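# system/lxc.nix
#
# Lab host running LXC containers for the "labmates" group: a br0 bridge with
# a private 10.100.0.0/24, nftables masquerading towards any uplink, dnsmasq
# DHCP on the bridge, and an sshd Match block that forces labmates into
# `lxc-login` instead of a host shell.
{ config, pkgs, ... }: {
  virtualisation.lxc = {
    enable = true;
    lxcfs.enable = true;
  };

  # Passwordless sudo for the two LXC commands the lxc-login wrapper needs.
  # NOTE(review): neither entry restricts arguments, so any labmate can attach
  # to or start any container as root, not just their own. With the unconfined,
  # non-idmapped container defaults below that is effectively host-root; prefer
  # pinning the permitted arguments per command (sudoers supports argument
  # patterns) or keeping the privileged step inside lxc-login.
  security.sudo.extraRules = [{
    groups = [ "labmates" ];
    commands = [
      { command = "/run/current-system/sw/bin/lxc-attach"; options = [ "NOPASSWD" ]; }
      { command = "/run/current-system/sw/bin/lxc-start"; options = [ "NOPASSWD" ]; }
    ];
  }];

  # Keep NetworkManager away from the container bridge.
  networking.networkmanager.unmanaged = [ "br0" ];

  # Written to /etc/lxc/lxc.conf (LXC system config).
  # NOTE(review): lxc.start.auto is a per-container key (lxc.container.conf);
  # in the system config it is presumably ignored, and lxc-autostart below will
  # only pick up containers whose own config sets it — confirm before relying
  # on this line.
  virtualisation.lxc.systemConfig = ''
    lxc.start.auto = 1
  '';

  # Start/stop all autostart-flagged containers with the host.
  systemd.services.lxc-autostart = {
    description = "LXC autostart containers";
    after = [ "network.target" "lxc.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.lxc}/bin/lxc-autostart";
      # -s: shut the containers down again on unit stop.
      ExecStop = "${pkgs.lxc}/bin/lxc-autostart -s";
    };
  };

  # Default config for newly created containers. The NixOS lxc module writes
  # this option to /etc/lxc/default.conf itself, so it must not also be set via
  # environment.etc."lxc/default.conf" — the previous duplicate definition
  # differed from this one (hwaddr vs cgroup.relative) and two differing
  # definitions of the same etc file fail evaluation with a conflicting-
  # definition error. The hwaddr line has been merged here instead.
  #
  # Security notes:
  #  - `lxc.apparmor.profile = unconfined` disables AppArmor confinement for
  #    every container created from this default.
  #  - no lxc.idmap is given, so containers are privileged unless a
  #    per-container config adds one — root inside equals root on the host.
  virtualisation.lxc.defaultConfig = ''
    lxc.net.0.type = veth
    lxc.net.0.link = br0
    lxc.net.0.flags = up
    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
    lxc.apparmor.profile = unconfined
    lxc.cgroup.relative = 1
  '';

  # br0 carries only container veths; the host is the gateway at .1.
  networking.bridges.br0.interfaces = [];
  networking.interfaces.br0.ipv4.addresses = [{
    address = "10.100.0.1";
    prefixLength = 24;
  }];

  # wildcard masquerade — no need to specify external interface per host
  # (networking.nat is disabled because it would want an explicit externalInterface).
  # NOTE(review): only a NAT postrouting chain is defined; there is no forward
  # filter chain here, so container egress is unrestricted unless another
  # table on this host filters it — confirm if the lab needs egress limits.
  networking.nat.enable = false;
  networking.nftables.enable = true;
  networking.nftables.tables.lab-nat = {
    family = "ip";
    content = ''
      chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.100.0.0/24 oifname != "br0" masquerade
      }
    '';
  };

  # IP forwarding (required for the masquerade above to route container traffic).
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # DHCP for containers on the bridge
  # bind-interfaces keeps dnsmasq off every interface except br0.
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "br0";
      bind-interfaces = true;
      dhcp-range = "10.100.0.10,10.100.0.200,24h";
      # option 3 = default gateway (the host), option 6 = DNS servers.
      dhcp-option = [ "3,10.100.0.1" "6,8.8.8.8,1.1.1.1" ];
    };
  };

  # labmates get dropped into their container
  # ForceCommand replaces any requested command/shell, so labmates never get a
  # host shell; TCP and X11 forwarding are disabled for the same reason.
  # NOTE(review): consider also `AllowAgentForwarding no` and
  # `PermitTunnel no` in this Match block so the host does not relay those.
  services.openssh.extraConfig = ''
    Match Group labmates
      ForceCommand /run/current-system/sw/bin/lxc-login
      AllowTcpForwarding no
      X11Forwarding no
  '';

  users.groups.labmates = {};

  environment.systemPackages = with pkgs; [
    lxc
    # lxc-templates
    wget
    gnupg
    debootstrap
    bridge-utils
    # This is the /run/current-system/sw/bin/lxc-login that the sshd
    # ForceCommand above executes.
    (writeShellScriptBin "lxc-login" (builtins.readFile ../home/scripts/lxc/lxc-login.sh))
  ];

  # Second copy of the wrapper script under /etc/local/bin; the ForceCommand
  # uses the systemPackages copy, so this one is presumably for manual use.
  environment.etc."local/bin/lxc-login".source = ../home/scripts/lxc/lxc-login.sh;
  environment.etc."local/bin/lxc-login".mode = "0755";
}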