nixpkgs/nixos/modules/virtualisation/proxmox-lxc.nix



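{
  config,
  pkgs,
  lib,
  ...
}:
# NixOS module for running NixOS as a Proxmox VE LXC container.
#
# It builds a root-filesystem tarball (system.build.tarball) in the layout
# Proxmox consumes, and adapts boot, networking, console and a few
# privilege-sensitive details (ping, debugfs) to the LXC environment.
{
  imports = [
    ../image/file-options.nix
  ];

  options.proxmoxLXC = {
    enable = lib.mkOption {
      default = true;
      type = lib.types.bool;
      description = "Whether to enable the Proxmox VE LXC module.";
    };

    privileged = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether the container runs as a privileged LXC (enabling privileged
        mounts). When false, the /sys/kernel/debug mount unit is disabled and
        ping is provided through a capability wrapper, because unprivileged
        LXCs cannot set net.ipv4.ping_group_range.
      '';
    };

    manageNetwork = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to manage network interfaces through nix options.
        When false, systemd-networkd is enabled to accept network
        configuration from proxmox.
      '';
    };

    manageHostName = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to manage hostname through nix options.
        When false, the hostname is picked up from /etc/hostname
        populated by proxmox. This only takes effect while
        `manageNetwork` is also false; with `manageNetwork = true`
        the hostname is always managed through nix options.
      '';
    };
  };

  config =
    let
      cfg = config.proxmoxLXC;
    in
    lib.mkIf cfg.enable {
      system.nixos.tags = [
        "proxmox"
        "lxc"
      ];

      # The build artifact Proxmox imports is a compressed root tarball.
      image.extension = "tar.xz";
      image.filePath = "tarball/${config.image.fileName}";
      system.build.image = config.system.build.tarball;

      system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
        fileName = config.image.baseName;

        # Ship the closure of the system toplevel inside the tarball. It is
        # registered in the Nix database on first boot (boot.postBootCommands
        # below) if the tarball provides /nix-path-registration.
        storeContents = [
          {
            object = config.system.build.toplevel;
            symlink = "none";
          }
        ];

        # LXC starts /sbin/init; point it at the NixOS init script of the
        # built system.
        contents = [
          {
            source = config.system.build.toplevel + "/init";
            target = "/sbin/init";
          }
        ];

        # root home and the networkd unit directory must exist in the image;
        # presumably the latter is where proxmox drops its network
        # configuration (see manageNetwork).
        extraCommands = "mkdir -p root etc/systemd/network";
      };

      boot.postBootCommands = ''
        # After booting, register the contents of the Nix store in the Nix
        # database.
        if [ -f /nix-path-registration ]; then
          ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
          rm /nix-path-registration
        fi
        # nixos-rebuild also requires a "system" profile
        ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
      '';

      boot = {
        isContainer = true;
        # No kernel or bootloader is installed; /sbin/init is the entry point.
        loader.initScript.enable = true;
      };
      console.enable = true;

      networking = lib.mkIf (!cfg.manageNetwork) {
        useDHCP = false;
        useHostResolvConf = false;
        useNetworkd = true;
        # pick up hostname from /etc/hostname generated by proxmox: with an
        # empty hostName NixOS does not write its own /etc/hostname, so the
        # file proxmox populates is left alone. This sits inside the
        # manageNetwork mkIf, so it only applies when that is false too.
        hostName = lib.mkIf (!cfg.manageHostName) (lib.mkForce "");
      };

      # unprivileged LXCs can't set net.ipv4.ping_group_range, so grant ping
      # CAP_NET_RAW (permitted only) through a wrapper instead of setuid.
      security.wrappers.ping = lib.mkIf (!cfg.privileged) {
        owner = "root";
        group = "root";
        capabilities = "cap_net_raw+p";
        source = "${pkgs.iputils.out}/bin/ping";
      };

      # Enabled by default so the container is reachable after import;
      # mkDefault lets a system configuration disable or tighten it.
      services.openssh = {
        enable = lib.mkDefault true;
        startWhenNeeded = lib.mkDefault true;
      };

      systemd = {
        # Disable the debugfs mount unit in unprivileged containers,
        # presumably because the mount is not permitted there — confirm.
        mounts = lib.mkIf (!cfg.privileged) [
          {
            enable = false;
            where = "/sys/kernel/debug";
          }
        ];
        # By default only starts getty on tty0 but first on LXC is tty1.
        # The empty entry clears the inherited condition list before adding
        # the /dev/%I check.
        services."autovt@".unitConfig.ConditionPathExists = [
          ""
          "/dev/%I"
        ];
        # These are disabled by `console.enable` but console via tty is the default in Proxmox
        services."getty@tty1".enable = lib.mkForce true;
        services."autovt@".enable = lib.mkForce true;
      };
    };
}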