depot/third_party/nixpkgs/nixos/modules/virtualisation/lxc-container.nix
Default email 0d9fc34957 Project import generated by Copybara.
GitOrigin-RevId: 5ed481943351e9fd354aeb557679624224de38d5
2023-01-20 11:41:00 +01:00

215 lines
7 KiB
Nix

{ lib, config, pkgs, ... }:
with lib;
let
templateSubmodule = { ... }: {
options = {
enable = mkEnableOption (lib.mdDoc "this template");
target = mkOption {
description = lib.mdDoc "Path in the container";
type = types.path;
};
template = mkOption {
description = lib.mdDoc ".tpl file for rendering the target";
type = types.path;
};
when = mkOption {
description = lib.mdDoc "Events which trigger a rewrite (create, copy)";
type = types.listOf (types.str);
};
properties = mkOption {
description = lib.mdDoc "Additional properties";
type = types.attrs;
default = {};
};
};
};
toYAML = name: data: pkgs.writeText name (generators.toYAML {} data);
cfg = config.virtualisation.lxc;
templates = if cfg.templates != {} then let
list = mapAttrsToList (name: value: { inherit name; } // value)
(filterAttrs (name: value: value.enable) cfg.templates);
in
{
files = map (tpl: {
source = tpl.template;
target = "/templates/${tpl.name}.tpl";
}) list;
properties = listToAttrs (map (tpl: nameValuePair tpl.target {
when = tpl.when;
template = "${tpl.name}.tpl";
properties = tpl.properties;
}) list);
}
else { files = []; properties = {}; };
in
{
imports = [
../installer/cd-dvd/channel.nix
../profiles/clone-config.nix
../profiles/minimal.nix
];
options = {
virtualisation.lxc = {
templates = mkOption {
description = lib.mdDoc "Templates for LXD";
type = types.attrsOf (types.submodule (templateSubmodule));
default = {};
example = literalExpression ''
{
# create /etc/hostname on container creation. also requires networking.hostName = "" to be set
"hostname" = {
enable = true;
target = "/etc/hostname";
template = builtins.toFile "hostname.tpl" "{{ container.name }}";
when = [ "create" ];
};
# create /etc/nixos/hostname.nix with a configuration for keeping the hostname applied
"hostname-nix" = {
enable = true;
target = "/etc/nixos/hostname.nix";
template = builtins.toFile "hostname-nix.tpl" "{ ... }: { networking.hostName = \"{{ container.name }}\"; }";
# copy keeps the file updated when the container is changed
when = [ "create" "copy" ];
};
# copy allow the user to specify a custom configuration.nix
"configuration-nix" = {
enable = true;
target = "/etc/nixos/configuration.nix";
template = builtins.toFile "configuration-nix" "{{ config_get(\"user.user-data\", properties.default) }}";
when = [ "create" ];
};
};
'';
};
privilegedContainer = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether this LXC container will be running as a privileged container or not. If set to `true` then
additional configuration will be applied to the `systemd` instance running within the container as
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
'';
};
};
};
config = {
boot.isContainer = true;
boot.postBootCommands =
''
# After booting, register the contents of the Nix store in the Nix
# database.
if [ -f /nix-path-registration ]; then
${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
rm /nix-path-registration
fi
# nixos-rebuild also requires a "system" profile
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
'';
system.build.metadata = pkgs.callPackage ../../lib/make-system-tarball.nix {
contents = [
{
source = toYAML "metadata.yaml" {
architecture = builtins.elemAt (builtins.match "^([a-z0-9_]+).+" (toString pkgs.system)) 0;
creation_date = 1;
properties = {
description = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} ${pkgs.system}";
os = "${config.system.nixos.distroId}";
release = "${config.system.nixos.codeName}";
};
templates = templates.properties;
};
target = "/metadata.yaml";
}
] ++ templates.files;
};
# TODO: build rootfs as squashfs for faster unpack
system.build.tarball = pkgs.callPackage ../../lib/make-system-tarball.nix {
extraArgs = "--owner=0";
storeContents = [
{
object = config.system.build.toplevel;
symlink = "none";
}
];
contents = [
{
source = config.system.build.toplevel + "/init";
target = "/sbin/init";
}
# Technically this is not required for lxc, but having also make this configuration work with systemd-nspawn.
# Nixos will setup the same symlink after start.
{
source = config.system.build.toplevel + "/etc/os-release";
target = "/etc/os-release";
}
];
extraCommands = "mkdir -p proc sys dev";
};
# Add the overrides from lxd distrobuilder
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
systemd.packages = [
(pkgs.writeTextFile {
name = "systemd-lxc-service-overrides";
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
text = ''
[Service]
ProcSubset=all
ProtectProc=default
ProtectControlGroups=no
ProtectKernelTunables=no
NoNewPrivileges=no
LoadCredential=
'' + optionalString cfg.privilegedContainer ''
# Additional settings for privileged containers
ProtectHome=no
ProtectSystem=no
PrivateDevices=no
PrivateTmp=no
ProtectKernelLogs=no
ProtectKernelModules=no
ReadWritePaths=
'';
})
];
# Allow the user to login as root without password.
users.users.root.initialHashedPassword = mkOverride 150 "";
system.activationScripts.installInitScript = mkForce ''
ln -fs $systemConfig/init /sbin/init
'';
# Some more help text.
services.getty.helpLine =
''
Log in as "root" with an empty password.
'';
# Containers should be light-weight, so start sshd on demand.
services.openssh.enable = mkDefault true;
services.openssh.startWhenNeeded = mkDefault true;
# As this is intended as a standalone image, undo some of the minimal profile stuff
environment.noXlibs = false;
documentation.enable = true;
documentation.nixos.enable = true;
services.logrotate.enable = true;
};
}