2021-03-22 23:37:25 +01:00
|
|
|
{ hostName, self, config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
containers =
|
|
|
|
|
# TODO: remove 1 line
|
|
|
|
|
lib.filterAttrs (ctName: _: ctName == "upstream1") (
|
2021-03-23 00:40:40 +01:00
|
|
|
lib.filterAttrs (_: { role, model, location, ... }:
|
|
|
|
|
role == "container" &&
|
|
|
|
|
model == "lxc" &&
|
|
|
|
|
location == hostName
|
|
|
|
|
) config.site.hosts
|
2021-03-22 23:37:25 +01:00
|
|
|
);
|
2021-03-23 00:40:40 +01:00
|
|
|
|
2021-03-22 23:37:25 +01:00
|
|
|
enabled = containers != {};
|
|
|
|
|
|
2021-03-23 00:27:32 +01:00
|
|
|
netConfig = ctName: interfaces:
|
|
|
|
|
let
|
|
|
|
|
config = map (netName:
|
|
|
|
|
let
|
|
|
|
|
ifData = interfaces.${netName};
|
|
|
|
|
in {
|
|
|
|
|
type = ifData.type;
|
2021-03-25 00:34:48 +01:00
|
|
|
name = netName;
|
2021-03-23 00:27:32 +01:00
|
|
|
flags = "up";
|
|
|
|
|
hwaddr = if ifData ? hwaddr
|
|
|
|
|
then ifData.hwaddr
|
|
|
|
|
else "0A:14:48:01:26:00";
|
|
|
|
|
} // (lib.optionalAttrs (ifData.type == "veth") {
|
|
|
|
|
veth.pair = "${ctName}-${netName}";
|
|
|
|
|
veth.mode = "bridge";
|
2021-03-24 22:23:09 +01:00
|
|
|
link = "${netName}";
|
2021-03-23 00:27:32 +01:00
|
|
|
}) // (lib.optionalAttrs (ifData.type == "phys") {
|
2021-03-24 22:23:09 +01:00
|
|
|
link = "ext-${netName}";
|
2021-03-23 00:27:32 +01:00
|
|
|
})
|
|
|
|
|
) (builtins.attrNames interfaces);
|
|
|
|
|
|
|
|
|
|
serialize = name: x:
|
|
|
|
|
if builtins.isString x
|
|
|
|
|
then "${name} = ${x}\n"
|
|
|
|
|
else if builtins.isAttrs x
|
|
|
|
|
then builtins.concatStringsSep "" (
|
|
|
|
|
map (n: serialize "${name}.${n}" x.${n}) (builtins.attrNames x)
|
|
|
|
|
)
|
|
|
|
|
else if builtins.isList x
|
|
|
|
|
then
|
|
|
|
|
let
|
|
|
|
|
enumerate = xs: n:
|
|
|
|
|
if xs == []
|
|
|
|
|
then []
|
|
|
|
|
else [ {
|
|
|
|
|
e = builtins.head xs;
|
|
|
|
|
i = n;
|
|
|
|
|
} ] ++ enumerate (builtins.tail xs) (n + 1);
|
|
|
|
|
in
|
|
|
|
|
builtins.concatStringsSep "" (
|
|
|
|
|
map ({ e, i }: serialize "${name}.${toString i}" e) (enumerate x 0)
|
|
|
|
|
)
|
|
|
|
|
else throw "Invalid data in lxc net config: ${lib.generators.toPretty {} x}";
|
|
|
|
|
in
|
2021-03-23 00:40:40 +01:00
|
|
|
serialize "lxc.net" config;
|
2021-03-22 23:37:25 +01:00
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
virtualisation.lxc = lib.mkIf enabled {
|
|
|
|
|
enable = true;
|
|
|
|
|
systemConfig = ''
|
|
|
|
|
lxc.lxcpath = /etc/lxc/containers
|
|
|
|
|
|
|
|
|
|
# lxc.rootfs.backend = zfs
|
|
|
|
|
# lxc.bdev.zfs.root = vault/sys/atom/var/lib/lxc
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
environment.systemPackages = [ pkgs.lxc ];
|
|
|
|
|
|
|
|
|
|
environment.etc =
|
|
|
|
|
builtins.foldl' (etc: ctName: etc // {
|
|
|
|
|
"lxc/containers/${ctName}/rootfs" = {
|
2021-03-22 23:47:19 +01:00
|
|
|
source = self.packages.x86_64-linux."${ctName}-rootfs";
|
2021-03-22 23:37:25 +01:00
|
|
|
};
|
|
|
|
|
"lxc/containers/${ctName}/config" = {
|
|
|
|
|
enable = true;
|
|
|
|
|
source =
|
|
|
|
|
let
|
2021-03-23 00:27:32 +01:00
|
|
|
inherit (containers.${ctName}) interfaces;
|
2021-03-23 00:40:40 +01:00
|
|
|
in builtins.toFile "${ctName}.conf" ''
|
2021-03-22 23:37:25 +01:00
|
|
|
# For lxcfs and sane defaults
|
|
|
|
|
lxc.include = /etc/lxc/common.conf
|
|
|
|
|
|
|
|
|
|
lxc.uts.name = ${ctName}
|
|
|
|
|
# Handled by lxc@.service
|
|
|
|
|
lxc.start.auto = 0
|
|
|
|
|
lxc.rootfs.path = /etc/lxc/containers/${ctName}/rootfs
|
|
|
|
|
lxc.init.cmd = "/init"
|
|
|
|
|
|
|
|
|
|
lxc.mount.entry = /nix/store nix/store none bind,ro 0 0
|
|
|
|
|
lxc.mount.entry = none nix/var tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none bin tmpfs defaults 0 0
|
|
|
|
|
#lxc.mount.entry = none dev tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none root tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none tmp tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none var tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none home tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none usr tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none run tmpfs defaults 0 0
|
|
|
|
|
lxc.mount.entry = none etc tmpfs defaults 0 0
|
|
|
|
|
lxc,mount.auto = proc:mixed sys:ro cgroup:mixed
|
|
|
|
|
|
|
|
|
|
lxc.autodev = 1
|
|
|
|
|
lxc.tty.max = 0
|
|
|
|
|
|
|
|
|
|
lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
|
|
|
|
|
lxc.apparmor.profile = unchanged
|
|
|
|
|
security.privileged = false
|
|
|
|
|
|
|
|
|
|
lxc.cgroup.memory.limit_in_bytes = 1G
|
|
|
|
|
lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M
|
|
|
|
|
|
|
|
|
|
# tuntap
|
|
|
|
|
lxc.cgroup.devices.allow = c 10:200 rw
|
|
|
|
|
|
2021-03-23 00:27:32 +01:00
|
|
|
${netConfig ctName interfaces}
|
2021-03-22 23:37:25 +01:00
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}) {
|
|
|
|
|
"lxc/common.conf".source = "${pkgs.lxc}/share/lxc/config/common.conf";
|
|
|
|
|
} (builtins.attrNames containers);
|
2021-03-24 23:42:49 +01:00
|
|
|
|
|
|
|
|
systemd.targets.lxc-containers = {
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
wants = map (ctName: "lxc@${ctName}.service") (builtins.attrNames containers);
|
|
|
|
|
};
|
|
|
|
|
systemd.services."lxc@" = {
|
|
|
|
|
description = "LXC container '%i'";
|
|
|
|
|
wants = [ "systemd-networkd.service" ];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "simple";
|
|
|
|
|
ExecStart = "${pkgs.lxc}/bin/lxc-start -F -C -n %i";
|
|
|
|
|
ExecStop = "${pkgs.lxc}/bin/lxc-stop -n %i";
|
|
|
|
|
KillMode = "mixed";
|
|
|
|
|
OOMPolicy = "kill";
|
|
|
|
|
Restart = "always";
|
|
|
|
|
RestartSec = "5s";
|
|
|
|
|
};
|
|
|
|
|
};
|
2021-03-22 23:37:25 +01:00
|
|
|
}
|
