96 lines
3.2 KiB
Nix
96 lines
3.2 KiB
Nix
|
{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
|
||
|
|
||
|
let
|
||
|
mkIPv4 = index: local:
|
||
|
"192.168.${if local then "100" else "101"}.${toString index}";
|
||
|
mkIPv6 = index: local:
|
||
|
"fd00::${if local then "100" else "101"}:${toString index}";
|
||
|
|
||
|
evalConfig = nixosConfig: (nixosSystem {
|
||
|
inherit (config.nixpkgs) system;
|
||
|
modules = [
|
||
|
nixosConfig
|
||
|
modules.nopersist
|
||
|
profiles.container
|
||
|
{ nixpkgs.pkgs = lib.mkForce pkgs; }
|
||
|
];
|
||
|
specialArgs = {
|
||
|
inherit modules sources;
|
||
|
};
|
||
|
}).config.system.build.toplevel;
|
||
|
|
||
|
in {
|
||
|
options.hacc.containers = with lib.options;
|
||
|
mkOption {
|
||
|
description = ''
|
||
|
hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
|
||
|
- they automatically get an IPv4/IPv6 address assigned
|
||
|
(note that these are not guaranteed to be stable across config changes,
|
||
|
so please use {option}`containers.<name>.hostAddress` & friends to
|
||
|
reference them elsewhere)
|
||
|
- they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
|
||
|
- they are evaluated with our own version of {nix}`evalConfig`, which includes a
|
||
|
couple more modules by default, use our version of `nixpkgs`, and includes the
|
||
|
{nix}`profiles.containers` profile setting sane defaults for containers.
|
||
|
'';
|
||
|
default = { };
|
||
|
type = with lib.types;
|
||
|
types.attrsOf (types.submodule {
|
||
|
options = {
|
||
|
bindToPersist = mkOption {
|
||
|
default = true;
|
||
|
type = types.bool;
|
||
|
description =
|
||
|
"Wether to mount /persist/containers/<name> at /persist into this container.";
|
||
|
};
|
||
|
|
||
|
bindSecrets = mkOption {
|
||
|
default = false;
|
||
|
type = types.bool;
|
||
|
description =
|
||
|
"Whether to mount /run/secrets/<name> at /secrets into this container.";
|
||
|
};
|
||
|
|
||
|
config = mkOption {
|
||
|
type = types.unspecified;
|
||
|
description =
|
||
|
"The container's config, to be evaluated with our own {nix}`evalConfig`.";
|
||
|
};
|
||
|
};
|
||
|
});
|
||
|
};
|
||
|
|
||
|
# wrapped into imap1, which enumerates the containers; IP addresses are then
|
||
|
# simply assigned based on the order the containers are in the list.
|
||
|
config.containers = lib.mkMerge (lib.imap1
|
||
|
(index: { name, value }: let container = value; in {
|
||
|
${name} = {
|
||
|
hostAddress = mkIPv4 index false;
|
||
|
localAddress = mkIPv4 index true;
|
||
|
hostAddress6 = mkIPv6 index false;
|
||
|
localAddress6 = mkIPv6 index true;
|
||
|
|
||
|
privateNetwork = true;
|
||
|
autoStart = true;
|
||
|
ephemeral = true;
|
||
|
|
||
|
bindMounts = lib.mkMerge [
|
||
|
(lib.mkIf container.bindToPersist {
|
||
|
"/persist" = {
|
||
|
hostPath = "/persist/containers/${name}";
|
||
|
isReadOnly = false;
|
||
|
};
|
||
|
})
|
||
|
(lib.mkIf container.bindSecrets {
|
||
|
"/secrets" = {
|
||
|
hostPath = "/run/secrets/${name}";
|
||
|
isReadOnly = true;
|
||
|
};
|
||
|
})
|
||
|
];
|
||
|
|
||
|
path = evalConfig container.config;
|
||
|
};
|
||
|
}) (lib.attrsToList config.hacc.containers));
|
||
|
}
|