From d1cca3b029a8fdc3637ca5b67729e0b2b081b276 Mon Sep 17 00:00:00 2001
From: Astro
Date: Mon, 22 Mar 2021 23:37:25 +0100
Subject: [PATCH] nixos-powered lxc container
---
 flake.nix | 1 +
 nix/nixos-module/default.nix | 2 +-
 nix/nixos-module/defaults.nix | 2 +
 nix/nixos-module/lxc-containers.nix | 100 ++++++++++++++++++++++++++++
 4 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 nix/nixos-module/lxc-containers.nix
diff --git a/flake.nix b/flake.nix
index de5dcf8..6512ea7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,7 @@
 modules = [ self.nixosModule ];
 specialArgs.hostName = name;
 specialArgs.lib = self.lib;
+ specialArgs.self = self;
 };
 in {
diff --git a/nix/nixos-module/default.nix b/nix/nixos-module/default.nix
index 5c42239..500aaa6 100644
--- a/nix/nixos-module/default.nix
+++ b/nix/nixos-module/default.nix
@@ -12,7 +12,7 @@ in {
 ../lib/config/options.nix
 ] ++ optionals (hostConfig.role == "server") [
- #./lxc-containers.nix
+ ./lxc-containers.nix
 ] ++ optionals (hostConfig.role == "container") [
 ./container.nix
diff --git a/nix/nixos-module/defaults.nix b/nix/nixos-module/defaults.nix
index d4f60cc..bea0fba 100644
--- a/nix/nixos-module/defaults.nix
+++ b/nix/nixos-module/defaults.nix
@@ -11,4 +11,6 @@
 ];
 networking.hostName = hostName;
+
+ users.users.root.initialHashedPassword = "";
 }
diff --git a/nix/nixos-module/lxc-containers.nix b/nix/nixos-module/lxc-containers.nix
new file mode 100644
index 000000000..bb68c28
--- /dev/null
+++ b/nix/nixos-module/lxc-containers.nix
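Review bot: `users.users.root.initialHashedPassword = "";` in the defaults.nix hunk lands in a module that is imported for every host, not only the new containers, so each newly created root account gets an empty password hash and root can log in with no password wherever password authentication is accepted (console/getty, and SSH if `PermitRootLogin` and password authentication are enabled). If this is meant to ease first login inside the LXC containers, it belongs in the container-role module (container.nix) or behind a role guard such as `users.users.root.initialHashedPassword = lib.mkIf (hostConfig.role == "container") "";`, assuming `lib` and `hostConfig` are reachable in defaults.nix as `hostConfig` is in default.nix. Note that `initialHashedPassword` only applies when the account is first created, so already-deployed hosts keep their password but every fresh deployment and rebuilt container gets the empty one. The enclosing attribute set of defaults.nix starts outside the hunk.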
@@ -0,0 +1,100 @@
+{ hostName, self, config, lib, pkgs, ... }:
+
+let
+ # ctHosts =
+ # lib.filterAttrs (_: { role, model, location, ... }:
+ # role == "container" &&
+ # model == "lxc" &&
+ # location == hostName
+ # ) config.site.hosts;
+
+ pillar = self.lib.saltPillarFor hostName;
+ containers =
+ # TODO: remove 1 line
+ lib.filterAttrs (ctName: _: ctName == "upstream1") (
+ if pillar ? containers then pillar.containers else {}
+ );
+ enabled = containers != {};
+
+ mkRootfs = ctName:
+ pkgs.runCommandLocal "rootfs_${ctName}" {
+ src = self.nixosConfigurations.${ctName}.config.system.build.toplevel;
+ } ''
+ set -x
+ mkdir -p $out/{bin,dev,etc,home,mnt,nix/store,nix/var,proc,root,run,sys,tmp,var,usr}
+ ln -s $src/init $out/
+ ln -s $src/etc $out/etc/static
+ '';
+in
+{
+ virtualisation.lxc = lib.mkIf enabled {
+ enable = true;
+ systemConfig = ''
+ lxc.lxcpath = /etc/lxc/containers
+
+ # lxc.rootfs.backend = zfs
+ # lxc.bdev.zfs.root = vault/sys/atom/var/lib/lxc
+ '';
+ };
+
+ environment.systemPackages = [ pkgs.lxc ];
+
+ environment.etc =
+ builtins.foldl' (etc: ctName: etc // {
+ "lxc/containers/${ctName}/rootfs" = {
+ source = mkRootfs ctName;
+ };
+ "lxc/containers/${ctName}/config" = {
+ enable = true;
+ source =
+ let
+ inherit (containers.${ctName}) interface;
+ in builtins.trace ctName builtins.toFile "${ctName}.conf" ''
+ # For lxcfs and sane defaults
+ lxc.include = /etc/lxc/common.conf
+
+ lxc.uts.name = ${ctName}
+ # Handled by lxc@.service
+ lxc.start.auto = 0
+ # config.system.build.toplevel
+ lxc.rootfs.path = /etc/lxc/containers/${ctName}/rootfs
+ lxc.init.cmd = "/init"
+
+ lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
+ lxc.mount.entry = none nix/var tmpfs defaults 0 0
+ lxc.mount.entry = none bin tmpfs defaults 0 0
+ #lxc.mount.entry = none dev tmpfs defaults 0 0
+ lxc.mount.entry = none root tmpfs defaults 0 0
+ lxc.mount.entry = none tmp tmpfs defaults 0 0
+ lxc.mount.entry = none var tmpfs defaults 0 0
+ lxc.mount.entry = none home tmpfs defaults 0 0
+ lxc.mount.entry = none usr tmpfs defaults 0 0
+ lxc.mount.entry = none run tmpfs defaults 0 0
+ lxc.mount.entry = none etc tmpfs defaults 0 0
+ lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
+
+ lxc.autodev = 1
+ lxc.tty.max = 0
+
+ lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
+ lxc.apparmor.profile = unchanged
+ security.privileged = false
+
+ lxc.cgroup.memory.limit_in_bytes = 1G
+ lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
+
+ # tuntap
+ lxc.cgroup.devices.allow = c 10:200 rw
+
+ lxc.net.0.type = veth
+ lxc.net.0.flags = up
+ lxc.net.0.veth.mode = bridge
+ lxc.net.0.veth.pair = test
+ lxc.net.0.link = virbr0
+ lxc.net.0.hwaddr = 00:23:de:ad:be:ef
+ '';
+ };
+ }) {
+ "lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
+ } (builtins.attrNames containers);
+}
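Review bot: `lxc,mount.auto = proc:mixed sys:ro cgroup:mixed` in the generated per-container config has a comma where the key needs a dot, so that line is not a valid `lxc.mount.auto` setting and the proc/sys/cgroup automounts it is meant to request (including the read-only sysfs) are not requested by it; it should read `lxc.mount.auto = proc:mixed sys:ro cgroup:mixed`. The same config sets no `lxc.idmap`, so the container appears to run as a privileged (container root is host root) container with `lxc.apparmor.profile = unchanged`, and `security.privileged = false` looks like an LXD-style key rather than an LXC one, so it most likely does not give the confinement its name suggests — confirm which is intended, and if unprivileged is the goal add a `lxc.idmap` range with matching subuid/subgid and rootfs ownership. Every container also receives the same `lxc.net.0.veth.pair = test` and `lxc.net.0.hwaddr = 00:23:de:ad:be:ef`, which collide on virbr0 as soon as more than one container is defined (currently masked by the `TODO` filter to `upstream1`); derive them per container or drop them so LXC picks unique values. Minor: `sys_time` is listed twice in `lxc.cap.drop`, `inherit (containers.${ctName}) interface` is unused, and `builtins.trace ctName` and `set -x` look like debug leftovers.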