You can now say:
  systemd.containers.foo.config =
    { services.openssh.enable = true;
      services.openssh.ports = [ 2022 ];
      users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
    };
which defines a NixOS instance with the given configuration running
inside a lightweight container.
You can also manage the configuration of the container independently
from the host:
  systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo";
where "path" is a NixOS system profile.  It can be created/updated by
doing:
  $ nix-env --set -p /nix/var/nix/profiles/containers/foo \
      -f '<nixos>' -A system -I nixos-config=foo.nix
The container configuration (foo.nix) should define
  boot.isContainer = true;
to optimise away the building of a kernel and initrd.  This is done
automatically when using the "config" route.
On the host, a lightweight container appears as the service
"container-<name>.service".  The container is like a regular NixOS
(virtual) machine, except that it doesn't have its own kernel.  It has
its own root file system (by default /var/lib/containers/<name>), but
shares the Nix store of the host (as a read-only bind mount).  It also
has access to the network devices of the host.
Currently, if the configuration of the container changes, running
"nixos-rebuild switch" on the host will cause the container to be
rebooted.  In the future we may want to send some message to the
container so that it can activate the new container configuration
without rebooting.
Containers are not perfectly isolated yet.  In particular, the host's
/sys/fs/cgroup is mounted (writable!) in the guest.
		
	
			
		
			
				
	
	
		
# From an end-user configuration file (`configuration'), build a NixOS
# configuration object (`config') from which we can retrieve option
# values.
#
# Arguments:
#   system      - platform type used when Nixpkgs is imported by this
#                 file; superseded by the option nixpkgs.system when that
#                 option is set to a non-empty string.
#   pkgs        - an already-imported Nixpkgs, or null to have this file
#                 import ./nixpkgs.nix itself (see `pkgs' below).
#   baseModules - the NixOS module list; appended after `modules'.
#   extraArgs   - extra attributes made available to every module, on top
#                 of the ones this file adds (see `extraArgs' below).
#   modules     - the caller's modules (typically the configuration file).
#   check       - passed to evalModules as `check', after being ANDed with
#                 environment.checkConfigurationOptions.
#   prefix      - passed through to evalModules unchanged.
#
# The result is a recursive set exposing `config', `options', `pkgs'
# and `extraArgs'.

{ system ? builtins.currentSystem
, pkgs ? null
, baseModules ? import ../modules/module-list.nix
, extraArgs ? {}
, modules
, check ? true
, prefix ? []
}:

# The attributes `pkgs' and `extraArgs' of the set below shadow the
# function arguments of the same name, so keep the originals reachable
# under different names.
let
  argExtraArgs = extraArgs;
  argPkgs = pkgs;
  argSystem = system;
in

rec {

  # Import Nixpkgs, allowing the NixOS option nixpkgs.config to
  # specify the Nixpkgs configuration (e.g., to set package options
  # such as firefox.enableGeckoMediaPlayer, or to apply global
  # overrides such as changing GCC throughout the system), and the
  # option nixpkgs.system to override the platform type.  This is
  # tricky, because we have to prevent an infinite recursion: "pkgs"
  # is passed as an argument to NixOS modules, but the value of "pkgs"
  # depends on config.nixpkgs.config, which we get from the modules.
  # So we call ourselves here with "pkgs" explicitly set to an
  # instance that doesn't depend on nixpkgs.config.  A caller-supplied
  # "pkgs" short-circuits all of this.
  pkgs =
    if argPkgs == null
    then import ./nixpkgs.nix (
      let
        # Nested evaluation of this very file, restricted to the one
        # module that declares the nixpkgs.* options.  For efficiency,
        # leave out most NixOS modules; they don't define
        # nixpkgs.config, so it's pointless to evaluate them.  The
        # explicit "pkgs" here is what breaks the recursion; `check'
        # is off presumably because definitions for options of the
        # omitted modules would otherwise be rejected -- confirm.
        nixpkgsOptions = (import ./eval-config.nix {
          inherit system extraArgs modules prefix;
          baseModules = [ ../modules/misc/nixpkgs.nix ];
          pkgs = import ./nixpkgs.nix { system = argSystem; config = {}; };
          check = false;
        }).config.nixpkgs;
        # The platform Nixpkgs is imported for: nixpkgs.system wins
        # when set, otherwise the `system' argument.  This `system'
        # is itself handed to the nested evaluation above; that is
        # only sound because the nested call receives "pkgs"
        # explicitly and so (as far as this file shows) never forces
        # its `system' argument -- NOTE(review): verify that
        # ../modules/misc/nixpkgs.nix doesn't force it either.
        system =
          if nixpkgsOptions.system != ""
          then nixpkgsOptions.system
          else argSystem;
      in {
        inherit system;
        inherit (nixpkgsOptions) config;
      })
    else argPkgs;

  # These are the extra arguments passed to every module.  In
  # particular, Nixpkgs is passed through the "pkgs" argument.
  # Caller-supplied attributes come first, so the ones added here
  # take precedence on a name clash.
  extraArgs = argExtraArgs // {
    inherit pkgs modules baseModules;
    modulesPath = ../modules;
    # NOTE(review): unlike `pkgs', this import passes no nixpkgs.config,
    # so 32-bit packages ignore the user's Nixpkgs configuration --
    # confirm this is intended.
    pkgs_i686 = import ./nixpkgs.nix { system = "i686-linux"; };
    utils = import ./utils.nix pkgs;
  };

  # Merge the option definitions in all modules, forming the full
  # system configuration.  `check' is additionally gated on the
  # environment.checkConfigurationOptions option, read from the very
  # evaluation it controls (lazily, via the recursive set).
  inherit (pkgs.lib.evalModules {
    args = extraArgs;
    inherit prefix;
    modules = modules ++ baseModules;
    check = check && options.environment.checkConfigurationOptions.value;
  }) config options;

}