From 533691247de217854f72179742fd89e0307f6663 Mon Sep 17 00:00:00 2001 From: materus Date: Tue, 15 Oct 2024 23:45:46 +0200 Subject: [PATCH] materusPC: init archlinux nspawn container --- .../host/materusPC/containers/arch.nix | 98 +++++++++++++++++++ .../host/materusPC/containers/default.nix | 3 + 2 files changed, 101 insertions(+) create mode 100644 configurations/host/materusPC/containers/arch.nix diff --git a/configurations/host/materusPC/containers/arch.nix b/configurations/host/materusPC/containers/arch.nix new file mode 100644 index 0000000..c18c770 --- /dev/null +++ b/configurations/host/materusPC/containers/arch.nix @@ -0,0 +1,98 @@ +{ config, pkgs, lib, ... }: +let + mainMirror = "https://ftp.icm.edu.pl/pub/Linux/dist/archlinux"; + extraMirrors = [ ]; + getty = [ 5 6 ]; + ttys = [ 5 6 7 8 ] ++ getty; + + startPkgs = lib.strings.concatStringsSep " " [ "base" "base-devel" "dbus" "less" "nano" "bash-completion" ]; + scripts = { + preStart = pkgs.writeShellScript "arch-pre-start" '' + if [ ! -d "/var/lib/machines/archlinux" ]; then + export PATH=''${PATH:+''${PATH}:}${lib.strings.makeBinPath (with pkgs; [ wget coreutils-full gnutar zstd ]) } + + ARCH_IMAGE=$(mktemp) + trap 'rm $ARCH_IMAGE' EXIT + + wget "${mainMirror}/iso/latest/archlinux-bootstrap-x86_64.tar.zst" -O $ARCH_IMAGE + mkdir -p /var/lib/machines/archlinux + trap 'rm -rf /var/lib/machines/archlinux' ERR + + tar -xaf $ARCH_IMAGE -C "/var/lib/machines/archlinux" --strip-components=1 --numeric-owner + printf 'Server = %s/$repo/os/$arch\n' "${mainMirror}" > /var/lib/machines/archlinux/etc/pacman.d/mirrorlist + rm "/var/lib/machines/archlinux/etc/resolv.conf" + + [ -f "/var/lib/machines/archlinux/etc/securetty" ] && \ + printf 'pts/%d\n' $(seq 0 10) >>"/var/lib/machines/archlinux/etc/securetty" + + systemd-machine-id-setup --root="/var/lib/machines/archlinux" + systemd-nspawn -q --settings=false --system-call-filter=@sandbox -D "/var/lib/machines/archlinux" /bin/sh -c " + export PATH=/bin + pacman-key --init && pacman-key --populate + pacman -Rs --noconfirm arch-install-scripts + pacman -Sy --noconfirm --needed ${startPkgs} + pacman -Syu --noconfirm + + systemctl disable getty@tty1.service + ${lib.strings.concatStringsSep "\n" (lib.lists.forEach getty (x: "systemctl enable getty@tty${builtins.toString x}.service"))} + + + " + fi + ''; + }; +in +{ + systemd.nspawn."archlinux" = { + enable = true; + execConfig = { + Boot = true; + SystemCallFilter = [ "@known" ]; + Timezone = "bind"; + Capability = "all"; + PrivateUsers="no"; + }; + + filesConfig = { + BindReadOnly = [ + "/etc/resolv.conf:/etc/resolv.conf" + + "/nix" + + "/run/current-system" + "/run/booted-system" + "/run/opengl-driver" + "/run/opengl-driver-32" + + ]; + Bind = [ + "/:/run/host-root" + + "/run/udev" + + "/dev/input" + "/dev/shm" + "/dev/kfd" + "/dev/dri" + "/dev/tty" + "/dev/tty0" + + "/tmp/.X11-unix" + + /materus + + ] ++ lib.lists.forEach ttys (x: "/dev/tty${builtins.toString x}"); + }; + networkConfig = { + Private = false; + }; + }; + systemd.services."systemd-nspawn@archlinux" = { + enable = true; + preStart = "${scripts.preStart}"; + overrideStrategy = "asDropin"; + serviceConfig = { + DeviceAllow = [ "char-tty rwm" "char-input rwm" "char-drm rwm" ]; + }; + }; +} diff --git a/configurations/host/materusPC/containers/default.nix b/configurations/host/materusPC/containers/default.nix index 58e96ce..e997ef4 100644 --- a/configurations/host/materusPC/containers/default.nix +++ b/configurations/host/materusPC/containers/default.nix @@ -1,5 +1,8 @@ {...}: { + imports = [ + ./arch.nix + ]; virtualisation.lxc.enable = true; virtualisation.lxc.lxcfs.enable = true; virtualisation.lxd.enable = false;