2022-03-22 18:13:17 +01:00
|
|
|
{ self, config, lib, pkgs, ... }:
|
2021-03-22 23:37:25 +01:00
|
|
|
|
|
|
|
|
let
|
2021-04-10 14:52:13 +02:00
|
|
|
# Containers that are run on this host
|
2021-03-22 23:37:25 +01:00
|
|
|
containers =
|
2021-08-20 21:37:43 +02:00
|
|
|
lib.filterAttrs (_: { role, model, ... }:
|
2021-03-23 00:40:40 +01:00
|
|
|
role == "container" &&
|
2021-08-20 21:37:43 +02:00
|
|
|
model == "lxc"
|
2021-04-06 18:36:46 +02:00
|
|
|
) config.site.hosts;
|
2021-03-23 00:40:40 +01:00
|
|
|
|
2021-03-22 23:37:25 +01:00
|
|
|
enabled = containers != {};
|
|
|
|
|
|
2021-04-10 14:52:13 +02:00
|
|
|
# User-facing script to build/update container NixOS systems
|
2021-04-06 18:36:46 +02:00
|
|
|
build-script = pkgs.writeScriptBin "build-container" ''
|
|
|
|
|
#! ${pkgs.runtimeShell} -e
|
|
|
|
|
|
|
|
|
|
if [ -z "$1" ]; then
|
|
|
|
|
echo "Usage: $0 [containers ...]"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
mkdir -p /nix/var/nix/gcroots/lxc
|
|
|
|
|
|
|
|
|
|
for c in $@; do
|
2021-04-30 22:38:57 +02:00
|
|
|
unset SYSTEM
|
|
|
|
|
|
|
|
|
|
case "$c" in
|
|
|
|
|
${builtins.concatStringsSep "\n" (
|
|
|
|
|
map (ctName: ''
|
|
|
|
|
${ctName})
|
|
|
|
|
echo Using prebuilt system for container $c
|
|
|
|
|
SYSTEM=${self.packages.x86_64-linux."${ctName}-rootfs"}
|
2023-06-05 01:17:05 +02:00
|
|
|
CONFIG=${self.packages.x86_64-linux."${ctName}-lxc-config"}
|
2021-04-30 22:38:57 +02:00
|
|
|
;;
|
|
|
|
|
'') (
|
|
|
|
|
builtins.attrNames (
|
|
|
|
|
lib.filterAttrs (_: { prebuilt, ... }: prebuilt)
|
|
|
|
|
containers
|
|
|
|
|
))
|
|
|
|
|
)}
|
|
|
|
|
*)
|
|
|
|
|
echo Building $c
|
|
|
|
|
nix build -o /nix/var/nix/gcroots/lxc/$c zentralwerk-network#$c-rootfs
|
|
|
|
|
SYSTEM=$(readlink /nix/var/nix/gcroots/lxc/$c)
|
2023-06-05 01:17:05 +02:00
|
|
|
nix build -o /nix/var/nix/gcroots/lxc/$c.config zentralwerk-network#$c-lxc-config
|
|
|
|
|
CONFIG=$(readlink /nix/var/nix/gcroots/lxc/$c.config)
|
2021-04-30 22:38:57 +02:00
|
|
|
;;
|
|
|
|
|
esac
|
2021-04-06 18:36:46 +02:00
|
|
|
|
|
|
|
|
echo Installing $c
|
|
|
|
|
for d in \
|
|
|
|
|
bin dev etc home mnt \
|
|
|
|
|
nix/store nix/var \
|
|
|
|
|
proc root run sys tmp var usr ; \
|
|
|
|
|
do
|
|
|
|
|
mkdir -p /var/lib/lxc/$c/rootfs/$d
|
|
|
|
|
done
|
|
|
|
|
ln -fs $SYSTEM/init /var/lib/lxc/$c/rootfs/init
|
2023-06-05 01:17:05 +02:00
|
|
|
ln -fs $CONFIG /var/lib/lxc/$c/config
|
2021-11-18 16:58:32 +01:00
|
|
|
done
|
2021-04-06 18:36:46 +02:00
|
|
|
|
2021-11-18 16:58:32 +01:00
|
|
|
# Activate all the desired container after all of them are
|
|
|
|
|
# built
|
|
|
|
|
set +e
|
|
|
|
|
for c in $@; do
|
2021-04-06 18:36:46 +02:00
|
|
|
active=$(systemctl is-active lxc@$c)
|
|
|
|
|
if [[ "$active" = active ]] ; then
|
|
|
|
|
echo Activating $c
|
2021-05-01 03:04:14 +02:00
|
|
|
systemctl reload lxc@$c || (
|
|
|
|
|
echo Reload failed. Restarting $c
|
|
|
|
|
systemctl restart lxc@$c
|
|
|
|
|
)
|
2021-04-06 18:36:46 +02:00
|
|
|
else
|
|
|
|
|
echo Starting $c
|
|
|
|
|
systemctl start lxc@$c
|
|
|
|
|
fi
|
|
|
|
|
done
|
2021-11-18 16:58:32 +01:00
|
|
|
set -e
|
2021-04-06 18:36:46 +02:00
|
|
|
'';
|
2021-08-20 21:39:00 +02:00
|
|
|
|
|
|
|
|
enable-script = pkgs.writeScriptBin "enable-containers" ''
|
|
|
|
|
touch /etc/start-containers
|
|
|
|
|
systemctl start lxc-containers.target
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
disable-script = pkgs.writeScriptBin "disable-containers" ''
|
|
|
|
|
rm /etc/start-containers
|
|
|
|
|
systemctl stop lxc-containers.target lxc@\*.service
|
|
|
|
|
'';
|
2021-03-22 23:37:25 +01:00
|
|
|
in
|
|
|
|
|
{
|
2021-07-14 19:01:24 +02:00
|
|
|
boot.kernel.sysctl = lib.mkIf enabled {
|
2021-06-18 20:20:04 +02:00
|
|
|
"fs.inotify.max_queued_events" = 1048576;
|
|
|
|
|
"fs.inotify.max_user_instances" = 1048576;
|
|
|
|
|
"fs.inotify.max_user_watches" = 1048576;
|
|
|
|
|
"vm.max_map_count" = 262144;
|
|
|
|
|
"kernel.dmesg_restrict" = 1;
|
|
|
|
|
"net.ipv4.neigh.default.gc_thresh3" = 8192;
|
|
|
|
|
"net.ipv6.neigh.default.gc_thresh3" = 8192;
|
|
|
|
|
"kernel.keys.maxkeys" = 2000;
|
|
|
|
|
};
|
|
|
|
|
|
2021-03-22 23:37:25 +01:00
|
|
|
virtualisation.lxc = lib.mkIf enabled {
|
|
|
|
|
enable = true;
|
|
|
|
|
systemConfig = ''
|
2023-06-05 01:17:05 +02:00
|
|
|
lxc.lxcpath = /var/lib/lxc
|
2021-03-22 23:37:25 +01:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2021-08-20 21:39:00 +02:00
|
|
|
environment.systemPackages = [
|
|
|
|
|
# `lxc-attach` et al
|
2021-11-20 00:43:32 +01:00
|
|
|
pkgs.lxc build-script
|
2021-08-20 21:39:00 +02:00
|
|
|
# User scripts
|
|
|
|
|
enable-script disable-script
|
|
|
|
|
];
|
2021-03-22 23:37:25 +01:00
|
|
|
|
2023-06-05 01:17:05 +02:00
|
|
|
environment.etc."lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
|
2021-03-24 23:42:49 +01:00
|
|
|
|
2021-04-10 14:52:13 +02:00
|
|
|
# Systemd service template for LXC containers
|
2021-03-24 23:42:49 +01:00
|
|
|
systemd.services."lxc@" = {
|
|
|
|
|
description = "LXC container '%i'";
|
2021-04-04 22:57:44 +02:00
|
|
|
after = [ "network.target" ];
|
2021-08-20 21:39:00 +02:00
|
|
|
unitConfig.ConditionPathExists = [
|
|
|
|
|
"/var/lib/lxc/%i/rootfs/init"
|
|
|
|
|
"/etc/start-containers"
|
|
|
|
|
];
|
2021-11-20 00:43:32 +01:00
|
|
|
serviceConfig = with pkgs; {
|
2021-03-24 23:42:49 +01:00
|
|
|
Type = "simple";
|
2021-05-27 01:54:54 +02:00
|
|
|
ExecStart = "${lxc}/bin/lxc-start -F -C -n %i";
|
|
|
|
|
ExecStop = "${lxc}/bin/lxc-stop -n %i";
|
2021-03-27 03:43:19 +01:00
|
|
|
ExecReload =
|
|
|
|
|
let
|
2021-11-20 00:43:32 +01:00
|
|
|
script = writeScript "reload-lxc-container.sh" ''
|
|
|
|
|
#! ${runtimeShell} -e
|
2021-03-27 03:43:19 +01:00
|
|
|
|
2021-04-04 20:00:40 +02:00
|
|
|
SYSTEM=$(dirname $(readlink /var/lib/lxc/$1/rootfs/init))
|
2021-05-27 01:54:54 +02:00
|
|
|
exec ${lxc}/bin/lxc-attach -n $1 $SYSTEM/bin/switch-to-configuration switch
|
2021-03-27 03:43:19 +01:00
|
|
|
'';
|
|
|
|
|
in
|
|
|
|
|
"${script} %i";
|
2021-03-24 23:42:49 +01:00
|
|
|
KillMode = "mixed";
|
|
|
|
|
OOMPolicy = "kill";
|
|
|
|
|
Restart = "always";
|
2021-05-05 20:23:56 +02:00
|
|
|
RestartSec = "1s";
|
2021-03-24 23:42:49 +01:00
|
|
|
};
|
2023-06-04 23:14:47 +02:00
|
|
|
# Prevent restart on host nixos-rebuild switch
|
|
|
|
|
restartIfChanged = false;
|
2021-03-24 23:42:49 +01:00
|
|
|
};
|
2021-03-27 03:43:19 +01:00
|
|
|
|
2021-04-10 14:52:13 +02:00
|
|
|
# Starts all the containers after boot
|
2021-03-27 00:28:03 +01:00
|
|
|
systemd.targets.lxc-containers = {
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
2021-04-06 18:36:46 +02:00
|
|
|
wants = map (ctName: "lxc@${ctName}.service")
|
2021-03-27 03:43:19 +01:00
|
|
|
(builtins.attrNames containers);
|
2021-03-27 00:28:03 +01:00
|
|
|
};
|
2021-03-22 23:37:25 +01:00
|
|
|
}
|
