dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/sfh: Working containers
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 44m19s
Details

Browse Source
This commit is contained in:
Jack O'Sullivan
2024-06-30 01:52:52 +01:00
parent 9ac63220d5
commit 7e2dfc21c6
69 changed files with 1107 additions and 994 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
nixos/modules/containers.nix
View File

@@ -1,6 +1,6 @@
{ lib, pkgs, options, config, systems, ... }:
let
inherit (builtins) attrNames attrValues all hashString toJSON;
inherit (builtins) attrNames attrValues all hashString toJSON any;
inherit (lib)
groupBy' mapAttrsToList optionalString optional concatMapStringsSep filterAttrs mkOption mkDefault mkIf mkMerge;
inherit (lib.my) mkOpt' mkBoolOpt';
@@ -98,6 +98,7 @@ let
};
networking = {
bridge = mkOpt' (nullOr str) null "Network bridge to connect to.";
macVLAN = mkOpt' (nullOr str) null "Network interface to make MACVLAN interface from.";
};
};
};
@@ -115,13 +116,17 @@ in
assertion = config.systemd.network.enable;
message = "Containers currently require systemd-networkd!";
}
{
assertion = all (i: i.networking.bridge == null || i.networking.macVLAN == null) (attrValues cfg.instances);
message = "Only bridge OR MACVLAN can be set";
}
];
# TODO: Better security
my.firewall.trustedInterfaces =
mapAttrsToList
(n: _: "ve-${n}")
(filterAttrs (_: c: c.networking.bridge == null) cfg.instances);
(filterAttrs (_: c: c.networking.bridge == null && c.networking.macVLAN == null) cfg.instances);
systemd = mkMerge (mapAttrsToList (n: c: {
nspawn."${n}" = {
@@ -154,6 +159,8 @@ in
};
networkConfig = if (c.networking.bridge != null) then {
Bridge = c.networking.bridge;
} else if (c.networking.macVLAN != null) then {
MACVLAN = "${c.networking.macVLAN}:host0";
} else {
VirtualEthernet = true;
};