experimenting with nixos modules in oci containers

See the Readme.org file for what this is.

4 files changed, 170 insertions, 0 deletions

diff --git a/nix-modules/.gitignore b/nix-modules/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/nix-modules/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/nix-modules/Readme.org b/nix-modules/Readme.org
new file mode 100644
index 0000000..eb314e2
--- /dev/null
+++ b/nix-modules/Readme.org
@@ -0,0 +1,57 @@
+#+TITLE: NixOS modules in OCI container
+
+* Idea
+Nix makes it easy to build small oci containers (docker/podman) using
+its package set, which will contain nothing that isn't absolutely
+necessary.
+
+However, this only applies to packages, not the NixOS module system
+that is usually used to generate config files from the Nix language,
+which are then wrapped into systemd module files. Unfortunately,
+systemd cannot run in docker (and would present a lot of unnecessary
+overhead).
+
+This is an experiment at redefining the NixOS module responsible for
+generating the systemd unit files to generate simple shell scripts
+that can serve as an entrypoint for the OCI containers instead that
+run the same services as they would on NixOS.
+
+* Running
+There's an example running a grafana server in ~example.nix~. Build
+it with:
+
+#+begin_src sh
+docker load < $(nix-build example.nix)
+#+end_src
+
+Then run the image name that docker prints out:
+
+#+begin_src sh
+docker run -p 3000:3000 -t grafana:ib6aahrmhqbzk444b8nq384zrg86fzdm
+#+end_src
+
+The full image is about 66MB, compared to 204MB for the official
+~grafana/grafana~ image.
+
+To use this with other modules than grafana, you will have to import
+them manually (and hope that these work). A list of all modules can be
+found in ~nixpkgs/nixos/modules/module-list.nix~.
+
+* Caveats
+Currently there is only support for:
+ - systemd.services
+ - users.users.<name>.home
+ - assertions
+
+Everything that cannot be reduced to just these will fail on build,
+and some of the things that do may still fail at runtime, since even
+the majority of these suboptions will be ignored / have different
+semantics than they usually do.
+
+* Still Todo:
+ - [ ] safe shutdown: currently, containers will have to be killed and
+   ignore ~docker stop~
+ - [ ] handle systemd tmpdirs
+ - [ ] make the images multi-layered: one layer for base packages, one
+   for config files (to avoid redefining the entire container for each
+   config change)
diff --git a/nix-modules/docker-nixos-modules.nix b/nix-modules/docker-nixos-modules.nix
new file mode 100644
index 0000000..47107a7
--- /dev/null
+++ b/nix-modules/docker-nixos-modules.nix
@@ -0,0 +1,90 @@
+{ nixpkgsPath ? <nixpkgs>
+, ociconfig
+, name
+, ...}:
+
+let
+  pkgs = import nixpkgsPath {};
+
+  dummyOption = with pkgs.lib; mkOption {
+    type = types.attrs;
+    default = {};
+  };
+
+  systemModule = { lib, config, ... }: {
+    options = {
+      toplevel = lib.mkOption {
+        type = lib.types.str;
+      };
+
+      systemd = with lib; {
+        services = dummyOption;
+        targets = dummyOption;
+        timers = dummyOption;
+      };
+
+      environment = dummyOption;
+      users.users = dummyOption;
+      users.groups = dummyOption;
+      meta = dummyOption;
+
+      networking.enableIPv6 = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+      };
+    };
+
+    config._module.args.pkgs = pkgs;
+  };
+
+  config = pkgs.lib.evalModules {
+    modules = [
+      systemModule
+      ociconfig
+      "${nixpkgsPath}/nixos/modules/misc/assertions.nix"
+    ];
+  };
+
+in pkgs.dockerTools.buildImage {
+  inherit name;
+
+  contents = pkgs.coreutils;
+
+  runAsRoot = (with pkgs.lib;
+    strings.concatStrings
+      (mapAttrsToList
+        (n: u: if u ? createHome && u.createHome then ("mkdir -p ${u.home}\n") else "")
+        config.config.users.users));
+
+  config = with pkgs.lib; {
+    Cmd = pkgs.writeShellScript "main-entrypoint"
+      (strings.concatStrings
+      (map (command: "${command}&")
+      (mapAttrsToList
+      (name: service:
+        (pkgs.writeShellScript
+          "systemd-script-${name}"
+          ''
+            #!${pkgs.dash.outPath}/bin/sh
+            set -ueo pipefail
+            ${if service ? preStart
+              then ''
+                echo ${escapeShellArg name}: running preStart script
+                ${service.preStart}
+              ''
+              else ""}
+            echo ${name}: starting ...
+            ${if service ? serviceConfig && service.serviceConfig ? WorkingDirectory
+              then "cd ${service.serviceConfig.WorkingDirectory}"
+              else ""}
+            ${if service ? environment
+              then (strings.concatStrings
+                    (mapAttrsToList
+                      (n: k: "export ${n}=${escapeShellArg k}\n")
+                        service.environment))
+                   + service.script
+              else ""}
+          '').outPath)
+        config.config.systemd.services)) + "\n wait");
+  };
+}
diff --git a/nix-modules/example.nix b/nix-modules/example.nix
new file mode 100644
index 0000000..2596df6
--- /dev/null
+++ b/nix-modules/example.nix
@@ -0,0 +1,22 @@
+{pkgs ? import <nixpkgs> {}, ...}:
+
+import ./docker-nixos-modules.nix {
+  name = "grafana";
+  nixpkgsPath = <nixpkgs>;
+
+  ociconfig = {pkgs, config, ...}: {
+
+    imports = [
+      <nixpkgs/nixos/modules/services/monitoring/grafana.nix>
+      <nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
+      <nixpkgs/nixos/modules/security/acme.nix>
+    ];
+
+    services.grafana = {
+      enable = true;
+      dataDir = "/data";
+      addr = "0.0.0.0";
+    };
+
+  };
+}