2021-04-28 02:55:09 +00:00
|
|
|
{ lib, config, pkgs, ... }:
|
2014-12-11 21:58:17 +00:00
|
|
|
|
2021-04-28 02:55:09 +00:00
|
|
|
let
|
|
|
|
cfg = config.virtualisation.lxc;
|
2023-08-25 03:00:42 +00:00
|
|
|
in {
|
2014-12-11 21:58:17 +00:00
|
|
|
imports = [
|
2023-08-25 03:00:42 +00:00
|
|
|
./lxc-instance-common.nix
|
2014-12-11 21:58:17 +00:00
|
|
|
];
|
|
|
|
|
2021-04-28 02:55:09 +00:00
|
|
|
options = {
|
|
|
|
virtualisation.lxc = {
|
2023-10-12 03:35:53 +00:00
|
|
|
nestedContainer = lib.mkEnableOption (lib.mdDoc ''
|
|
|
|
Whether this container is configured as a nested container. On LXD containers this is recommended
|
|
|
|
for all containers and is enabled with `security.nesting = true`.
|
|
|
|
'');
|
|
|
|
|
|
|
|
privilegedContainer = lib.mkEnableOption (lib.mdDoc ''
|
|
|
|
Whether this LXC container will be running as a privileged container or not. If set to `true` then
|
|
|
|
additional configuration will be applied to the `systemd` instance running within the container as
|
|
|
|
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
|
|
|
|
'');
|
2021-04-28 02:55:09 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2021-04-28 02:29:09 +00:00
|
|
|
config = {
|
2021-10-19 14:50:51 +00:00
|
|
|
boot.isContainer = true;
|
|
|
|
boot.postBootCommands =
|
|
|
|
''
|
|
|
|
# After booting, register the contents of the Nix store in the Nix
|
|
|
|
# database.
|
|
|
|
if [ -f /nix-path-registration ]; then
|
|
|
|
${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
|
|
|
|
rm /nix-path-registration
|
|
|
|
fi
|
|
|
|
|
|
|
|
# nixos-rebuild also requires a "system" profile
|
|
|
|
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
|
|
|
|
'';
|
|
|
|
|
|
|
|
system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
|
2021-04-28 03:09:30 +00:00
|
|
|
extraArgs = "--owner=0";
|
|
|
|
|
|
|
|
storeContents = [
|
|
|
|
{
|
|
|
|
object = config.system.build.toplevel;
|
|
|
|
symlink = "none";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
|
|
|
contents = [
|
2021-04-28 02:29:09 +00:00
|
|
|
{
|
|
|
|
source = config.system.build.toplevel + "/init";
|
|
|
|
target = "/sbin/init";
|
|
|
|
}
|
2023-01-16 14:50:30 +00:00
|
|
|
# Technically this is not required for lxc, but having also make this configuration work with systemd-nspawn.
|
|
|
|
# Nixos will setup the same symlink after start.
|
|
|
|
{
|
|
|
|
source = config.system.build.toplevel + "/etc/os-release";
|
|
|
|
target = "/etc/os-release";
|
|
|
|
}
|
2021-04-28 03:09:30 +00:00
|
|
|
];
|
2021-04-28 02:29:09 +00:00
|
|
|
|
|
|
|
extraCommands = "mkdir -p proc sys dev";
|
2021-10-19 14:50:51 +00:00
|
|
|
};
|
2021-04-28 02:29:09 +00:00
|
|
|
|
2023-10-12 14:52:05 +00:00
|
|
|
system.build.squashfs = pkgs.callPackage ../../lib/make-squashfs.nix {
|
|
|
|
fileName = "nixos-lxc-image-${pkgs.stdenv.hostPlatform.system}";
|
|
|
|
|
|
|
|
noStrip = true; # keep directory structure
|
|
|
|
comp = "zstd -Xcompression-level 6";
|
|
|
|
|
|
|
|
storeContents = [config.system.build.toplevel];
|
|
|
|
|
|
|
|
pseudoFiles = [
|
|
|
|
"/sbin d 0755 0 0"
|
|
|
|
"/sbin/init s 0555 0 0 ${config.system.build.toplevel}/init"
|
|
|
|
"/dev d 0755 0 0"
|
|
|
|
"/proc d 0555 0 0"
|
|
|
|
"/sys d 0555 0 0"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
2023-05-10 15:04:07 +00:00
|
|
|
system.build.installBootLoader = pkgs.writeScript "install-lxd-sbin-init.sh" ''
|
|
|
|
#!${pkgs.runtimeShell}
|
2023-10-17 18:38:37 +00:00
|
|
|
${pkgs.coreutils}/bin/ln -fs "$1/init" /sbin/init
|
2023-05-10 15:04:07 +00:00
|
|
|
'';
|
|
|
|
|
2023-10-12 03:35:53 +00:00
|
|
|
systemd.additionalUpstreamSystemUnits = lib.mkIf cfg.nestedContainer ["systemd-udev-trigger.service"];
|
|
|
|
|
2021-04-28 03:32:50 +00:00
|
|
|
# Add the overrides from lxd distrobuilder
|
2022-11-29 14:16:28 +00:00
|
|
|
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
|
|
|
|
systemd.packages = [
|
|
|
|
(pkgs.writeTextFile {
|
|
|
|
name = "systemd-lxc-service-overrides";
|
|
|
|
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
|
|
|
|
text = ''
|
|
|
|
[Service]
|
|
|
|
ProcSubset=all
|
|
|
|
ProtectProc=default
|
|
|
|
ProtectControlGroups=no
|
|
|
|
ProtectKernelTunables=no
|
|
|
|
NoNewPrivileges=no
|
|
|
|
LoadCredential=
|
2023-08-25 03:00:42 +00:00
|
|
|
'' + lib.optionalString cfg.privilegedContainer ''
|
2022-11-29 14:16:28 +00:00
|
|
|
# Additional settings for privileged containers
|
|
|
|
ProtectHome=no
|
|
|
|
ProtectSystem=no
|
|
|
|
PrivateDevices=no
|
|
|
|
PrivateTmp=no
|
|
|
|
ProtectKernelLogs=no
|
|
|
|
ProtectKernelModules=no
|
|
|
|
ReadWritePaths=
|
|
|
|
'';
|
|
|
|
})
|
|
|
|
];
|
2021-04-28 03:32:50 +00:00
|
|
|
|
2023-08-25 03:00:42 +00:00
|
|
|
system.activationScripts.installInitScript = lib.mkForce ''
|
2021-04-30 22:23:45 +00:00
|
|
|
ln -fs $systemConfig/init /sbin/init
|
|
|
|
'';
|
2021-04-28 02:29:09 +00:00
|
|
|
};
|
2014-12-11 21:58:17 +00:00
|
|
|
}
|