nix-config/config/lxc-container.nix

{ hostRegistry, config, pkgs, lib, modulesPath, ... }:

{
  imports = [
    (modulesPath + "/profiles/minimal.nix")
    (modulesPath + "/profiles/docker-container.nix")
  ];

  boot = {
    isContainer = true;
    loader = {
      grub.enable = false;
      # /sbin/init
      initScript.enable = true;
    };
  };

  environment.etc."resolv.conf".text = lib.concatMapStrings (ns: ''
    nameserver ${ns}
  '') config.networking.nameservers;

  fileSystems."/" = {
    fsType = "rootfs";
    device = "rootfs";
  };

  nix = {
    useSandbox = false;
    maxJobs = lib.mkDefault 1;
    buildCores = lib.mkDefault 4;
  };

  networking = {
    interfaces.eth0 = {
      useDHCP = false;
      tempAddress = "disabled";
    };
    nameservers = with hostRegistry.hosts.dnscache; [
      ip4
      ip6
      "9.9.9.9"
    ];
    networkmanager.dns = "unbound";
    useDHCP = false;
    useHostResolvConf = false;
    useNetworkd = true;
  };

  services = {
    journalbeat = {
      enable = false;
      tags = [ "container" ];
      extraConfig = ''
        journalbeat.inputs:
          # Paths that should be crawled and fetched. Possible values files and directories.
          # When setting a directory, all journals under it are merged.
          # When empty starts to read from local journal.
          - paths: []
        journalbeat:
          seek_position: cursor
          cursor_seek_fallback: tail
          write_cursor_state: true
          cursor_flush_period: 5s
          clean_field_names: true
          convert_to_numbers: false
          move_metadata_to_field: journal
          default_type: journal
          kernel: true
        output.logstash:
          # Boolean flag to enable or disable the output module.
          enabled: true
          hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]
      '';
    };
    # Required for remote deployment
    openssh.enable = true;
    resolved.enable = false;
  };

  # Create a few files early before packing tarball for Proxmox architecture/OS detection.
  system.extraSystemBuilderCmds = ''
    mkdir -m 0755 -p $out/bin
    ln -s ${pkgs.bash}/bin/bash $out/bin/sh
    mkdir -m 0755 -p $out/sbin
    ln -s ../init $out/sbin/init
  '';

  systemd.network.networks."40-eth0".networkConfig = {
    IPv6AcceptRA = true;
    LinkLocalAddressing = "ipv6";
  };
}
journalbeat: set logging host 2021-10-06 19:12:32 +02:00			`{ hostRegistry, config, pkgs, lib, modulesPath, ... }:`
refactor into lib/lxc-container,shared for grafana 2019-04-01 01:24:54 +02:00
			`{`
Use modulesPath where appropriate 2020-08-04 17:15:07 +02:00			`imports = [`
			`(modulesPath + "/profiles/minimal.nix")`
			`(modulesPath + "/profiles/docker-container.nix")`
			`];`
Systemd breakage 2019-12-03 16:25:24 +01:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`boot = {`
			`isContainer = true;`
			`loader = {`
			`grub.enable = false;`
			`# /sbin/init`
			`initScript.enable = true;`
			`};`
			`};`

lib/lxc-container: make /etc/resolve.conf nameserver setting multi-line 2021-09-20 22:11:41 +02:00			`environment.etc."resolv.conf".text = lib.concatMapStrings (ns: ''`
			`nameserver ${ns}`
			`'') config.networking.nameservers;`
Systemd breakage 2019-12-03 16:25:24 +01:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`fileSystems."/" = {`
			`fsType = "rootfs";`
			`device = "rootfs";`
			`};`
activate central logging 2019-07-04 04:23:39 +02:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`nix = {`
			`useSandbox = false;`
			`maxJobs = lib.mkDefault 1;`
			`buildCores = lib.mkDefault 4;`
lib/lxc-container: net.ipv6.conf.*.use_tempaddr=0 2019-11-03 21:14:31 +01:00			`};`
refactor into lib/lxc-container,shared for grafana 2019-04-01 01:24:54 +02:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`networking = {`
			`interfaces.eth0 = {`
			`useDHCP = false;`
			`tempAddress = "disabled";`
			`};`
			`nameservers = with hostRegistry.hosts.dnscache; [`
			`ip4`
			`ip6`
			`"9.9.9.9"`
			`];`
			`networkmanager.dns = "unbound";`
			`useDHCP = false;`
			`useHostResolvConf = false;`
			`useNetworkd = true;`
			`};`
activate central logging 2019-07-04 04:23:39 +02:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`services = {`
			`journalbeat = {`
			`enable = false;`
			`tags = [ "container" ];`
			`extraConfig = ''`
			`journalbeat.inputs:`
			`# Paths that should be crawled and fetched. Possible values files and directories.`
			`# When setting a directory, all journals under it are merged.`
			`# When empty starts to read from local journal.`
			`- paths: []`
			`journalbeat:`
			`seek_position: cursor`
			`cursor_seek_fallback: tail`
			`write_cursor_state: true`
			`cursor_flush_period: 5s`
			`clean_field_names: true`
			`convert_to_numbers: false`
			`move_metadata_to_field: journal`
			`default_type: journal`
			`kernel: true`
			`output.logstash:`
			`# Boolean flag to enable or disable the output module.`
			`enabled: true`
			`hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]`
			`'';`
			`};`
			`# Required for remote deployment`
			`openssh.enable = true;`
			`resolved.enable = false;`
			`};`
refactor into lib/lxc-container,shared for grafana 2019-04-01 01:24:54 +02:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`# Create a few files early before packing tarball for Proxmox architecture/OS detection.`
Nixfmt everything 2021-02-22 11:45:12 +01:00			`system.extraSystemBuilderCmds = ''`
			`mkdir -m 0755 -p $out/bin`
			`ln -s ${pkgs.bash}/bin/bash $out/bin/sh`
			`mkdir -m 0755 -p $out/sbin`
			`ln -s ../init $out/sbin/init`
			`'';`
refactor into lib/lxc-container,shared for grafana 2019-04-01 01:24:54 +02:00
The big format and cleanup 2022-06-12 17:26:32 +02:00			`systemd.network.networks."40-eth0".networkConfig = {`
			`IPv6AcceptRA = true;`
			`LinkLocalAddressing = "ipv6";`
activate central logging 2019-07-04 04:23:39 +02:00			`};`
refactor into lib/lxc-container,shared for grafana 2019-04-01 01:24:54 +02:00			`}`