d<^Cd<&>N+?-)%bc9({MLIk9egzDR-oor!Zp|M0MJ#x=f8Zi<~2
zWg{rn^<J~gYl{ePs42(Biv9XchPl(KOU}&PEcZ0?HBaE3-)qh<j<uGFztMXpULiW`
z?-~9dx>57%+l0%U4U9L+vdwBL(MhVGc)4J1+9K`6cbAlInWpvSy^XT+q`3<WxBEVQ
zlCiryI=)_2c$4J8BK}7+Q;%L?%{?w*<g6jq_pL|gZcuvP9>(4K+gHm*dz(b;ITtq1
zQmN6y_3i8pa+X(8eWrbzbZ&>>MW?)p$LoqGOs{6#J<m+Msk1+?-8nIF=evsj_vvvu
z1?m%wmrv1WUmh!H;jLu%RAoVG=8GVaZN|ahy81FJJAOxBGI(khIOE}D5BX1*9^dpU
zvhU~NuWFimC;1$oNJyrd`>I#VIR5)y6E9|sn^duI=IcPg<z<5Fjb6M`ZTrp=Vc7X)
zjfVf8g}nxi&%545@^qQ6ohJR|lFF%^O*3A+;mbezTW9@}U2~p1S{}q}vH8Tq9Y@=I
zdT%#6%6!T;*nUX3%OLS&R)XKLpBIW9oj0`!yvh1<JmdG;sqs-0a`vC<_PEt^>g_VY
zO-+}tsb+`%75H8pCEdEf*7IP{!yAIJZxps#?KR*sPPLto^lVyn!SD8MR(&#>^S$FN
zqr2VL=|rz|_`r1UONO5Q8aB&66E~f%jNh^QRK-Gh6UGYmV=W*0O%lHTt$BVVbDMhH
z&2NGt-F*{yt)o;<q_V3Eo%UR}E%t5Ak<$krH8n|V3M}EAAXsGQw_V_Od9s_b%R7x0
zokHvGrrM4(g)_q*{ylMiUVuzz$ke-Ex%BJAr6*=ch5dWfkZm9PXx`@&F2{Lx{;04B
z37M*Bb>N&(M1Q^wXXwE>>}%~G`+iZ4|I06I$G>Y`;D*#sG74vN4l9QzF3I+`cz5J{
z>1i$xp9-f5h39_iyg2*eta1PA#^Vwf)l~nR{|Ohh464|_$f&L2-(3YC>woF2u2K&#
z%qV4Wn5%D@<N36y=)C>;sp~msCe)hqNX~i_{8v+P@*O?lDK9?EE)L%ycIZT9j;{9e
z0_}q9E0&e?Y>L@#99NSd_~4&GSjhJ?*?e+dHhWy2xH@(72FagV;G+`plE3!QyB{7=
zED1$Rrr2uEI5*Ys)2b}jm4%|qxpX~eaVlyRelL)}xZp<Z!!?VRdGjZDAH7sN?Lv?L
zs`Ni!ulzXuU_y2@bKUG0U(0HF&F?Gzw_T_e5qKlj)}nzsvpU^-n_1_c(l_z4@24>C
ze)U17k0mr>Mp>ll1?krut4~k+b=~xy^sz}#CI77cTbFlXgX-lI>NozFzKe_fbh31#
g@~^~rjqX`LBtvCgc8MN%sr#ji-)!Gy*5~HM0N3z_aR2}S

diff --git a/modules/default.nix b/modules/default.nix
index c2d03c6e..eab0ffbf 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -40,6 +40,11 @@
       default = false;
       example = true;
     };
+
+    hasContainers = lib.mkOption {
+      default = false;
+      example = true;
+    };
   };
 
   config = {
@@ -61,6 +66,11 @@
       ripgrep
     ];
 
+    console = {
+      font = "Lat2-Terminus16";
+      keyMap = "us";
+    };
+
     i18n = {
       defaultLocale = "en_IE.UTF-8";
       extraLocaleSettings = {
@@ -68,9 +78,11 @@
       };
     };
 
-    console = {
-      font = "Lat2-Terminus16";
-      keyMap = "us";
+    networking.nat = lib.mkIf config.chvp.hasContainers {
+      enable = true;
+      enableIPv6 = true;
+      internalInterfaces = [ "ve-+" ];
+      externalInterface = "eno3";
     };
 
     users = {