nix-config/modules/containers.nix

{
  config,
  nix-config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkIf;
  inherit (config.modules.system) username;
  inherit (config.boot) enableContainers;

  template = {
    privateNetwork = true;
    ephemeral = true;
    autoStart = true;
    restartIfChanged = false;

    bindMounts = {
      "/mnt" = {
        hostPath = "/home/${username}/containers/wine";
        isReadOnly = false;
      };

      waylandDisplay = rec {
        hostPath = "/run/user/1000";
        mountPoint = hostPath;
      };

      x11Display = rec {
        hostPath = "/tmp/.X11-unix";
        mountPoint = hostPath;
      };

      dri = rec {
        hostPath = "/dev/dri";
        mountPoint = hostPath;
      };
    };

    allowedDevices = [
      {
        modifier = "rw";
        node = "/dev/dri/renderD128";
      }
    ];

    specialArgs = {
      inherit nix-config;
    };
  };
in
{
  systemd.tmpfiles.rules = [ "d /run/user/1000 0700 ${username} users -" ];

  environment.systemPackages = mkIf (pkgs.system == "x86_64-linux") (
    with nix-config.inputs.sakaya.packages.${pkgs.system}; [ sakaya ]
  );

  containers = mkIf enableContainers {
    wine = template // {
      hostAddress = "192.168.100.34";
      localAddress = "192.168.100.49";

      config =
        { ... }:
        {
          imports = [
            ../containers
            ../containers/wine.nix
          ];
        };
    };
  };
}
modules: Format with nixfmt-rfc-style 2024-08-03 20:40:07 +02:00			`{`
			`config,`
			`nix-config,`
			`lib,`
meta: Move sakaya to containers module 2024-09-10 05:08:01 +02:00			`pkgs,`
modules: Format with nixfmt-rfc-style 2024-08-03 20:40:07 +02:00			`...`
			`}:`
chore: Formatting 2023-06-23 21:48:29 +02:00
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00			`let`
containers: Fix warning when containers are disabled Now it's possible to disable the containers without getting a warning that containers.<name> is being defined. 2024-04-06 14:08:06 +02:00			`inherit (lib) mkIf;`
phone: Move containers config out of container module We should explicitly enable it instead of conditionally disable it. 2024-07-17 11:55:08 +02:00			`inherit (config.modules.system) username;`
containers: Fix warning when containers are disabled Now it's possible to disable the containers without getting a warning that containers.<name> is being defined. 2024-04-06 14:08:06 +02:00			`inherit (config.boot) enableContainers;`
meta: Don't hardcode home directory This is a much better way of handling things. 2024-04-05 01:38:57 +02:00
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00			`template = {`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`privateNetwork = true;`
containers(wine): Implement impermanence Useful to avoid certain things working due to a certain state, then forgetting what was changed over time. 2023-06-16 20:21:23 +02:00			`ephemeral = true;`
containers(wine): Autostart with tmpfiles This change makes it possible to autostart the wine container without receiving errors and not being able to use /run/user/1000. 2023-08-02 04:21:59 +02:00			`autoStart = true;`
containers: Disable restartIfChanged Makes it possible to use sakaya without worrying about the container automatically restarting on config changes and closing all the wine applications. This was previously part of my personal nixpkgs branch but I turned it into an option that should hopefully be upstreamed soon. 2023-10-11 00:38:13 +02:00			`restartIfChanged = false;`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00
			`bindMounts = {`
meta: Remove variables from containers Modules solve the variable problem in a nicer way. 2023-06-22 17:43:19 +02:00			`"/mnt" = {`
meta: Don't hardcode home directory This is a much better way of handling things. 2024-04-05 01:38:57 +02:00			`hostPath = "/home/${username}/containers/wine";`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`isReadOnly = false;`
			`};`
Make wine container support display output This works, and I was surprised that I needed to change little to nothing at all. 2023-06-03 21:36:26 +02:00
			`waylandDisplay = rec {`
			`hostPath = "/run/user/1000";`
			`mountPoint = hostPath;`
			`};`

			`x11Display = rec {`
			`hostPath = "/tmp/.X11-unix";`
			`mountPoint = hostPath;`
			`};`
containers(wine): Passthrough /dev/dri Enables the wine container to have native graphics performance on the host. 2023-06-16 20:22:57 +02:00
			`dri = rec {`
			`hostPath = "/dev/dri";`
			`mountPoint = hostPath;`
			`};`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`};`

containers(wine): Passthrough /dev/dri Enables the wine container to have native graphics performance on the host. 2023-06-16 20:22:57 +02:00			`allowedDevices = [`
			`{`
			`modifier = "rw";`
			`node = "/dev/dri/renderD128";`
			`}`
			`];`
feat: Simplify imports by importing with specialArgs This change makes it possible to import the modules that are required from the flake inputs in the output modules themselves, thus preventing users from having to manually import those modules. This simplifies things overall and was made possible by the specialArgs option that allowed these flake inputs to be passed into our container. 2024-04-05 15:36:21 +02:00
			`specialArgs = {`
feat: Pass nix-config as self to avoid infinite recursion This change makes it possible to use this nix-config in all the different ways imaginable (containers, bare metal, tests, and as a separate flake input) without running into infinite recursion issues with self. It does this by using a trick similar to JavaScript in which `var self = this;`, thus enabling the usage of "this" (or self, in Nix's case) where it wouldn't otherwise be possible. Note that this only works if the input for this repository is named nix-config. This makes it impractical to combine with multiple configurations that employ the same strategy. 2024-04-05 16:09:51 +02:00			`inherit nix-config;`
feat: Simplify imports by importing with specialArgs This change makes it possible to import the modules that are required from the flake inputs in the output modules themselves, thus preventing users from having to manually import those modules. This simplifies things overall and was made possible by the specialArgs option that allowed these flake inputs to be passed into our container. 2024-04-05 15:36:21 +02:00			`};`
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00			`};`
chore: Fix formatting 2023-08-31 20:16:29 +02:00			`in`
			`{`
modules: Format with nixfmt-rfc-style 2024-08-03 20:40:07 +02:00			`systemd.tmpfiles.rules = [ "d /run/user/1000 0700 ${username} users -" ];`
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00
meta: Move sakaya to containers module 2024-09-10 05:08:01 +02:00			`environment.systemPackages = mkIf (pkgs.system == "x86_64-linux") (`
			`with nix-config.inputs.sakaya.packages.${pkgs.system}; [ sakaya ]`
			`);`

phone: Move containers config out of container module We should explicitly enable it instead of conditionally disable it. 2024-07-17 11:55:08 +02:00			`containers = mkIf enableContainers {`
containers: Fix warning when containers are disabled Now it's possible to disable the containers without getting a warning that containers.<name> is being defined. 2024-04-06 14:08:06 +02:00			`wine = template // {`
			`hostAddress = "192.168.100.34";`
			`localAddress = "192.168.100.49";`

modules: Format with nixfmt-rfc-style 2024-08-03 20:40:07 +02:00			`config =`
			`{ ... }:`
			`{`
			`imports = [`
			`../containers`
			`../containers/wine.nix`
			`];`
			`};`
nix: Simplify 2023-06-11 15:51:26 +02:00			`};`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`};`
			`}`