mirror of
https://github.com/CHN-beta/nixos.git
synced 2026-01-12 04:19:22 +08:00
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a069e7b15e |
6
flake.lock
generated
6
flake.lock
generated
@@ -941,11 +941,11 @@
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1694882942,
|
||||
"narHash": "sha256-J99E0D5LQn8gMWm9r3lGAvPDF7vHyzMxvyHfo3HmXhs=",
|
||||
"lastModified": 1694926133,
|
||||
"narHash": "sha256-WhYl7OMx0+QBzavtLQwghN1cZGmqfeWsZpmk9zJLkjs=",
|
||||
"owner": "CHN-beta",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8eebdf8cffabee8bfb9b054759a5569dbd6de551",
|
||||
"rev": "92dee91f11ade35b4f668c9d604e6375d15978d8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
@@ -6,8 +6,8 @@ inputs:
|
||||
{
|
||||
user = mkOption { type = types.nonEmptyStr; default = inputs.config._module.args.name; };
|
||||
image = mkOption { type = types.package; };
|
||||
imageName =
|
||||
mkOption { type = types.nonEmptyStr; default = with inputs.config.image; (imageName + ":" + imageTag); };
|
||||
# imageName =
|
||||
# mkOption { type = types.nonEmptyStr; default = with inputs.config.image; (imageName + ":" + imageTag); };
|
||||
ports = mkOption
|
||||
{
|
||||
type = types.listOf (types.oneOf
|
||||
@@ -33,38 +33,34 @@ inputs:
|
||||
inherit (builtins) listToAttrs map concatLists;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.config.nixos.services) docker;
|
||||
users = inputs.lib.lists.unique (map (container: container.value.user) (attrsToList docker));
|
||||
in mkIf (docker != {})
|
||||
{
|
||||
virtualisation.oci-containers.containers = listToAttrs (map
|
||||
(container:
|
||||
{
|
||||
name = "${container.name}";
|
||||
value =
|
||||
nixos.virtualization.docker.enable = true;
|
||||
users =
|
||||
{
|
||||
users = listToAttrs (map
|
||||
(user:
|
||||
{
|
||||
image = container.value.imageName;
|
||||
imageFile = container.value.image;
|
||||
ports = map
|
||||
(port:
|
||||
(
|
||||
if builtins.typeOf port == "int" then toString port
|
||||
else ("${port.value.hostIp}:${toString port.value.hostPort}"
|
||||
+ ":${toString port.value.containerPort}/${port.value.protocol}")
|
||||
))
|
||||
container.value.ports;
|
||||
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
|
||||
environmentFiles =
|
||||
if builtins.typeOf container.value.environmentFile == "bool" && container.value.environmentFile
|
||||
then [ inputs.config.sops.templates."${container.name}.env".path ]
|
||||
else if builtins.typeOf container.value.environmentFile == "bool" then []
|
||||
else [ container.value.environmentFile ];
|
||||
};
|
||||
})
|
||||
(attrsToList docker));
|
||||
name = user;
|
||||
value =
|
||||
{
|
||||
isSystemUser = true;
|
||||
group = user;
|
||||
autoSubUidGidRange = true;
|
||||
home = "/run/docker-rootless/${user}";
|
||||
};
|
||||
})
|
||||
users);
|
||||
groups = listToAttrs (map (user: { name = user; value = {}; }) users);
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
services = listToAttrs (concatLists (map
|
||||
(container: let user = container.value.user; in
|
||||
[
|
||||
tmpfiles.rules = map (user: "d /run/docker-rootless/${user} 0755 ${user} ${user}") users;
|
||||
services = listToAttrs
|
||||
(
|
||||
(map
|
||||
(user:
|
||||
{
|
||||
name = "docker-${user}-daemon";
|
||||
value = let originalService = inputs.config.systemd.user.services.docker; in
|
||||
@@ -76,58 +72,82 @@ inputs:
|
||||
{
|
||||
User = user;
|
||||
Group = user;
|
||||
# AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
# from https://www.reddit.com/r/NixOS/comments/158azri/changing_user_slices_cgroup_controllers
|
||||
Delegate = "memory pids cpu cpuset";
|
||||
ExecStart = originalService.serviceConfig.ExecStart
|
||||
+ " -H unix:///var/run/docker-rootless/${user}/docker.sock";
|
||||
};
|
||||
unitConfig = { inherit (originalService.unitConfig) StartLimitInterval; };
|
||||
};
|
||||
}
|
||||
})
|
||||
users)
|
||||
++ (map
|
||||
(container:
|
||||
{
|
||||
name = "docker-${container.name}";
|
||||
value =
|
||||
{
|
||||
requires = [ "docker-${user}-daemon.service" ];
|
||||
after = [ "docker-${user}-daemon.service" ];
|
||||
requires = [ "docker-${container.value.user}-daemon.service" ];
|
||||
after = [ "docker-${container.value.user}-daemon.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ inputs.config.virtualisation.docker.rootless.package ];
|
||||
environment =
|
||||
{
|
||||
XDG_RUNTIME_DIR = "/run/docker-rootless/${user}";
|
||||
DOCKER_HOST = "unix:///run/docker-rootless/${user}/docker.sock";
|
||||
XDG_RUNTIME_DIR = "/run/docker-rootless/${container.value.user}";
|
||||
DOCKER_HOST = "unix:///run/docker-rootless/${container.value.user}/docker.sock";
|
||||
};
|
||||
serviceConfig =
|
||||
{
|
||||
User = user;
|
||||
Group = user;
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
Type = "simple";
|
||||
RemainAfterExit = true;
|
||||
User = container.value.user;
|
||||
Group = container.value.user;
|
||||
ExecStart = inputs.pkgs.writeShellScript "docker-${container.name}.start"
|
||||
''
|
||||
docker rm -f ${container.name} || true
|
||||
echo "loading image"
|
||||
docker load -i ${container.value.image}
|
||||
echo "load finish"
|
||||
docker image ls
|
||||
${
|
||||
builtins.concatStringsSep " \\\n"
|
||||
(
|
||||
[
|
||||
"docker run --rm --name=${container.name}"
|
||||
"--add-host=host.docker.internal:host-gateway"
|
||||
]
|
||||
++ (
|
||||
if (builtins.typeOf container.value.environmentFile) == "string"
|
||||
then [ "--env-file ${container.value.environmentFile}" ]
|
||||
else if container.value.environmentFile
|
||||
then [ "--env-file ${inputs.config.sops.templates."${container.name}.env".path}" ]
|
||||
else []
|
||||
)
|
||||
++ (map
|
||||
(port: "-p ${port}")
|
||||
(map
|
||||
(port:
|
||||
if builtins.typeOf port == "int" then toString port
|
||||
else "${port.value.hostIp}:${toString port.value.hostPort}"
|
||||
+ ":${toString port.value.containerPort}/${port.value.protocol}"
|
||||
)
|
||||
container.value.ports))
|
||||
++ [ "${container.value.image.imageName}:${container.value.image.imageTag}" ]
|
||||
)
|
||||
}
|
||||
'';
|
||||
ExecStop = inputs.pkgs.writeShellScript "docker-${container.name}.stop"
|
||||
''
|
||||
docker stop ${container.name}
|
||||
docker system prune --volumes --force
|
||||
'';
|
||||
# CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
# AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
|
||||
};
|
||||
};
|
||||
}
|
||||
])
|
||||
(attrsToList docker)));
|
||||
tmpfiles.rules = map
|
||||
(container: with container.value; "d /run/docker-rootless/${user} 0755 ${user} ${user}")
|
||||
(attrsToList docker);
|
||||
};
|
||||
nixos.virtualization.docker.enable = true;
|
||||
users =
|
||||
{
|
||||
users = listToAttrs (map
|
||||
(container:
|
||||
{
|
||||
name = container.value.user;
|
||||
value =
|
||||
{
|
||||
isSystemUser = true;
|
||||
group = container.value.user;
|
||||
autoSubUidGidRange = true;
|
||||
home = "/run/docker-rootless/${container.value.user}";
|
||||
};
|
||||
})
|
||||
(attrsToList docker));
|
||||
groups = listToAttrs (map
|
||||
(container: { name = container.value.user; value = {}; })
|
||||
(attrsToList docker));
|
||||
})
|
||||
(attrsToList docker))
|
||||
);
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -31,6 +31,7 @@ inputs:
|
||||
{
|
||||
features.buildkit = true;
|
||||
dns = [ "1.1.1.1" ];
|
||||
# storage-driver = "overlay2";
|
||||
storage-driver = "fuse-overlayfs";
|
||||
};
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user