experiment with k3s + nix-snapshotter

2024-06-13 16:42:55 +02:00 · 2024-06-13 16:42:55 +02:00 · f986a8300d
commit f986a8300d
parent 1533077234
6 changed files with 593 additions and 4 deletions
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@ -9,6 +9,12 @@
  system,
  ...
 }: {
+  nixpkgs.overlays = [
+    (final: previous: {
+      # inherit (nodeFlake.inputs.nixpkgs-systemd256.legacyPackages.${system}) systemd systemdMinimal;
+    })
+  ];
+
  nixos-x13s = {
    enable = true;
    # TODO: use hardware address
@ -86,6 +92,8 @@
      sops.secrets.builder-private-key = {};
      nix.distributedBuilds = true;
      nix.buildMachines = [
+        # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@sj-bm-hostkey0.dev.infra.holochain.org?ssh-key=/run/secrets/builder-private-key'
+
        {
          hostName = "sj-bm-hostkey0.dev.infra.holochain.org";
          sshUser = "nix-remote-builder";
@ -147,6 +155,40 @@
    ../../snippets/radicale.nix

    ../../snippets/holo-zerotier.nix
+
+    {
+      # (1) Import nixos module.
+      imports = [
+        nodeFlake.inputs.nix-snapshotter.nixosModules.default
+      ];
+
+      # (2) Add overlay.
+      nixpkgs.overlays = [nodeFlake.inputs.nix-snapshotter.overlays.default];
+
+      # (3) Enable service.
+      virtualisation.containerd = {
+        enable = true;
+        k3sIntegration = false;
+        nixSnapshotterIntegration = true;
+
+        # TODO: understand if this has an influence on the systemd LoadCredential issue
+        settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true;
+      };
+      services.nix-snapshotter = {
+        enable = true;
+      };
+
+      # (4) Add a containerd CLI like nerdctl.
+      environment.systemPackages = [
+        pkgs.nerdctl
+        nodeFlake.inputs.nix-snapshotter.packages.${system}.nix-snapshotter
+      ];
+
+      services.k3s = {
+        enable = false;
+        setKubeConfig = true;
+      };
+    }
  ];

  networking.hostName = nodeName;
@ -228,11 +270,11 @@

  # android on linux
  virtualisation.waydroid.enable = false;
-  virtualisation.podman.enable = true;
-  virtualisation.podman.dockerCompat = true;
-
  hardware.ledger.enable = true;

+  virtualisation.containers.enable = true;
+  virtualisation.podman.enable = true;
+
  nix.settings.substituters = [
    "https://nixos-x13s.cachix.org"
  ];
--- a/nix/os/devices/steveej-x13s/flake.lock
+++ b/nix/os/devices/steveej-x13s/flake.lock
@ -70,7 +70,44 @@
        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
      }
    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nix-snapshotter",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1704152458,
+        "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
@ -194,9 +231,31 @@
        "type": "github"
      }
    },
+    "nix-snapshotter": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717948701,
+        "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=",
+        "owner": "yu-re-ka",
+        "repo": "nix-snapshotter",
+        "rev": "c10b066a4b1bb3451507c141636014e3335e579e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "yu-re-ka",
+        "repo": "nix-snapshotter",
+        "type": "github"
+      }
+    },
    "nixos-x13s": {
      "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
@ -297,6 +356,7 @@
        "home-manager": "home-manager",
        "mobile-nixos": "mobile-nixos",
        "mycelium": "mycelium",
+        "nix-snapshotter": "nix-snapshotter",
        "nixos-x13s": "nixos-x13s",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable"
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@ -27,6 +27,12 @@
      url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git";
      flake = false;
    };
+
+    nix-snapshotter = {
+      url = "github:yu-re-ka/nix-snapshotter";
+      # url = "github:pdtpartners/nix-snapshotter";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = {