diff options
Diffstat (limited to '')
-rw-r--r-- | nix-modules/.gitignore | 1 | ||||
-rw-r--r-- | nix-modules/Readme.org | 57 | ||||
-rw-r--r-- | nix-modules/docker-nixos-modules.nix | 90 | ||||
-rw-r--r-- | nix-modules/example.nix | 22 |
4 files changed, 170 insertions, 0 deletions
diff --git a/nix-modules/.gitignore b/nix-modules/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix-modules/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix-modules/Readme.org b/nix-modules/Readme.org new file mode 100644 index 0000000..eb314e2 --- /dev/null +++ b/nix-modules/Readme.org @@ -0,0 +1,57 @@ +#+TITLE: NixOS modules in OCI container + +* Idea +Nix makes it easy to build small oci containers (docker/podman) using +its package set, which will contain nothing that isn't absolutely +necessary. + +However, this only applies to packages, not the NixOS module system +that is usually used to generate config files from the Nix language, +which are then wrapped into systemd module files. Unfortunately, +systemd cannot run in docker (and would present a lot of unnecessary +overhead). + +This is an experiment at redefining the NixOS module responsible for +generating the systemd unit files to generate simple shell scripts +that can serve as an entrypoint for the OCI containers instead that +run the same services as they would on NixOS. + +* Running +There's an example running a grafana server in ~example.nix~. Build +it with: + +#+begin_src sh +docker load < $(nix-build example.nix) +#+end_src + +Then run the image name that docker prints out: + +#+begin_src sh +docker run -p 3000:3000 -t grafana:ib6aahrmhqbzk444b8nq384zrg86fzdm +#+end_src + +The full image is about 66MB, compared to 204MB for the official +~grafana/grafana~ image. + +To use this with other modules than grafana, you will have to import +them manually (and hope that these work). A list of all modules can be +found in ~nixpkgs/nixos/modules/module-list.nix~. + +* Caveats +Currently there is only support for: + - systemd.services + - users.users.<name>.home + - assertions + +Everything that cannot be reduced to just these will fail on build, +and some of the things that do may still fail at runtime, since even +the majority of these suboptions will be ignored / have different +semantics than they usually do. + +* Still Todo: + - [ ] safe shutdown: currently, containers will have to be killed and + ignore ~docker stop~ + - [ ] handle systemd tmpdirs + - [ ] make the images multi-layered: one layer for base packages, one + for config files (to avoid redefining the entire container for each + config change) diff --git a/nix-modules/docker-nixos-modules.nix b/nix-modules/docker-nixos-modules.nix new file mode 100644 index 0000000..47107a7 --- /dev/null +++ b/nix-modules/docker-nixos-modules.nix @@ -0,0 +1,90 @@ +{ nixpkgsPath ? <nixpkgs> +, ociconfig +, name +, ...}: + +let + pkgs = import nixpkgsPath {}; + + dummyOption = with pkgs.lib; mkOption { + type = types.attrs; + default = {}; + }; + + systemModule = { lib, config, ... }: { + options = { + toplevel = lib.mkOption { + type = lib.types.str; + }; + + systemd = with lib; { + services = dummyOption; + targets = dummyOption; + timers = dummyOption; + }; + + environment = dummyOption; + users.users = dummyOption; + users.groups = dummyOption; + meta = dummyOption; + + networking.enableIPv6 = lib.mkOption { + type = lib.types.bool; + default = false; + }; + }; + + config._module.args.pkgs = pkgs; + }; + + config = pkgs.lib.evalModules { + modules = [ + systemModule + ociconfig + "${nixpkgsPath}/nixos/modules/misc/assertions.nix" + ]; + }; + +in pkgs.dockerTools.buildImage { + inherit name; + + contents = pkgs.coreutils; + + runAsRoot = (with pkgs.lib; + strings.concatStrings + (mapAttrsToList + (n: u: if u ? createHome && u.createHome then ("mkdir -p ${u.home}\n") else "") + config.config.users.users)); + + config = with pkgs.lib; { + Cmd = pkgs.writeShellScript "main-entrypoint" + (strings.concatStrings + (map (command: "${command}&") + (mapAttrsToList + (name: service: + (pkgs.writeShellScript + "systemd-script-${name}" + '' + #!${pkgs.dash.outPath}/bin/sh + set -ueo pipefail + ${if service ? preStart + then '' + echo ${escapeShellArg name}: running preStart script + ${service.preStart} + '' + else ""} + echo ${name}: starting ... + ${if service ? serviceConfig && service.serviceConfig ? WorkingDirectory + then "cd ${service.serviceConfig.WorkingDirectory}" + else ""} + ${if service ? environment + then (strings.concatStrings + (mapAttrsToList + (n: k: "export ${n}=${escapeShellArg k}\n") + service.environment)) + + service.script + else ""} + '').outPath) + config.config.systemd.services)) + "\n wait"); + }; +} diff --git a/nix-modules/example.nix b/nix-modules/example.nix new file mode 100644 index 0000000..2596df6 --- /dev/null +++ b/nix-modules/example.nix @@ -0,0 +1,22 @@ +{pkgs ? import <nixpkgs> {}, ...}: + +import ./docker-nixos-modules.nix { + name = "grafana"; + nixpkgsPath = <nixpkgs>; + + ociconfig = {pkgs, config, ...}: { + + imports = [ + <nixpkgs/nixos/modules/services/monitoring/grafana.nix> + <nixpkgs/nixos/modules/services/web-servers/nginx/default.nix> + <nixpkgs/nixos/modules/security/acme.nix> + ]; + + services.grafana = { + enable = true; + dataDir = "/data"; + addr = "0.0.0.0"; + }; + + }; +} |