Merge pull request #26 from hercules-ci/images-with-dockertools
Images with dockertools
commit
15386e5145
11 changed files with 259 additions and 14 deletions
|
@ -20,7 +20,15 @@ let
|
||||||
} ''
|
} ''
|
||||||
export NIX_LOG_DIR=$PWD
|
export NIX_LOG_DIR=$PWD
|
||||||
export NIX_STATE_DIR=$PWD
|
export NIX_STATE_DIR=$PWD
|
||||||
nix-instantiate --option sandbox false --readonly-mode --eval --expr "$optionsExpr" --xml --strict >$out
|
nix-instantiate \
|
||||||
|
--option sandbox false \
|
||||||
|
--readonly-mode \
|
||||||
|
--eval \
|
||||||
|
--expr "$optionsExpr" \
|
||||||
|
--xml \
|
||||||
|
--strict \
|
||||||
|
--show-trace \
|
||||||
|
>$out
|
||||||
'';
|
'';
|
||||||
|
|
||||||
optionsDocBook = runCommand "options-db.xml" {} ''
|
optionsDocBook = runCommand "options-db.xml" {} ''
|
||||||
|
@ -61,7 +69,7 @@ let
|
||||||
declarations = map (d: "src/nix" + (lib.strings.removePrefix (toString ${src}) (toString d))) opt.declarations;
|
declarations = map (d: "src/nix" + (lib.strings.removePrefix (toString ${src}) (toString d))) opt.declarations;
|
||||||
};
|
};
|
||||||
inherit (pkgs) lib;
|
inherit (pkgs) lib;
|
||||||
composition = pkgs.callPackage ${src}/eval-service.nix {} { modules = []; host = {}; };
|
composition = pkgs.callPackage ${src}/eval-service.nix {} { modules = []; host = {}; name = abort "The manual's service options section must not depend on the service name."; };
|
||||||
in map fixPaths (lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList composition.options))
|
in map fixPaths (lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList composition.options))
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
28
src/arion
28
src/arion
|
@ -163,6 +163,32 @@ do_build() {
|
||||||
--show-trace \
|
--show-trace \
|
||||||
--attr 'config.build.dockerComposeYaml' \
|
--attr 'config.build.dockerComposeYaml' \
|
||||||
>/dev/null ;
|
>/dev/null ;
|
||||||
|
|
||||||
|
echo 1>&2 "Ensuring required images are loaded..."
|
||||||
|
jq -r <"$docker_compose_yaml" \
|
||||||
|
'.["x-arion"].images | map(" - " + .imageName + ":" + .imageTag) | join("\n")'
|
||||||
|
eval "$(
|
||||||
|
jq -r '.["docker-compose"]["x-arion"].images as $images
|
||||||
|
| .["existing-images"] as $loaded
|
||||||
|
| $images
|
||||||
|
| map(
|
||||||
|
if $loaded[.imageName + ":" + .imageTag]
|
||||||
|
then ""
|
||||||
|
else "docker load <" + .image + ";" end
|
||||||
|
)
|
||||||
|
| join("\n")
|
||||||
|
' <<EOF
|
||||||
|
{
|
||||||
|
"docker-compose": $(cat $docker_compose_yaml),
|
||||||
|
"existing-images": {
|
||||||
|
$(docker images \
|
||||||
|
--filter "dangling=false" \
|
||||||
|
--format '"{{.Repository}}:{{.Tag}}": true,')
|
||||||
|
"": false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -184,7 +210,7 @@ To get started:
|
||||||
To see deployment-wide configuration
|
To see deployment-wide configuration
|
||||||
type config. and hit TAB
|
type config. and hit TAB
|
||||||
To see the services
|
To see the services
|
||||||
type config.docker-compose.services TAB or ENTER
|
type config.docker-compose.evaluatedServices TAB or ENTER
|
||||||
To bring the top-level Nixpkgs attributes into scope
|
To bring the top-level Nixpkgs attributes into scope
|
||||||
type :a (config._module.args.pkgs) // { inherit config; }
|
type :a (config._module.args.pkgs) // { inherit config; }
|
||||||
|
|
||||||
|
|
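Review bot: The `docker load` commands that jq assembles at the end of do_build are passed to `eval` with `.image` spliced in unquoted, so the shell re-parses strings that originate in the compose YAML rather than in the script; today those are Nix store paths, but any value containing shell metacharacters would be executed instead of loaded. Having jq print one path per line and consuming them with `read -r` removes the eval entirely, and `$(cat $docker_compose_yaml)` inside the heredoc should quote the variable so a path with spaces keeps working. Whether a failed `docker load` stops the build depends on `set -e` being in effect, which is not visible in the hunk, so the loop below fails explicitly instead. do_build starts outside the hunk.
```shell
echo 1>&2 "Ensuring required images are loaded..."
# … unchanged: jq listing of the required images …
images_to_load="$(
  jq -r '.["docker-compose"]["x-arion"].images as $images
    | .["existing-images"] as $loaded
    | $images[]
    | select(($loaded[.imageName + ":" + .imageTag] // false) | not)
    | .image
  ' <<EOF
{
  "docker-compose": $(cat "$docker_compose_yaml"),
  "existing-images": {
    $(docker images \
        --filter "dangling=false" \
        --format '"{{.Repository}}:{{.Tag}}": true,')
    "": false
  }
}
EOF
)"
printf '%s\n' "$images_to_load" | while IFS= read -r image_path; do
  [ -n "$image_path" ] || continue
  docker load <"$image_path" || exit 1
done
```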
|
@ -20,6 +20,7 @@ let
|
||||||
argsModule
|
argsModule
|
||||||
./modules/composition/docker-compose.nix
|
./modules/composition/docker-compose.nix
|
||||||
./modules/composition/host-environment.nix
|
./modules/composition/host-environment.nix
|
||||||
|
./modules/composition/images.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
argsModule = {
|
argsModule = {
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
|
|
||||||
{ modules, host }:
|
{ modules, host, name }:
|
||||||
let
|
let
|
||||||
composite = lib.evalModules {
|
composite = lib.evalModules {
|
||||||
check = true;
|
check = true;
|
||||||
|
@ -12,6 +12,7 @@ let
|
||||||
./modules/service/docker-compose-service.nix
|
./modules/service/docker-compose-service.nix
|
||||||
./modules/service/host-store.nix
|
./modules/service/host-store.nix
|
||||||
./modules/service/host.nix
|
./modules/service/host.nix
|
||||||
|
./modules/service/image.nix
|
||||||
./modules/service/nixos.nix
|
./modules/service/nixos.nix
|
||||||
./modules/service/nixos-init.nix
|
./modules/service/nixos-init.nix
|
||||||
];
|
];
|
||||||
|
@ -21,6 +22,7 @@ let
|
||||||
key = ./docker-compose.nix;
|
key = ./docker-compose.nix;
|
||||||
config._module.args.pkgs = lib.mkForce pkgs;
|
config._module.args.pkgs = lib.mkForce pkgs;
|
||||||
config.host = host;
|
config.host = host;
|
||||||
|
config.service.name = name;
|
||||||
};
|
};
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
*/
|
*/
|
||||||
{ pkgs, lib, config, ... }:
|
{ pkgs, lib, config, ... }:
|
||||||
let
|
let
|
||||||
evalService = name: modules: (pkgs.callPackage ../../eval-service.nix {} { inherit modules; inherit (config) host; }).config.build.service;
|
evalService = name: modules: pkgs.callPackage ../../eval-service.nix {} { inherit name modules; inherit (config) host; };
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -33,14 +33,20 @@ in
|
||||||
type = with lib.types; attrsOf (coercedTo unspecified (a: [a]) (listOf unspecified));
|
type = with lib.types; attrsOf (coercedTo unspecified (a: [a]) (listOf unspecified));
|
||||||
description = "A attribute set of service configurations. A service specifies how to run an image. Each of these service configurations is specified using modules whose options are described in the Service Options section.";
|
description = "A attribute set of service configurations. A service specifies how to run an image. Each of these service configurations is specified using modules whose options are described in the Service Options section.";
|
||||||
};
|
};
|
||||||
|
docker-compose.evaluatedServices = lib.mkOption {
|
||||||
|
type = lib.types.attrsOf lib.types.attrs;
|
||||||
|
description = "Attribute set of evaluated service configurations.";
|
||||||
|
readOnly = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
config = {
|
config = {
|
||||||
build.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.build.dockerComposeYamlText;
|
build.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.build.dockerComposeYamlText;
|
||||||
build.dockerComposeYamlText = builtins.toJSON (config.docker-compose.raw);
|
build.dockerComposeYamlText = builtins.toJSON (config.docker-compose.raw);
|
||||||
|
|
||||||
|
docker-compose.evaluatedServices = lib.mapAttrs evalService config.docker-compose.services;
|
||||||
docker-compose.raw = {
|
docker-compose.raw = {
|
||||||
version = "3";
|
version = "3.4";
|
||||||
services = lib.mapAttrs evalService config.docker-compose.services;
|
services = lib.mapAttrs (k: c: c.config.build.service) config.docker-compose.evaluatedServices;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
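Review bot: `version = "3.4";` in docker-compose.raw is bumped with no comment saying why, and a reader of this file alone cannot see the reason: the top-level `x-arion` extension field that images.nix adds to docker-compose.raw requires compose file format 3.4 or later. Suggest `version = "3.4"; # 3.4+ is needed for the top-level x-arion extension field (see modules/composition/images.nix)`. The new `docker-compose.evaluatedServices` description could also say what each value is; judging by the `c.config.build.service` projection below it appears to be the full module-evaluation result rather than just the service attrset, which is worth stating since the option is `readOnly` and meant for other modules to consume.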
36
src/nix/modules/composition/images.nix
Normal file
36
src/nix/modules/composition/images.nix
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
{ pkgs, lib, config, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib.types) listOf package unspecified;
|
||||||
|
|
||||||
|
serviceImages =
|
||||||
|
lib.mapAttrs addDetails (
|
||||||
|
lib.filterAttrs filterFunction config.docker-compose.evaluatedServices
|
||||||
|
);
|
||||||
|
|
||||||
|
filterFunction = _serviceName: service:
|
||||||
|
service.config.image.nixBuild;
|
||||||
|
|
||||||
|
addDetails = _serviceName: service:
|
||||||
|
let
|
||||||
|
inherit (service.config) build;
|
||||||
|
in {
|
||||||
|
image = build.image.outPath;
|
||||||
|
imageName = build.imageName or service.image.name;
|
||||||
|
imageTag =
|
||||||
|
if build.image.imageTag != ""
|
||||||
|
then build.image.imageTag
|
||||||
|
else lib.head (lib.strings.splitString "-" (baseNameOf build.image.outPath));
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
build.imagesToLoad = lib.mkOption {
|
||||||
|
type = listOf unspecified;
|
||||||
|
description = "List of dockerTools image derivations.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = {
|
||||||
|
build.imagesToLoad = lib.attrValues serviceImages;
|
||||||
|
docker-compose.raw.x-arion.images = config.build.imagesToLoad;
|
||||||
|
};
|
||||||
|
}
|
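Review bot: `imageName = build.imageName or service.image.name;` falls back to a path that does not exist on the evaluated service: the rest of this file reads the service's options through `service.config` (see `filterFunction`), so if `build.imageName` were ever missing the fallback would fail with an attribute error instead of recovering. Since image.nix in this same PR always defines both `build.imageName` and `build.imageTag`, the fallback and the duplicated tag derivation can go: `imageName = build.imageName;` and `imageTag = build.imageTag;`, keeping one source of truth for the tag. The description of `build.imagesToLoad` says "List of dockerTools image derivations", but the values are the `{ image, imageName, imageTag }` sets built by `addDetails`; `description = "List of { image, imageName, imageTag } attribute sets, one per service image built by Nix.";` matches the code. `package` in the `inherit (lib.types)` line is unused.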
|
@ -19,6 +19,6 @@
|
||||||
systemd.services.systemd-logind.enable = false;
|
systemd.services.systemd-logind.enable = false;
|
||||||
systemd.services.console-getty.enable = false;
|
systemd.services.console-getty.enable = false;
|
||||||
|
|
||||||
systemd.sockets.nix-daemon.enable = false;
|
systemd.sockets.nix-daemon.enable = lib.mkDefault false;
|
||||||
systemd.services.nix-daemon.enable = false;
|
systemd.services.nix-daemon.enable = lib.mkDefault false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,13 +10,19 @@ let
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
inherit (types) listOf nullOr attrsOf str either int bool;
|
inherit (types) listOf nullOr attrsOf str either int bool;
|
||||||
|
|
||||||
|
link = url: text:
|
||||||
|
''<link xlink:href="${url}">${text}</link>'';
|
||||||
dockerComposeRef = fragment:
|
dockerComposeRef = fragment:
|
||||||
''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
|
''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
|
||||||
dockerComposeKitchenSink = ''
|
dockerComposeKitchenSink = ''
|
||||||
Analogous to the <code>docker run</code> counterpart.
|
Analogous to the <code>docker run</code> counterpart.
|
||||||
|
|
||||||
${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
|
${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
|
||||||
|
cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
|
@ -33,6 +39,14 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
service.name = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = ''
|
||||||
|
The name of the service - <code><name></code> in the composition-level <code>docker-compose.services.<name></code>
|
||||||
|
'';
|
||||||
|
readOnly = true;
|
||||||
|
};
|
||||||
|
|
||||||
service.volumes = mkOption {
|
service.volumes = mkOption {
|
||||||
type = listOf types.unspecified;
|
type = listOf types.unspecified;
|
||||||
default = [];
|
default = [];
|
||||||
|
@ -81,6 +95,16 @@ in
|
||||||
default = [];
|
default = [];
|
||||||
description = dockerComposeRef "depends_on";
|
description = dockerComposeRef "depends_on";
|
||||||
};
|
};
|
||||||
|
service.devices = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
default = [];
|
||||||
|
description = ''
|
||||||
|
See ${link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
|
||||||
|
"<code>docker run --device</code> documentation"}
|
||||||
|
|
||||||
|
${dockerComposeRef "devices"}
|
||||||
|
'';
|
||||||
|
};
|
||||||
service.links = mkOption {
|
service.links = mkOption {
|
||||||
type = listOf str;
|
type = listOf str;
|
||||||
default = [];
|
default = [];
|
||||||
|
@ -145,6 +169,24 @@ in
|
||||||
default = null;
|
default = null;
|
||||||
description = dockerComposeRef "stop_signal";
|
description = dockerComposeRef "stop_signal";
|
||||||
};
|
};
|
||||||
|
service.capabilities = mkOption {
|
||||||
|
type = attrsOf (nullOr bool);
|
||||||
|
default = {};
|
||||||
|
example = { ALL = true; SYS_ADMIN = false; NET_ADMIN = false; };
|
||||||
|
description = ''
|
||||||
|
Enable/disable linux capabilities, or pick Docker's default.
|
||||||
|
|
||||||
|
Setting a capability to <code>true</code> means that it will be
|
||||||
|
"added". Setting it to <code>false</code> means that it will be "dropped".
|
||||||
|
${dockerComposeRef "cap_add-cap_drop"}
|
||||||
|
|
||||||
|
Omitted and <code>null</code> capabilities will therefore be set
|
||||||
|
according to Docker's ${
|
||||||
|
link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
|
||||||
|
"default list of capabilities."
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config.build.service = {
|
config.build.service = {
|
||||||
|
@ -155,10 +197,16 @@ in
|
||||||
;
|
;
|
||||||
} // lib.optionalAttrs (config.service.build.context != null) {
|
} // lib.optionalAttrs (config.service.build.context != null) {
|
||||||
inherit (config.service) build;
|
inherit (config.service) build;
|
||||||
|
} // lib.optionalAttrs (cap_add != []) {
|
||||||
|
inherit cap_add;
|
||||||
|
} // lib.optionalAttrs (cap_drop != []) {
|
||||||
|
inherit cap_drop;
|
||||||
} // lib.optionalAttrs (config.service.command != null) {
|
} // lib.optionalAttrs (config.service.command != null) {
|
||||||
inherit (config.service) command;
|
inherit (config.service) command;
|
||||||
} // lib.optionalAttrs (config.service.depends_on != []) {
|
} // lib.optionalAttrs (config.service.depends_on != []) {
|
||||||
inherit (config.service) depends_on;
|
inherit (config.service) depends_on;
|
||||||
|
} // lib.optionalAttrs (config.service.devices != []) {
|
||||||
|
inherit (config.service) devices;
|
||||||
} // lib.optionalAttrs (config.service.entrypoint != null) {
|
} // lib.optionalAttrs (config.service.entrypoint != null) {
|
||||||
inherit (config.service) entrypoint;
|
inherit (config.service) entrypoint;
|
||||||
} // lib.optionalAttrs (config.service.env_file != []) {
|
} // lib.optionalAttrs (config.service.env_file != []) {
|
||||||
|
|
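Review bot: The `service.name` description contains a literal `<name>` inside `<code>`, which is not well-formed XML; the option descriptions in this file are rendered into the DocBook options manual (the first hunk of this PR builds options-db.xml from them), so this is likely to break or mis-render the manual. Escape it in both places: `The name of the service - <code>&lt;name&gt;</code> in the composition-level <code>docker-compose.services.&lt;name&gt;</code>`. For `service.capabilities`, the example `{ ALL = true; SYS_ADMIN = false; NET_ADMIN = false; }` adds every capability and then drops two; a sentence in the description noting that `ALL = true` is the "everything except" form and that Docker's default set is the safer starting point would stop the example being copied as a template. The `cap_add`/`cap_drop` computation uses `== true`/`== false`, so `null` correctly falls through to Docker's defaults as the description promises.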
|
@ -8,6 +8,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) mkOption types mkIf;
|
inherit (lib) mkOption types mkIf;
|
||||||
|
escape = s: lib.replaceStrings ["$"] ["$$"] s;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
|
@ -23,11 +24,13 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = mkIf config.service.useHostStore {
|
config = mkIf config.service.useHostStore {
|
||||||
|
image.nixBuild = false; # no need to build and load
|
||||||
service.image = "arion-base";
|
service.image = "arion-base";
|
||||||
service.build.context = "${../../../arion-image}";
|
service.build.context = "${../../../arion-image}";
|
||||||
service.volumes = [
|
service.volumes = [
|
||||||
"${config.host.nixStorePrefix}/nix/store:/nix/store"
|
"${config.host.nixStorePrefix}/nix/store:/nix/store"
|
||||||
"${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
|
"${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
|
||||||
] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
|
] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
|
||||||
|
service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or []));
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
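Review bot: `escape = s: lib.replaceStrings ["$"] ["$$"] s;` has no comment explaining the doubled dollar, and the reason is not visible from this file: docker-compose performs `$VAR` substitution on values in the compose file and `$$` is its escape for a literal `$`, so a `Cmd` copied into `service.command` would otherwise be interpolated at `docker-compose up` time. Suggest `# docker-compose substitutes $VAR in compose values; "$$" is its escape for a literal "$".` above the definition. It would also help to say next to the new `service.command` default that in host-store mode the image's `Cmd` is passed as the compose `command` rather than baked into a Nix-built image (this is what `image.nixBuild = false` above appears to imply), since the two settings only make sense together.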
115
src/nix/modules/service/image.nix
Normal file
115
src/nix/modules/service/image.nix
Normal file
|
@ -0,0 +1,115 @@
|
||||||
|
{ pkgs, lib, config, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) types mkOption;
|
||||||
|
inherit (types) attrsOf listOf nullOr package str unspecified bool;
|
||||||
|
|
||||||
|
# TODO: dummy-config is a useless layer. Nix 2.3 will let us inspect
|
||||||
|
# the string context instead, so we can avoid this.
|
||||||
|
contentsList = config.image.contents ++ [
|
||||||
|
(pkgs.writeText "dummy-config.json" (builtins.toJSON config.image.rawConfig))
|
||||||
|
];
|
||||||
|
|
||||||
|
builtImage = pkgs.dockerTools.buildLayeredImage {
|
||||||
|
inherit (config.image)
|
||||||
|
name
|
||||||
|
contents
|
||||||
|
;
|
||||||
|
config = config.image.rawConfig;
|
||||||
|
maxLayers = 100;
|
||||||
|
|
||||||
|
# TODO: allow use of image's Nix package instead
|
||||||
|
# TODO: option to disable db generation
|
||||||
|
extraCommands = ''
|
||||||
|
echo "Generating the nix database..."
|
||||||
|
echo "Warning: only the database of the deepest Nix layer is loaded."
|
||||||
|
echo " If you want to use nix commands in the container, it would"
|
||||||
|
echo " be better to only have one layer that contains a nix store."
|
||||||
|
export NIX_REMOTE=local?root=$PWD
|
||||||
|
${pkgs.nix}/bin/nix-store --load-db < ${pkgs.closureInfo {rootPaths = contentsList;}}/registration
|
||||||
|
mkdir -p nix/var/nix/gcroots/docker/
|
||||||
|
for i in ${lib.concatStringsSep " " contentsList}; do
|
||||||
|
ln -s $i nix/var/nix/gcroots/docker/$(basename $i)
|
||||||
|
done;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
build.image = mkOption {
|
||||||
|
type = nullOr package;
|
||||||
|
description = ''
|
||||||
|
Docker image derivation to be <code>docker load</code>ed.
|
||||||
|
'';
|
||||||
|
internal = true;
|
||||||
|
};
|
||||||
|
build.imageName = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Derived from build.image";
|
||||||
|
internal = true;
|
||||||
|
};
|
||||||
|
build.imageTag = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "Derived from build.image";
|
||||||
|
internal = true;
|
||||||
|
};
|
||||||
|
image.nixBuild = mkOption {
|
||||||
|
type = bool;
|
||||||
|
description = ''
|
||||||
|
Whether to build this image with Nixpkgs'
|
||||||
|
<code>dockerTools.buildLayeredImage</code>
|
||||||
|
and then load it with <code>docker load</code>.
|
||||||
|
'';
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
image.name = mkOption {
|
||||||
|
type = str;
|
||||||
|
default = config.service.name;
|
||||||
|
defaultText = lib.literalExample "config.service.name";
|
||||||
|
description = ''
|
||||||
|
A human readable name for the docker image.
|
||||||
|
|
||||||
|
Shows up in the <code>docker ps</code> output in the
|
||||||
|
<code>IMAGE</code> column, among other places.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
image.contents = mkOption {
|
||||||
|
type = listOf package;
|
||||||
|
default = [];
|
||||||
|
description = ''
|
||||||
|
Top level paths in the container.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
image.rawConfig = mkOption {
|
||||||
|
type = attrsOf unspecified;
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
This is a low-level fallback for when a container option has not
|
||||||
|
been modeled in the Arion module system.
|
||||||
|
|
||||||
|
This attribute set does not have an appropriate merge function.
|
||||||
|
Please use the specific <code>image</code> options instead.
|
||||||
|
|
||||||
|
Run-time configuration of the container. A full list of the
|
||||||
|
options are available at in the <link xlink:href="https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions">Docker Image Specification
|
||||||
|
v1.2.0</link>.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
image.command = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
default = [];
|
||||||
|
description = ''
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = {
|
||||||
|
build.image = builtImage;
|
||||||
|
build.imageName = config.build.image.imageName;
|
||||||
|
build.imageTag =
|
||||||
|
if config.build.image.imageTag != ""
|
||||||
|
then config.build.image.imageTag
|
||||||
|
else lib.head (lib.strings.splitString "-" (baseNameOf config.build.image.outPath));
|
||||||
|
|
||||||
|
service.image = lib.mkDefault "${config.build.imageName}:${config.build.imageTag}";
|
||||||
|
image.rawConfig.Cmd = config.image.command;
|
||||||
|
};
|
||||||
|
}
|
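Review bot: `image.command` is declared with an empty `description`, so it will show up in the generated options manual with no text; the config block at the bottom wires it to `image.rawConfig.Cmd`, so `description = "Command to run in the container; becomes the image's <code>Cmd</code>.";` is grounded in this file. `maxLayers = 100;` in the `buildLayeredImage` call is a bare number with no rationale; a comment saying why 100 was chosen (a Docker layer-depth limit, or simply the value the author found workable) would keep it from being tuned blindly. `image.name` defaults to `config.service.name`, and Docker repository names have stricter rules than compose service names (lowercase in particular), so the `defaultText`/description could warn that a service name that is not a valid repository name needs an explicit `image.name` — worth confirming against how `buildLayeredImage` handles the name.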
|
@ -23,15 +23,15 @@ in
|
||||||
../nixos/container-systemd.nix
|
../nixos/container-systemd.nix
|
||||||
(pkgs.path + "/nixos/modules/profiles/minimal.nix")
|
(pkgs.path + "/nixos/modules/profiles/minimal.nix")
|
||||||
];
|
];
|
||||||
service.command = [ "${config.nixos.build.toplevel}/init" ];
|
image.command = [ "${config.nixos.build.toplevel}/init" ];
|
||||||
service.environment.container = "docker";
|
service.environment.container = "docker";
|
||||||
service.volumes = [
|
service.volumes = [
|
||||||
"/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
"/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
];
|
];
|
||||||
service.tmpfs = [
|
service.tmpfs = [
|
||||||
"/tmp"
|
"/tmp:exec,mode=777"
|
||||||
"/run"
|
"/run" # noexec is fine because exes should be symlinked from elsewhere anyway
|
||||||
"/run/wrappers"
|
"/run/wrappers" # noexec breaks this intentionally
|
||||||
];
|
];
|
||||||
service.stop_signal = "SIGRTMIN+3";
|
service.stop_signal = "SIGRTMIN+3";
|
||||||
service.tty = true;
|
service.tty = true;
|
||||||
|
|
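Review bot: `"/tmp:exec,mode=777"` mounts the container's /tmp world-writable without the sticky bit, so any user inside the container can delete or rename files that other users put there; a normal /tmp is 1777. Use `"/tmp:exec,mode=1777"` so the tmpfs carries the sticky bit as well. The `exec` flag on /tmp also has no comment, unlike the two entries below it; if it is required by the NixOS init or activation path, a short comment saying so would keep it from being "fixed" later. The enclosing module starts outside the hunk.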