From 2e2fa3b8f1a8adac437bead887bc88f829f8fa81 Mon Sep 17 00:00:00 2001
From: Astro
Date: Mon, 9 Dec 2019 22:52:53 +0100
Subject: [PATCH] lxc: progress, nixcloud-webservices

---
 hosts/server7/containers/default.nix |  3 ++-
 lib/lxc/default.nix                  | 36 ++++++++++++++++++----------
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/hosts/server7/containers/default.nix b/hosts/server7/containers/default.nix
index 6403e5af..78efe3c0 100644
--- a/hosts/server7/containers/default.nix
+++ b/hosts/server7/containers/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }:
 
 let
   yggaddr = import ../yggaddr.nix;
@@ -47,6 +47,7 @@ in {
   lxc.containers = {
     trivial = {
       nixos-config = "/tmp/trivial.nix";
+      lxc = {};
     };
   };
 }
diff --git a/lib/lxc/default.nix b/lib/lxc/default.nix
index edd45566..37cf50bd 100644
--- a/lib/lxc/default.nix
+++ b/lib/lxc/default.nix
@@ -1,7 +1,15 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs,
+  ... }:
 
 with lib;
 let
+  nixcloud-webservices = builtins.fetchGit {
+    url = "https://github.com/nixcloud/nixcloud-webservices.git";
+  };
+  nixcloud = (
+    import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
+  ).nixcloud;
+
   profilesDir = "/nix/var/nix/profiles/lxc";
   containers = config.lxc.containers;
   nixPath = config.nix.nixPath;
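Review bot: The new `nixcloud-webservices = builtins.fetchGit { url = ...; }` binding gives only a `url`, so each evaluation fetches whatever the repository's default branch points at that moment; the host's `environment.systemPackages` is later built from this checkout via `nixcloud.container`, so the host configuration is neither reproducible nor protected against the upstream history changing. Pin the checkout to the revision that was actually tested, e.g. `rev = "<commit-sha-you-tested>"; ref = "<branch>";`, and bump it deliberately. A fixed `rev` also lets later evaluations reuse the cached checkout instead of re-resolving the branch head.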
@@ -37,15 +45,21 @@ in { }; config = mkIf (containers != {}) { - environment = { - systemPackages = [ pkgs.lxc pkgs.apparmor-parser lxc-rootfs ]; - pathsToLink = [ "/share/lxc" ]; - }; - virtualisation.lxc = { - enable = true; - }; + virtualisation.lxc.enable = true; + environment.systemPackages = [ nixcloud.container ]; - systemd.services = + virtualisation.lxc.defaultConfig = '' + lxc.id_map = u 0 100000 65536 + lxc.id_map = g 0 100000 65536 + ''; + users.users.root.subGidRanges = [ + { count = 65536; startGid = 100000; } + ]; + users.users.root.subUidRanges = [ + { count = 65536; startUid = 100000; } + ]; + + systemd.services = if true then {} else builtins.foldl' (services: name: let systemDir = "/${profilesDir}/${name}/system"; @@ -59,15 +73,13 @@ in { ]; autodev = 1; include = "/run/current-system/sw/share/lxc/config/common.conf"; - # TODO: userns? - # TODO: apparmor? apparmor.profile = "generated"; environment = "TERM=linux"; }; }; config = builtins.getAttr name containers; lxcConfig = builtins.toFile "lxc-container-${name}.conf" - # TODO: better merging + # TODO: more intelligent merging? (toLxcConfig (lxcDefaults // config.lxc)); builder = {
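Review bot: `systemd.services = if true then {} else builtins.foldl' ...` switches the entire container-unit generator off with a constant, so after this commit no container unit is ever produced and the `lxc = {};` attribute the host file now sets is never consumed; this reads like a local debugging toggle rather than a state meant to land. If the generator is intentionally off until the nixcloud tooling is wired in, make that visible — a named binding with a comment, e.g. `# TODO: generator disabled while migrating to nixcloud.container` above a `generateUnits = false;` in the `let`, and `systemd.services = if generateUnits then builtins.foldl' ... else {};`. The added `lxc.id_map` lines and the root `subUidRanges`/`subGidRanges` agree with each other (start 100000, count 65536), which is what an unprivileged mapping needs; the `foldl'` body continues past this hunk.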
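Review bot: The context line `include = "/run/current-system/sw/share/lxc/config/common.conf";` still expects `share/lxc` from the lxc package to be linked into the system profile, but the previous hunk removed both `pkgs.lxc` from `systemPackages` and `pathsToLink = [ "/share/lxc" ]`; unless `virtualisation.lxc.enable` restores both, this include points at a missing file as soon as the service generator is re-enabled, which is worth a comment or a path derived from `pkgs.lxc` directly. Dropping `# TODO: userns?` is justified by the new id_map, but `# TODO: apparmor?` goes away while `apparmor.profile = "generated"` remains and `pkgs.apparmor-parser` is no longer installed by this module; either keep that TODO or note that the AppArmor side is now left to the NixOS lxc module. The `lxcDefaults` expression starts before this hunk and `builder = {` continues after it.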