71c4426e53
docker
| Author | SHA1 | Date | |
|---|---|---|---|
| a069e7b15e |
6
flake.lock
generated
6
flake.lock
generated
@@ -941,11 +941,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs_4": {
|
"nixpkgs_4": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1694882942,
|
"lastModified": 1694926133,
|
||||||
"narHash": "sha256-J99E0D5LQn8gMWm9r3lGAvPDF7vHyzMxvyHfo3HmXhs=",
|
"narHash": "sha256-WhYl7OMx0+QBzavtLQwghN1cZGmqfeWsZpmk9zJLkjs=",
|
||||||
"owner": "CHN-beta",
|
"owner": "CHN-beta",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "8eebdf8cffabee8bfb9b054759a5569dbd6de551",
|
"rev": "92dee91f11ade35b4f668c9d604e6375d15978d8",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|||||||
@@ -6,8 +6,8 @@ inputs:
|
|||||||
{
|
{
|
||||||
user = mkOption { type = types.nonEmptyStr; default = inputs.config._module.args.name; };
|
user = mkOption { type = types.nonEmptyStr; default = inputs.config._module.args.name; };
|
||||||
image = mkOption { type = types.package; };
|
image = mkOption { type = types.package; };
|
||||||
imageName =
|
# imageName =
|
||||||
mkOption { type = types.nonEmptyStr; default = with inputs.config.image; (imageName + ":" + imageTag); };
|
# mkOption { type = types.nonEmptyStr; default = with inputs.config.image; (imageName + ":" + imageTag); };
|
||||||
ports = mkOption
|
ports = mkOption
|
||||||
{
|
{
|
||||||
type = types.listOf (types.oneOf
|
type = types.listOf (types.oneOf
|
||||||
@@ -33,38 +33,34 @@ inputs:
|
|||||||
inherit (builtins) listToAttrs map concatLists;
|
inherit (builtins) listToAttrs map concatLists;
|
||||||
inherit (inputs.localLib) attrsToList;
|
inherit (inputs.localLib) attrsToList;
|
||||||
inherit (inputs.config.nixos.services) docker;
|
inherit (inputs.config.nixos.services) docker;
|
||||||
|
users = inputs.lib.lists.unique (map (container: container.value.user) (attrsToList docker));
|
||||||
in mkIf (docker != {})
|
in mkIf (docker != {})
|
||||||
{
|
{
|
||||||
virtualisation.oci-containers.containers = listToAttrs (map
|
nixos.virtualization.docker.enable = true;
|
||||||
(container:
|
users =
|
||||||
{
|
{
|
||||||
name = "${container.name}";
|
users = listToAttrs (map
|
||||||
value =
|
(user:
|
||||||
{
|
{
|
||||||
image = container.value.imageName;
|
name = user;
|
||||||
imageFile = container.value.image;
|
value =
|
||||||
ports = map
|
{
|
||||||
(port:
|
isSystemUser = true;
|
||||||
(
|
group = user;
|
||||||
if builtins.typeOf port == "int" then toString port
|
autoSubUidGidRange = true;
|
||||||
else ("${port.value.hostIp}:${toString port.value.hostPort}"
|
home = "/run/docker-rootless/${user}";
|
||||||
+ ":${toString port.value.containerPort}/${port.value.protocol}")
|
};
|
||||||
))
|
})
|
||||||
container.value.ports;
|
users);
|
||||||
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
|
groups = listToAttrs (map (user: { name = user; value = {}; }) users);
|
||||||
environmentFiles =
|
};
|
||||||
if builtins.typeOf container.value.environmentFile == "bool" && container.value.environmentFile
|
|
||||||
then [ inputs.config.sops.templates."${container.name}.env".path ]
|
|
||||||
else if builtins.typeOf container.value.environmentFile == "bool" then []
|
|
||||||
else [ container.value.environmentFile ];
|
|
||||||
};
|
|
||||||
})
|
|
||||||
(attrsToList docker));
|
|
||||||
systemd =
|
systemd =
|
||||||
{
|
{
|
||||||
services = listToAttrs (concatLists (map
|
tmpfiles.rules = map (user: "d /run/docker-rootless/${user} 0755 ${user} ${user}") users;
|
||||||
(container: let user = container.value.user; in
|
services = listToAttrs
|
||||||
[
|
(
|
||||||
|
(map
|
||||||
|
(user:
|
||||||
{
|
{
|
||||||
name = "docker-${user}-daemon";
|
name = "docker-${user}-daemon";
|
||||||
value = let originalService = inputs.config.systemd.user.services.docker; in
|
value = let originalService = inputs.config.systemd.user.services.docker; in
|
||||||
@@ -76,58 +72,82 @@ inputs:
|
|||||||
{
|
{
|
||||||
User = user;
|
User = user;
|
||||||
Group = user;
|
Group = user;
|
||||||
# AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
# from https://www.reddit.com/r/NixOS/comments/158azri/changing_user_slices_cgroup_controllers
|
||||||
|
Delegate = "memory pids cpu cpuset";
|
||||||
ExecStart = originalService.serviceConfig.ExecStart
|
ExecStart = originalService.serviceConfig.ExecStart
|
||||||
+ " -H unix:///var/run/docker-rootless/${user}/docker.sock";
|
+ " -H unix:///var/run/docker-rootless/${user}/docker.sock";
|
||||||
};
|
};
|
||||||
unitConfig = { inherit (originalService.unitConfig) StartLimitInterval; };
|
unitConfig = { inherit (originalService.unitConfig) StartLimitInterval; };
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
|
users)
|
||||||
|
++ (map
|
||||||
|
(container:
|
||||||
{
|
{
|
||||||
name = "docker-${container.name}";
|
name = "docker-${container.name}";
|
||||||
value =
|
value =
|
||||||
{
|
{
|
||||||
requires = [ "docker-${user}-daemon.service" ];
|
requires = [ "docker-${container.value.user}-daemon.service" ];
|
||||||
after = [ "docker-${user}-daemon.service" ];
|
after = [ "docker-${container.value.user}-daemon.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
path = [ inputs.config.virtualisation.docker.rootless.package ];
|
||||||
environment =
|
environment =
|
||||||
{
|
{
|
||||||
XDG_RUNTIME_DIR = "/run/docker-rootless/${user}";
|
XDG_RUNTIME_DIR = "/run/docker-rootless/${container.value.user}";
|
||||||
DOCKER_HOST = "unix:///run/docker-rootless/${user}/docker.sock";
|
DOCKER_HOST = "unix:///run/docker-rootless/${container.value.user}/docker.sock";
|
||||||
};
|
};
|
||||||
serviceConfig =
|
serviceConfig =
|
||||||
{
|
{
|
||||||
User = user;
|
Type = "simple";
|
||||||
Group = user;
|
RemainAfterExit = true;
|
||||||
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
User = container.value.user;
|
||||||
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
Group = container.value.user;
|
||||||
|
ExecStart = inputs.pkgs.writeShellScript "docker-${container.name}.start"
|
||||||
|
''
|
||||||
|
docker rm -f ${container.name} || true
|
||||||
|
echo "loading image"
|
||||||
|
docker load -i ${container.value.image}
|
||||||
|
echo "load finish"
|
||||||
|
docker image ls
|
||||||
|
${
|
||||||
|
builtins.concatStringsSep " \\\n"
|
||||||
|
(
|
||||||
|
[
|
||||||
|
"docker run --rm --name=${container.name}"
|
||||||
|
"--add-host=host.docker.internal:host-gateway"
|
||||||
|
]
|
||||||
|
++ (
|
||||||
|
if (builtins.typeOf container.value.environmentFile) == "string"
|
||||||
|
then [ "--env-file ${container.value.environmentFile}" ]
|
||||||
|
else if container.value.environmentFile
|
||||||
|
then [ "--env-file ${inputs.config.sops.templates."${container.name}.env".path}" ]
|
||||||
|
else []
|
||||||
|
)
|
||||||
|
++ (map
|
||||||
|
(port: "-p ${port}")
|
||||||
|
(map
|
||||||
|
(port:
|
||||||
|
if builtins.typeOf port == "int" then toString port
|
||||||
|
else "${port.value.hostIp}:${toString port.value.hostPort}"
|
||||||
|
+ ":${toString port.value.containerPort}/${port.value.protocol}"
|
||||||
|
)
|
||||||
|
container.value.ports))
|
||||||
|
++ [ "${container.value.image.imageName}:${container.value.image.imageTag}" ]
|
||||||
|
)
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
ExecStop = inputs.pkgs.writeShellScript "docker-${container.name}.stop"
|
||||||
|
''
|
||||||
|
docker stop ${container.name}
|
||||||
|
docker system prune --volumes --force
|
||||||
|
'';
|
||||||
|
# CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||||
|
# AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
])
|
(attrsToList docker))
|
||||||
(attrsToList docker)));
|
);
|
||||||
tmpfiles.rules = map
|
|
||||||
(container: with container.value; "d /run/docker-rootless/${user} 0755 ${user} ${user}")
|
|
||||||
(attrsToList docker);
|
|
||||||
};
|
|
||||||
nixos.virtualization.docker.enable = true;
|
|
||||||
users =
|
|
||||||
{
|
|
||||||
users = listToAttrs (map
|
|
||||||
(container:
|
|
||||||
{
|
|
||||||
name = container.value.user;
|
|
||||||
value =
|
|
||||||
{
|
|
||||||
isSystemUser = true;
|
|
||||||
group = container.value.user;
|
|
||||||
autoSubUidGidRange = true;
|
|
||||||
home = "/run/docker-rootless/${container.value.user}";
|
|
||||||
};
|
|
||||||
})
|
|
||||||
(attrsToList docker));
|
|
||||||
groups = listToAttrs (map
|
|
||||||
(container: { name = container.value.user; value = {}; })
|
|
||||||
(attrsToList docker));
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
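Review bot: `docker system prune --volumes --force` in the new ExecStop removes every unused volume, network and dangling image on that user's rootless daemon, not only this container's, and that daemon is shared by every container declaring the same `user` (the list is deduplicated with `lib.lists.unique`), so stopping one container can delete the persistent volumes of a sibling that happens to be stopped at that moment. Drop the prune from the stop path, or narrow it to `docker image prune --force` if the intent is only to reclaim the image loaded in ExecStart. Separately, `Type = "simple"` together with `RemainAfterExit = true` on a foreground `docker run --rm` keeps the unit active after the container exits, so a crashed container is never reported as a failed unit; `RemainAfterExit = false` plus a `Restart = "on-failure"` policy would surface it. The new user definition also sets `home` to `/run/docker-rootless/${user}`, which lives on tmpfs — if the rootless daemon keeps its default data-root under `$HOME` (its data-root is not set in this hunk, so confirm), loaded images and volumes sit in RAM and are lost on reboot.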
|||||||
@@ -31,6 +31,7 @@ inputs:
|
|||||||
{
|
{
|
||||||
features.buildkit = true;
|
features.buildkit = true;
|
||||||
dns = [ "1.1.1.1" ];
|
dns = [ "1.1.1.1" ];
|
||||||
|
# storage-driver = "overlay2";
|
||||||
storage-driver = "fuse-overlayfs";
|
storage-driver = "fuse-overlayfs";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||