forked from zentralwerk/network
nixos-powered lxc container
This commit is contained in:
parent
8a8f1ec6da
commit
d1cca3b029
@ -18,6 +18,7 @@
|
||||||
modules = [ self.nixosModule ];
|
modules = [ self.nixosModule ];
|
||||||
specialArgs.hostName = name;
|
specialArgs.hostName = name;
|
||||||
specialArgs.lib = self.lib;
|
specialArgs.lib = self.lib;
|
||||||
|
specialArgs.self = self;
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
|
@ -12,7 +12,7 @@ in {
|
||||||
../lib/config/options.nix
|
../lib/config/options.nix
|
||||||
]
|
]
|
||||||
++ optionals (hostConfig.role == "server") [
|
++ optionals (hostConfig.role == "server") [
|
||||||
#./lxc-containers.nix
|
./lxc-containers.nix
|
||||||
]
|
]
|
||||||
++ optionals (hostConfig.role == "container") [
|
++ optionals (hostConfig.role == "container") [
|
||||||
./container.nix
|
./container.nix
|
||||||
|
|
|
@ -11,4 +11,6 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = hostName;
|
networking.hostName = hostName;
|
||||||
|
|
||||||
|
users.users.root.initialHashedPassword = "";
|
||||||
}
|
}
|
||||||
|
|
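Review bot: `users.users.root.initialHashedPassword = "";` gives the container's root account an empty password hash, so anyone who reaches a login prompt (the LXC console, or an sshd that permits empty passwords) becomes root without credentials, and nothing in the hunk limits this to a throwaway test setup. If passwordless console login is only wanted during bring-up, a comment saying so plus a TODO to replace it with a real hash would make that explicit; otherwise leaving root locked (the NixOS default when no password option is set) and administering through `lxc-attach` from the host avoids shipping an open root account in every container built from this module. The file header for this hunk is not shown, so the enclosing module starts outside it.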
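--- /dev/null
+++ b/nix/nixos-module/lxc-containers.nix
@@ -0,0 +1,100 @@
+{ hostName, self, config, lib, pkgs, ... }:
+
+let
+# ctHosts =
+# lib.filterAttrs (_: { role, model, location, ... }:
+# role == "container" &&
+# model == "lxc" &&
+# location == hostName
+# ) config.site.hosts;
+
+pillar = self.lib.saltPillarFor hostName;
+containers =
+# TODO: remove 1 line
+lib.filterAttrs (ctName: _: ctName == "upstream1") (
+if pillar ? containers then pillar.containers else {}
+);
+enabled = containers != {};
+
+mkRootfs = ctName:
+pkgs.runCommandLocal "rootfs_${ctName}" {
+src = self.nixosConfigurations.${ctName}.config.system.build.toplevel;
+} ''
+set -x
+mkdir -p $out/{bin,dev,etc,home,mnt,nix/store,nix/var,proc,root,run,sys,tmp,var,usr}
+ln -s $src/init $out/
+ln -s $src/etc $out/etc/static
+'';
+in
+{
+virtualisation.lxc = lib.mkIf enabled {
+enable = true;
+systemConfig = ''
+lxc.lxcpath = /etc/lxc/containers
+
+# lxc.rootfs.backend = zfs
+# lxc.bdev.zfs.root = vault/sys/atom/var/lib/lxc
+'';
+};
+
+environment.systemPackages = [ pkgs.lxc ];
+
+environment.etc =
+builtins.foldl' (etc: ctName: etc // {
+"lxc/containers/${ctName}/rootfs" = {
+source = mkRootfs ctName;
+};
+"lxc/containers/${ctName}/config" = {
+enable = true;
+source =
+let
+inherit (containers.${ctName}) interface;
+in builtins.trace ctName builtins.toFile "${ctName}.conf" ''
+# For lxcfs and sane defaults
+lxc.include = /etc/lxc/common.conf
+
+lxc.uts.name = ${ctName}
+# Handled by lxc@.service
+lxc.start.auto = 0
+# config.system.build.toplevel
+lxc.rootfs.path = /etc/lxc/containers/${ctName}/rootfs
+lxc.init.cmd = "/init"
+
+lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
+lxc.mount.entry = none nix/var tmpfs defaults 0 0
+lxc.mount.entry = none bin tmpfs defaults 0 0
+#lxc.mount.entry = none dev tmpfs defaults 0 0
+lxc.mount.entry = none root tmpfs defaults 0 0
+lxc.mount.entry = none tmp tmpfs defaults 0 0
+lxc.mount.entry = none var tmpfs defaults 0 0
+lxc.mount.entry = none home tmpfs defaults 0 0
+lxc.mount.entry = none usr tmpfs defaults 0 0
+lxc.mount.entry = none run tmpfs defaults 0 0
+lxc.mount.entry = none etc tmpfs defaults 0 0
+lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
+
+lxc.autodev = 1
+lxc.tty.max = 0
+
+lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
+lxc.apparmor.profile = unchanged
+security.privileged = false
+
+lxc.cgroup.memory.limit_in_bytes = 1G
+lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
+
+# tuntap
+lxc.cgroup.devices.allow = c 10:200 rw
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.veth.mode = bridge
+lxc.net.0.veth.pair = test
+lxc.net.0.link = virbr0
+lxc.net.0.hwaddr = 00:23:de:ad:be:ef
+'';
+};
+}) {
+"lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
+} (builtins.attrNames containers);
+}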