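{ lib, pkgs, config, ... }:
# NixOS guest configuration for OpenVZ containers (as provisioned through
# SolusVM and similar panels). Everything below exists to satisfy the host's
# expectations of a conventional Linux guest while keeping NixOS in charge.
let
  # With most out-of-box templates, OpenVZ automatically runs a set of bash
  # scripts in the guest container every boot to customize the system (setting
  # hostname, IP addresses, etc.). We can't run them in NixOS, but they have to
  # be successfully executed for the container to boot :(
  #
  # Here we use an ugly hack to silently ignore the scripts: while PID 1 is
  # vzctl (the host is still running its provisioning scripts, before our own
  # init has taken over) the wrapper exits 0 without running anything.
  # Note that `vzctl enter` as well as the "Serial Console" feature in SolusVM
  # also hard-depend on /bin/bash, so once the system is up the wrapper must
  # behave exactly like bash.
  #
  # Security/ops caveat: whatever the host pushes through those scripts
  # (hostname, addresses, and anything else the provider configures that way)
  # is dropped without any error reaching the host; the NixOS configuration
  # has to provide those settings itself. The check is a plain substring match
  # on PID 1's command line, which is acceptable because PID 1 is trusted.
  binBashWrapper = pkgs.writeShellScript "bash" ''
    # /proc/1/cmdline is NUL-separated; strip the NULs before matching. If
    # /proc is not mounted the substitution is empty and we fall through to
    # the real bash.
    if [[ "$(${pkgs.coreutils}/bin/tr -d '\0' </proc/1/cmdline)" == *"vzctl"* ]]; then
      # PID 1 is vzctl - Refuse to run OpenVZ provider script
      exit 0
    fi
    # `-a "$0"` hands bash the argv[0] the caller used (e.g. a leading "-" for
    # login-shell invocations) instead of the store path of the wrapper.
    exec -a "$0" ${pkgs.bashInteractive}/bin/bash "$@"
  '';
in {
  boot.isContainer = true;
  # Provide the /sbin/init entry point that OpenVZ execs to start the guest.
  boot.loader.initScript.enable = true;
  # NOTE(review): NixOS mounts /run/keys as ramfs by default because ramfs
  # pages are never written to swap; tmpfs pages can be. This is presumably
  # forced because the OpenVZ kernel does not offer ramfs (confirm). Treat key
  # material placed under /run/keys as potentially swappable on these hosts.
  boot.specialFileSystems."/run/keys".fsType = lib.mkForce "tmpfs";
  boot.postBootCommands = ''
    # After booting, register the contents of the Nix store in the Nix
    # database. The registration file is removed only once the import
    # succeeded, so a failed attempt is retried on the next boot.
    if [ -f /nix-path-registration ]; then
      ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
      rm /nix-path-registration
    fi
    # nixos-rebuild also requires a "system" profile
    if [ ! -e /nix/var/nix/profiles/system ]; then
      ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
    fi
    # Create /dev/net/tun. It is done automatically in most cases, but for some
    # hosts it's not there. Only create it when missing: mknod on an existing
    # node fails with EEXIST, which previously produced an error on every boot
    # on hosts that already provide the device.
    mkdir -p /dev/net
    if [ ! -e /dev/net/tun ]; then
      mknod /dev/net/tun c 10 200
    fi
  '';
  # Relax per-service sandboxing that relies on read-only views of /proc, /sys
  # and the cgroup tree. The reason is not recorded here; presumably the
  # OpenVZ kernel refuses those mounts inside a container (confirm).
  #
  # NOTE(review): systemd.extraConfig is appended to system.conf, whose
  # documented section is [Manager]; confirm that a [Service] section placed
  # there is honoured by the systemd version in use. If it is ignored these
  # lines are inert; if it is honoured they weaken the sandbox of every
  # service, so per-unit serviceConfig overrides would be the narrower choice.
  systemd.extraConfig = ''
    [Service]
    ProtectProc=default
    ProtectControlGroups=no
    ProtectKernelTunables=no
  '';
  # systemd-udev-trigger.service is suppressed when boot.isContainer is true.
  # This is required for networkd to work properly.
  #
  # We manually create an identical unit under a different name to avoid
  # conflict.
  systemd.services.systemd-udev-trigger-ovz = {
    description = "Coldplug All udev Devices";
    after = [ "systemd-udevd-kernel.socket" "systemd-udevd-control.socket" ];
    wants = [ "systemd-udevd.service" ];
    wantedBy = [ "sysinit.target" ];
    unitConfig = {
      # Early-boot unit: do not pull in the implicit basic.target ordering.
      DefaultDependencies = "no";
    };
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = "yes";
      # The leading "-" tells systemd to ignore a non-zero exit, as in the
      # suppressed unit this one copies. udevadm is referenced by store path
      # so the unit does not depend on whatever PATH it happens to receive.
      ExecStart = [
        "-${config.systemd.package}/bin/udevadm trigger --type=subsystems --action=add"
        "-${config.systemd.package}/bin/udevadm trigger --type=devices --action=add"
      ];
    };
  };
  # Do not adopt the host-provided resolv.conf; resolver settings come from
  # the NixOS configuration.
  networking.useHostResolvConf = false;
  # Default (overridable) firewall backend. Presumably chosen because the
  # nftables backend is unavailable on OpenVZ kernels - confirm per host.
  networking.firewall.package = lib.mkDefault pkgs.iptables-legacy;
  # Exposed so other modules and tests can reference the wrapper derivation.
  system.build.binBashWrapper = binBashWrapper;
  # Runs as root on every activation (boot and nixos-rebuild).
  system.activationScripts.injectOpenVzScripts = ''
    mkdir -p /sbin
    # Seed /sbin/init only when nothing is there yet (first boot of a fresh
    # image); boot.loader.initScript, enabled above, is expected to manage it
    # on subsequent rebuilds.
    if [ ! -f /sbin/init ]; then
      ln -sf $systemConfig/init /sbin/init
    fi
    # Presumably invoked by the host's provisioning scripts - confirm.
    ln -sf ${pkgs.quota}/bin/quotaon /sbin/quotaon
    # Replace /bin/bash with the wrapper that swallows the provider scripts.
    ln -sf ${binBashWrapper} /bin/bash
    # Sysvinit-era flag asking init to skip filesystem checks; harmless in a
    # container that has no block devices to check.
    touch /fastboot
  '';
}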