shared-public-infra/modules/bagel-container.nix

# Stateful/mutable container used for Bagel (tm) related infra (mostly
# rebuilding nixpkgs a lot).
#
# System image is stored at /var/lib/machines/bagel.
{
  systemd.nspawn.bagel = {
    execConfig = {
      Boot = true;
      Ephemeral = false;
      PrivateUsers = true;
      NotifyReady = true;
      LinkJournal = "try-guest";
    };

    networkConfig = {
      Bridge = "wan-br";
      VirtualEthernetExtra = "vb-bagel-v4:host1";
    };
  };

  systemd.services."systemd-nspawn@bagel" = {
    wantedBy = [ "machines.target" ];
    wants = [ "network.target" ];
    after = [ "network.target" ];
    overrideStrategy = "asDropin";
  };

  systemd.network.networks."20-vb-bagel-v4" = {
    matchConfig.Name = "vb-bagel-v4";
    networkConfig.Address = [ "172.16.100.1/24" ];
    networkConfig.IPMasquerade = true;
  };

  # Configure a local Nix builder account, since getting sandboxing and KVM
  # working inside the container will be tricky.
  users.users.bagel-builder = {
    isSystemUser = true;
    group = "nogroup";
    home = "/var/empty";
    shell = "/bin/sh";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"
    ];
  };
  nix.settings.trusted-users = [ "bagel-builder" ];
}
modules: add bagel-container 2024-06-23 12:13:53 +00:00			`# Stateful/mutable container used for Bagel (tm) related infra (mostly`
			`# rebuilding nixpkgs a lot).`
			`#`
			`# System image is stored at /var/lib/machines/bagel.`
			`{`
			`systemd.nspawn.bagel = {`
			`execConfig = {`
			`Boot = true;`
			`Ephemeral = false;`
			`PrivateUsers = true;`
			`NotifyReady = true;`
			`LinkJournal = "try-guest";`
			`};`

			`networkConfig = {`
			`Bridge = "wan-br";`
bagel-container: provide IPv4 NAT for outbound access 2024-06-23 18:24:46 +00:00			`VirtualEthernetExtra = "vb-bagel-v4:host1";`
modules: add bagel-container 2024-06-23 12:13:53 +00:00			`};`
			`};`

			`systemd.services."systemd-nspawn@bagel" = {`
			`wantedBy = [ "machines.target" ];`
			`wants = [ "network.target" ];`
			`after = [ "network.target" ];`
			`overrideStrategy = "asDropin";`
			`};`
bagel-container: provide IPv4 NAT for outbound access 2024-06-23 18:24:46 +00:00
			`systemd.network.networks."20-vb-bagel-v4" = {`
			`matchConfig.Name = "vb-bagel-v4";`
			`networkConfig.Address = [ "172.16.100.1/24" ];`
			`networkConfig.IPMasquerade = true;`
			`};`
bagel-container: provision a user with Nix store perms for remote builds 2024-06-24 18:54:42 +00:00
			`# Configure a local Nix builder account, since getting sandboxing and KVM`
			`# working inside the container will be tricky.`
			`users.users.bagel-builder = {`
			`isSystemUser = true;`
			`group = "nogroup";`
			`home = "/var/empty";`
			`shell = "/bin/sh";`
			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvUT9YBig9LQPHgypIBHQuC32XqDKxlFZ2CfgDi0ZKx"`
			`];`
			`};`
			`nix.settings.trusted-users = [ "bagel-builder" ];`
modules: add bagel-container 2024-06-23 12:13:53 +00:00			`}`