This commit is contained in:
steveej 2024-10-16 18:28:17 +02:00
parent 4c71887ea6
commit bd8630681b
3 changed files with 86 additions and 64 deletions


@ -1,7 +1,7 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
# nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
@ -102,7 +102,7 @@
imports = [
(modulesPath + "/profiles/minimal.nix")
];
system.stateVersion = "24.05";
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
boot.isContainer = true;
@ -116,22 +116,37 @@
services.nscd.enable = false;
system.nssModules = lib.mkForce [];
systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = true;
systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false;
systemd.services.nix-daemon.enable = false;
systemd.oomd.enable = false;
networking.useDHCP = false;
networking.firewall.enable = false;
# system.build.earlyMountScript =
# lib.mkForce ''
# '';
# system.activationScripts.specialfs =
# lib.mkForce ''
# '';
boot.postBootCommands = ''
ls -lha /run
mkdir -p /run/wrappers
'';
boot.kernelParams = [
"systemd.log_level=debug"
];
# services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce [];
fileSystems = lib.mkForce {};
services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
@ -151,17 +166,18 @@
serviceConfig = {
SyslogIdentifier = "testing-credential";
StateDirectory = "testing-credentials";
# DynamicUser = true;
DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
LoadCredential = [
"mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
"hosts:/etc/hosts"
];
SetCredential = "nosecret:not secret string";
ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do
ls -lha $CREDENTIALS_DIRECTORY
@ -228,6 +244,9 @@
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
@ -312,6 +331,7 @@
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
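Review bot: `SetCredential = "mycelium-keyfile:not secret string";` in the fourth hunk reuses the credential name of the real key while the `LoadCredential` entries that delivered it are commented out, and SetCredential data is stored in plain text in the generated unit file, so it is only suitable for non-secret values; if this is a stand-in for testing, say so next to the line, e.g. `# test stand-in only: SetCredential is plaintext in the unit; use LoadCredential (or SetCredentialEncrypted) for the real key`. The added `DynamicUser = true` together with `ProtectSystem = true` is a reasonable hardening of the service, but the pre-existing `env` and `ls -lha $CREDENTIALS_DIRECTORY` in ExecStart will print the environment and the credential directory listing into the journal on every loop iteration, which is worth removing once credential loading works. In the third hunk, `boot.kernelParams = [ "systemd.log_level=debug" ];` and `networking.firewall.enable = false;` appear to be debugging aids and deserve a TODO so they are not left in the built image. The serviceConfig set in the fourth hunk begins before the hunk and its ExecStart script continues past it, and the fifth hunk only adds `--cgroup-manager cgroupfs` to a container run that was already `--privileged`, which remains the largest exposure in this file.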