commit feeeba622180e7b42d1eec0089cd6e1776bad7e5
Author: john
Date: Mon Nov 25 08:49:13 2024 -0600
Initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..14e1829
--- /dev/null
+++ b/README.md
@@ -0,0 +1,15 @@
+# nix-docker
+
+Template for making Nix-based LXC containers in Proxmox to run Docker
+
+## NFS Mounts
+
+Needs to be done in a privileged container because AppArmor makes it a pain in the ass
+
+- [Unprivileged LXC containers](https://pve.proxmox.com/wiki/Unprivileged_LXC_containers)
+- [Mount NFS inside LXC containers](https://theorangeone.net/posts/mount-nfs-inside-lxc/)
+- [How to allow specific Proxmox LXC containers to mount NFS shares on the network?](https://unix.stackexchange.com/questions/450308/how-to-allow-specific-proxmox-lxc-containers-to-mount-nfs-shares-on-the-network)
+
+## Docker
+
+- [Docker on NixOS](https://nixos.wiki/wiki/Docker)
\ No newline at end of file
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..16e4b4f
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,60 @@
+{ pkgs, lib, modulesPath, ... }:
+let
+ stateVersion = "24.05";
+ userName = "myuser";
+ repoPath = "/srv/nix-docker";
+ unstable = import {};
+in
+{
+ system.stateVersion = stateVersion;
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ (import "${builtins.fetchTarball https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz}/nixos")
+ (fetchTarball "https://github.com/nix-community/nixos-vscode-server/tarball/master")
+ (import ./users.nix {
+ inherit stateVersion;
+ inherit userName;
+ inherit repoPath;
+ })
+ # ./mounts.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ (pkgs.writeShellScriptBin "nrbs" "sudo nixos-rebuild switch")
+ (pkgs.writeShellScriptBin "nrbsu" "sudo nix-channel --update && sudo nixos-rebuild switch")
+ bash
+ busybox
+ git
+ eza
+ gh
+ ];
+
+ # For SSH access
+ services.openssh.enable = true;
+
+ # Networking stuff
+ services.avahi = { enable = true; nssmdns4 = true; };
+
+ # https://nixos.wiki/wiki/Docker
+ virtualisation.docker = {
+ enable = true;
+ # https://docs.docker.com/engine/security/rootless/
+ # rootless = {
+ # enable = true;
+ # setSocketVariable = true;
+ # };
+ };
+ services.vscode-server.enable = true;
+
+ system.activationScripts.startup = ''
+ echo "Starting Nix-Docker container"
+ '';
+
+ # Uses rust-based sudo
+ security.sudo-rs = {
+ enable = true;
+ execWheelOnly = false;
+ wheelNeedsPassword = false; # allows sudo without password for those in the wheel group
+ };
+
+}
diff --git a/git.nix b/git.nix
new file mode 100644
index 0000000..b166c30
--- /dev/null
+++ b/git.nix
@@ -0,0 +1,10 @@
+{ repoPath, ... }:
+{
+ programs.git = {
+ enable = true;
+ extraConfig.safe.directory = "${repoPath}";
+ extraConfig.credential.helper = "store --file ~/.git-credentials";
+ userName = "John Lancaster";
+ userEmail = "32917998+jsl12@users.noreply.github.com";
+ };
+}
\ No newline at end of file
diff --git a/users.nix b/users.nix
new file mode 100644
index 0000000..b1edf33
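Review bot: Both `fetchTarball` calls in the `imports` list of configuration.nix pull code into the system closure without a `sha256`, so every rebuild evaluates whatever GitHub currently serves at those URLs, and the `tarball/master` one for nixos-vscode-server is a moving branch rather than a release. Pinning with the attribute-set form, e.g. `(fetchTarball { url = "https://github.com/nix-community/nixos-vscode-server/tarball/master"; sha256 = "<nixos-vscode-server-sha256>"; })`, and the same for the home-manager line, makes the inputs reproducible and detects a tampered or changed tarball. Separately, `unstable = import {};` is never used and looks like it lost an angle-bracketed channel reference when the page was rendered; worth confirming against the real file. Also note that `security.sudo-rs` with `wheelNeedsPassword = false` and `execWheelOnly = false` gives every wheel member unauthenticated root, which is deliberate per the inline comment but should be called out in the README as a property of the template.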
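Review bot: `extraConfig.credential.helper = "store --file ~/.git-credentials"` in git.nix persists Git credentials unencrypted in the user's home directory, so anything that can read that file (including any process running as this user, which the docker group and passwordless wheel make root-equivalent) obtains a reusable token. If plaintext storage is an accepted trade-off for this template, a comment stating it, such as `# credentials are stored in plaintext in ~/.git-credentials; use a scoped, revocable token`, would at least make the choice visible; otherwise `extraConfig.credential.helper = "cache --timeout=3600";` keeps the secret in memory only. The hard-coded `userName`/`userEmail` also make this file single-user, which is at odds with a template that already parameterises `repoPath` and `userName`.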
--- /dev/null
+++ b/users.nix
@@ -0,0 +1,21 @@
+{ stateVersion, userName, repoPath, ... }:
+{
+ users.users.${userName} = {
+ isNormalUser = true;
+ extraGroups = [
+ "wheel" # needed for sudo without password
+ "docker" # needed for docker without sudo
+ ];
+ openssh.authorizedKeys.keyFiles = [
+ "/root/.ssh/authorized_keys" # should already have your public SSH key inside
+ ];
+ };
+
+ home-manager = {
+ useGlobalPkgs = true;
+ users.${userName} = {
+ home.stateVersion = stateVersion;
+ imports = [ (import ./git.nix { inherit repoPath; }) ];
+ };
+ };
+}
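Review bot: `openssh.authorizedKeys.keyFiles = [ "/root/.ssh/authorized_keys" ]` in users.nix ties the new user's SSH trust to root's authorized_keys file, so any key that is ever added there (by Proxmox, by another operator) silently gains login as this user, and because the same user is in `wheel` (passwordless sudo in configuration.nix) and `docker` (socket access is root-equivalent), that login is effectively root. A dedicated list of keys for the user, `openssh.authorizedKeys.keys = [ "<your-public-key>" ];`, or a per-user key file keeps the two trust sets independent. The comment on the `"docker"` entry could also state the consequence, e.g. `"docker" # docker socket access is root-equivalent; see rootless option in configuration.nix`.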