Initial commit

README.md

@@ -0,0 +1,15 @@
+# nix-docker
+
+Template for making Nix-based LXC containers in Proxmox to run Docker
+
+## NFS Mounts
+
+Needs to be done in a privileged container because AppArmor makes it a pain in the ass
+
+- [Unprivileged LXC containers](https://pve.proxmox.com/wiki/Unprivileged_LXC_containers)
+- [Mount NFS inside LXC containers](https://theorangeone.net/posts/mount-nfs-inside-lxc/)
+- [How to allow specific Proxmox LXC containers to mount NFS shares on the network?](https://unix.stackexchange.com/questions/450308/how-to-allow-specific-proxmox-lxc-containers-to-mount-nfs-shares-on-the-network)
+
+## Docker
+
+- [Docker on NixOS](https://nixos.wiki/wiki/Docker)

configuration.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, modulesPath, ... }:
+let
+  stateVersion = "24.05";
+  userName = "myuser";
+  repoPath = "/srv/nix-docker";
+  unstable = import <nixos-unstable> {};
+in
+{
+  system.stateVersion = stateVersion;
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    (import "${builtins.fetchTarball https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz}/nixos")
+    (fetchTarball "https://github.com/nix-community/nixos-vscode-server/tarball/master")
+    (import ./users.nix {
+      inherit stateVersion;
+      inherit userName;
+      inherit repoPath;
+    })
+    # ./mounts.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    (pkgs.writeShellScriptBin "nrbs" "sudo nixos-rebuild switch")
+    (pkgs.writeShellScriptBin "nrbsu" "sudo nix-channel --update && sudo nixos-rebuild switch")
+    bash
+    busybox
+    git
+    eza
+    gh
+  ];
+
+  # For SSH access
+  services.openssh.enable = true;
+
+  # Networking stuff
+  services.avahi = { enable = true; nssmdns4 = true; };
+
+  # https://nixos.wiki/wiki/Docker
+  virtualisation.docker = {
+    enable = true;
+    # https://docs.docker.com/engine/security/rootless/
+    # rootless = {
+    #   enable = true;
+    #   setSocketVariable = true;
+    # };
+  };
+  services.vscode-server.enable = true;
+  
+  system.activationScripts.startup = ''
+    echo "Starting Nix-Docker container"
+  '';
+
+  # Uses rust-based sudo
+  security.sudo-rs = {
+    enable = true;
+    execWheelOnly = false;
+    wheelNeedsPassword = false; # allows sudo without password for those in the wheel group
+  };
+
+}

git.nix

@@ -0,0 +1,10 @@
+{ repoPath, ... }:
+{
+  programs.git = {
+    enable = true;
+    extraConfig.safe.directory = "${repoPath}";
+    extraConfig.credential.helper = "store --file ~/.git-credentials";
+    userName = "John Lancaster";
+    userEmail = "32917998+jsl12@users.noreply.github.com";
+  };
+}

users.nix

@@ -0,0 +1,21 @@
+{ stateVersion, userName, repoPath, ... }:
+{
+  users.users.${userName} = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"   # needed for sudo without password
+      "docker"  # needed for docker without sudo
+    ];
+    openssh.authorizedKeys.keyFiles = [
+      "/root/.ssh/authorized_keys" # should already have your public SSH key inside
+    ];
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+    users.${userName} = {
+      home.stateVersion = stateVersion;
+      imports = [ (import ./git.nix { inherit repoPath; }) ];
+    };
+  };
+}