commit 7dbd965140e5a1a564c8ceb98126ebe5c22dec16
parent 3e7fd3d55cf6f297dfe45ef3e1777d957def9fbf
Author: Vincent Demeester <vincent@sbr.pm>
Date: Mon, 22 Aug 2022 13:00:12 +0200
systems/wakasu: enable containers
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
10 files changed, 1177 insertions(+), 5 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -131,6 +131,8 @@
./systems/modules/editors/default.nix
./systems/modules/hardware/default.nix
./systems/modules/profiles/default.flake.nix # TODO: rename
+ ./systems/modules/virtualisation/default.nix
+ ./systems/modules/services/default.nix
# ./systems/modules/hardware/sane-extra-config.nixos.nix
# FIXME: migrate this to elsewhere, or at least split it
# Profiles probably need to go away
@@ -159,7 +161,6 @@
./systems/modules/profiles/virtualization.nix
./systems/modules/profiles/wireguard.server.nix
./systems/modules/profiles/zsh.nix
- ./systems/modules/services/default.nix
sops-nix.nixosModules.sops
envfs.nixosModules.envfs
{
diff --git a/systems/hosts/wakasu.nix b/systems/hosts/wakasu.nix
@@ -78,6 +78,11 @@ in
};
dev = {
enable = true;
+ containers = {
+ enable = true;
+ docker.enable = true;
+ podman.enable = true;
+ };
};
profiles = {
# home = true;
diff --git a/systems/modules/dev/containers.nix b/systems/modules/dev/containers.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.modules.dev.containers;
+ inherit (lib) mkEnableOption mkIf mkMerge mkOption types;
+in
+{
+ options = {
+ modules.dev.containers = {
+ enable = mkEnableOption "Enable dev containers";
+ docker = {
+ enable = mkEnableOption "Enable docker containers";
+ package = mkOption {
+ default = pkgs.docker;
+ description = "docker package to be used";
+ type = types.package;
+ };
+ runcPackage = mkOption {
+ default = pkgs.runc;
+ description = "runc package to be used";
+ type = types.package;
+ };
+ };
+ podman = {
+ enable = mkEnableOption "Enable podman containers";
+ };
+ };
+ };
+ config = mkIf cfg.enable (mkMerge [
+ {
+ virtualisation.containers.enable = true;
+ }
+ (mkIf cfg.docker.enable {
+ virtualisation = {
+ containerd = {
+ enable = true;
+ };
+ buildkitd = {
+ enable = true;
+ settings = {
+ worker.oci = {
+ enabled = false;
+ };
+ worker.containerd = {
+ enabled = true;
+ platforms = [ "linux/amd64" "linux/arm64" ];
+ namespace = "buildkit";
+ };
+ # FIXME: move to home
+ registry = {
+ "r.svc.home:5000" = {
+ http = true;
+ insecure = true;
+ };
+ "r.svc.home" = {
+ http = true;
+ insecure = true;
+ };
+ };
+ };
+ };
+ docker = {
+ enable = true;
+ package = cfg.docker.package;
+ liveRestore = false;
+ storageDriver = "overlay2";
+ daemon.settings = {
+ experimental = true;
+ bip = "172.26.0.1/16";
+ runtimes = {
+ "docker-runc" = {
+ path = "${cfg.docker.runcPackage}/bin/runc";
+ };
+ };
+ default-runtime = "docker-runc";
+ containerd = "/run/containerd/containerd.sock";
+ features = { buildkit = true; };
+ insecure-registries = [ "172.30.0.0/16" "192.168.12.0/16" "massimo.home:5000" "r.svc.home:5000" "r.svc.home" ];
+ seccomp-profile = ./my-seccomp.json;
+ };
+ };
+ };
+ environment.systemPackages = with pkgs; [
+ my.buildx
+ ];
+ networking.firewall.trustedInterfaces = [ "docker0" ];
+ })
+ (mkIf cfg.podman.enable {
+ virtualisation.podman.enable = true;
+ })
+ (mkIf config.modules.profiles.work.redhat {
+ # Red Hat specific setup for virtualisation (buildah, podman, skopeo)
+ virtualisation = {
+ containers = {
+ registries = {
+ search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
+ };
+ policy = {
+ default = [{ type = "insecureAcceptAnything"; }];
+ transports = {
+ docker-daemon = {
+ "" = [{ type = "insecureAcceptAnything"; }];
+ };
+ };
+ };
+ };
+ };
+ })
+ ]);
+}
diff --git a/systems/modules/dev/default.nix b/systems/modules/dev/default.nix
@@ -1,5 +1,6 @@
{
imports = [
./base.nix
+ ./containers.nix
];
}
diff --git a/systems/modules/dev/my-seccomp.json b/systems/modules/dev/my-seccomp.json
@@ -0,0 +1,1041 @@
+{
+ "defaultAction": "SCMP_ACT_ERRNO",
+ "defaultErrnoRet": 38,
+ "defaultErrno": "ENOSYS",
+ "archMap": [
+ {
+ "architecture": "SCMP_ARCH_X86_64",
+ "subArchitectures": [
+ "SCMP_ARCH_X86",
+ "SCMP_ARCH_X32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_AARCH64",
+ "subArchitectures": [
+ "SCMP_ARCH_ARM"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPS64",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPS",
+ "SCMP_ARCH_MIPS64N32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPS64N32",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPS",
+ "SCMP_ARCH_MIPS64"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPSEL64",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPSEL",
+ "SCMP_ARCH_MIPSEL64N32"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_MIPSEL64N32",
+ "subArchitectures": [
+ "SCMP_ARCH_MIPSEL",
+ "SCMP_ARCH_MIPSEL64"
+ ]
+ },
+ {
+ "architecture": "SCMP_ARCH_S390X",
+ "subArchitectures": [
+ "SCMP_ARCH_S390"
+ ]
+ }
+ ],
+ "syscalls": [
+ {
+ "names": [
+ "bdflush",
+ "io_pgetevents",
+ "kexec_file_load",
+ "kexec_load",
+ "migrate_pages",
+ "move_pages",
+ "nfsservctl",
+ "nice",
+ "oldfstat",
+ "oldlstat",
+ "oldolduname",
+ "oldstat",
+ "olduname",
+ "pciconfig_iobase",
+ "pciconfig_read",
+ "pciconfig_write",
+ "sgetmask",
+ "ssetmask",
+ "swapcontext",
+ "swapoff",
+ "swapon",
+ "sysfs",
+ "uselib",
+ "userfaultfd",
+ "ustat",
+ "vm86",
+ "vm86old",
+ "vmsplice"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {},
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "_llseek",
+ "_newselect",
+ "accept",
+ "accept4",
+ "access",
+ "adjtimex",
+ "alarm",
+ "bind",
+ "brk",
+ "capget",
+ "capset",
+ "chdir",
+ "chmod",
+ "chown",
+ "chown32",
+ "clock_adjtime",
+ "clock_adjtime64",
+ "clock_getres",
+ "clock_getres_time64",
+ "clock_gettime",
+ "clock_gettime64",
+ "clock_nanosleep",
+ "clock_nanosleep_time64",
+ "clone",
+ "clone3",
+ "close",
+ "close_range",
+ "connect",
+ "copy_file_range",
+ "creat",
+ "dup",
+ "dup2",
+ "dup3",
+ "epoll_create",
+ "epoll_create1",
+ "epoll_ctl",
+ "epoll_ctl_old",
+ "epoll_pwait",
+ "epoll_pwait2",
+ "epoll_wait",
+ "epoll_wait_old",
+ "eventfd",
+ "eventfd2",
+ "execve",
+ "execveat",
+ "exit",
+ "exit_group",
+ "faccessat",
+ "faccessat2",
+ "fadvise64",
+ "fadvise64_64",
+ "fallocate",
+ "fanotify_mark",
+ "fchdir",
+ "fchmod",
+ "fchmodat",
+ "fchown",
+ "fchown32",
+ "fchownat",
+ "fcntl",
+ "fcntl64",
+ "fdatasync",
+ "fgetxattr",
+ "flistxattr",
+ "flock",
+ "fork",
+ "fremovexattr",
+ "fsconfig",
+ "fsetxattr",
+ "fsmount",
+ "fsopen",
+ "fspick",
+ "fstat",
+ "fstat64",
+ "fstatat64",
+ "fstatfs",
+ "fstatfs64",
+ "fsync",
+ "ftruncate",
+ "ftruncate64",
+ "futex",
+ "futex_time64",
+ "futimesat",
+ "get_robust_list",
+ "get_thread_area",
+ "getcpu",
+ "getcwd",
+ "getdents",
+ "getdents64",
+ "getegid",
+ "getegid32",
+ "geteuid",
+ "geteuid32",
+ "getgid",
+ "getgid32",
+ "getgroups",
+ "getgroups32",
+ "getitimer",
+ "get_mempolicy",
+ "getpeername",
+ "getpgid",
+ "getpgrp",
+ "getpid",
+ "getppid",
+ "getpriority",
+ "getrandom",
+ "getresgid",
+ "getresgid32",
+ "getresuid",
+ "getresuid32",
+ "getrlimit",
+ "getrusage",
+ "getsid",
+ "getsockname",
+ "getsockopt",
+ "gettid",
+ "gettimeofday",
+ "getuid",
+ "getuid32",
+ "getxattr",
+ "inotify_add_watch",
+ "inotify_init",
+ "inotify_init1",
+ "inotify_rm_watch",
+ "io_cancel",
+ "io_destroy",
+ "io_getevents",
+ "io_setup",
+ "io_submit",
+ "ioctl",
+ "ioprio_get",
+ "ioprio_set",
+ "ipc",
+ "keyctl",
+ "kill",
+ "lchown",
+ "lchown32",
+ "lgetxattr",
+ "link",
+ "linkat",
+ "listen",
+ "listxattr",
+ "llistxattr",
+ "lremovexattr",
+ "lseek",
+ "lsetxattr",
+ "lstat",
+ "lstat64",
+ "madvise",
+ "mbind",
+ "memfd_create",
+ "memfd_secret",
+ "mincore",
+ "mkdir",
+ "mkdirat",
+ "mknod",
+ "mknodat",
+ "mlock",
+ "mlock2",
+ "mlockall",
+ "mmap",
+ "mmap2",
+ "mount",
+ "move_mount",
+ "mprotect",
+ "mq_getsetattr",
+ "mq_notify",
+ "mq_open",
+ "mq_timedreceive",
+ "mq_timedreceive_time64",
+ "mq_timedsend",
+ "mq_timedsend_time64",
+ "mq_unlink",
+ "mremap",
+ "msgctl",
+ "msgget",
+ "msgrcv",
+ "msgsnd",
+ "msync",
+ "munlock",
+ "munlockall",
+ "munmap",
+ "name_to_handle_at",
+ "nanosleep",
+ "newfstatat",
+ "open",
+ "openat",
+ "openat2",
+ "open_tree",
+ "pause",
+ "pidfd_getfd",
+ "pidfd_open",
+ "pidfd_send_signal",
+ "pipe",
+ "pipe2",
+ "pivot_root",
+ "pkey_alloc",
+ "pkey_free",
+ "pkey_mprotect",
+ "poll",
+ "ppoll",
+ "ppoll_time64",
+ "prctl",
+ "pread64",
+ "preadv",
+ "preadv2",
+ "prlimit64",
+ "pselect6",
+ "pselect6_time64",
+ "pwrite64",
+ "pwritev",
+ "pwritev2",
+ "read",
+ "readahead",
+ "readdir",
+ "readlink",
+ "readlinkat",
+ "readv",
+ "reboot",
+ "recv",
+ "recvfrom",
+ "recvmmsg",
+ "recvmmsg_time64",
+ "recvmsg",
+ "remap_file_pages",
+ "removexattr",
+ "rename",
+ "renameat",
+ "renameat2",
+ "restart_syscall",
+ "rmdir",
+ "rseq",
+ "rt_sigaction",
+ "rt_sigpending",
+ "rt_sigprocmask",
+ "rt_sigqueueinfo",
+ "rt_sigreturn",
+ "rt_sigsuspend",
+ "rt_sigtimedwait",
+ "rt_sigtimedwait_time64",
+ "rt_tgsigqueueinfo",
+ "sched_get_priority_max",
+ "sched_get_priority_min",
+ "sched_getaffinity",
+ "sched_getattr",
+ "sched_getparam",
+ "sched_getscheduler",
+ "sched_rr_get_interval",
+ "sched_rr_get_interval_time64",
+ "sched_setaffinity",
+ "sched_setattr",
+ "sched_setparam",
+ "sched_setscheduler",
+ "sched_yield",
+ "seccomp",
+ "select",
+ "semctl",
+ "semget",
+ "semop",
+ "semtimedop",
+ "semtimedop_time64",
+ "send",
+ "sendfile",
+ "sendfile64",
+ "sendmmsg",
+ "sendmsg",
+ "sendto",
+ "setns",
+ "set_mempolicy",
+ "set_robust_list",
+ "set_thread_area",
+ "set_tid_address",
+ "setfsgid",
+ "setfsgid32",
+ "setfsuid",
+ "setfsuid32",
+ "setgid",
+ "setgid32",
+ "setgroups",
+ "setgroups32",
+ "setitimer",
+ "setpgid",
+ "setpriority",
+ "setregid",
+ "setregid32",
+ "setresgid",
+ "setresgid32",
+ "setresuid",
+ "setresuid32",
+ "setreuid",
+ "setreuid32",
+ "setrlimit",
+ "setsid",
+ "setsockopt",
+ "setuid",
+ "setuid32",
+ "setxattr",
+ "shmat",
+ "shmctl",
+ "shmdt",
+ "shmget",
+ "shutdown",
+ "sigaltstack",
+ "signalfd",
+ "signalfd4",
+ "sigreturn",
+ "socketcall",
+ "socketpair",
+ "splice",
+ "stat",
+ "stat64",
+ "statfs",
+ "statfs64",
+ "statx",
+ "symlink",
+ "symlinkat",
+ "sync",
+ "sync_file_range",
+ "syncfs",
+ "sysinfo",
+ "syslog",
+ "tee",
+ "tgkill",
+ "time",
+ "timer_create",
+ "timer_delete",
+ "timer_getoverrun",
+ "timer_gettime",
+ "timer_gettime64",
+ "timer_settime",
+ "timer_settime64",
+ "timerfd_create",
+ "timerfd_gettime",
+ "timerfd_gettime64",
+ "timerfd_settime",
+ "timerfd_settime64",
+ "times",
+ "tkill",
+ "truncate",
+ "truncate64",
+ "ugetrlimit",
+ "umask",
+ "umount",
+ "umount2",
+ "uname",
+ "unlink",
+ "unlinkat",
+ "unshare",
+ "utime",
+ "utimensat",
+ "utimensat_time64",
+ "utimes",
+ "vfork",
+ "wait4",
+ "waitid",
+ "waitpid",
+ "write",
+ "writev"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 0,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 8,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 131072,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 131080,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "personality"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 4294967295,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {}
+ },
+ {
+ "names": [
+ "sync_file_range2"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "ppc64le"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "arm_fadvise64_64",
+ "arm_sync_file_range",
+ "sync_file_range2",
+ "breakpoint",
+ "cacheflush",
+ "set_tls"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "arm",
+ "arm64"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "arch_prctl"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "amd64",
+ "x32"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "modify_ldt"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "amd64",
+ "x32",
+ "x86"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "s390_pci_mmio_read",
+ "s390_pci_mmio_write",
+ "s390_runtime_instr"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "arches": [
+ "s390",
+ "s390x"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "open_by_handle_at"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_DAC_READ_SEARCH"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "open_by_handle_at"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_DAC_READ_SEARCH"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "bpf",
+ "fanotify_init",
+ "lookup_dcookie",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "bpf",
+ "fanotify_init",
+ "lookup_dcookie",
+ "perf_event_open",
+ "quotactl",
+ "setdomainname",
+ "sethostname",
+ "setns"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_ADMIN"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "chroot"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_CHROOT"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "chroot"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_CHROOT"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "delete_module",
+ "init_module",
+ "finit_module",
+ "query_module"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_MODULE"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "delete_module",
+ "init_module",
+ "finit_module",
+ "query_module"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_MODULE"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "acct"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_PACCT"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "acct"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_PACCT"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "kcmp",
+ "process_madvise",
+ "process_vm_readv",
+ "process_vm_writev",
+ "ptrace"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_PTRACE"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "kcmp",
+ "process_madvise",
+ "process_vm_readv",
+ "process_vm_writev",
+ "ptrace"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_PTRACE"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "iopl",
+ "ioperm"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_RAWIO"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "iopl",
+ "ioperm"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_RAWIO"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "settimeofday",
+ "stime",
+ "clock_settime",
+ "clock_settime64"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_TIME"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "settimeofday",
+ "stime",
+ "clock_settime",
+ "clock_settime64"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_TIME"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "vhangup"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [],
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_SYS_TTY_CONFIG"
+ ]
+ },
+ "excludes": {}
+ },
+ {
+ "names": [
+ "vhangup"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_SYS_TTY_CONFIG"
+ ]
+ },
+ "errnoRet": 1,
+ "errno": "EPERM"
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ERRNO",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ },
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_EQ"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "errnoRet": 22,
+ "errno": "EINVAL"
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 0,
+ "value": 16,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": [
+ {
+ "index": 2,
+ "value": 9,
+ "valueTwo": 0,
+ "op": "SCMP_CMP_NE"
+ }
+ ],
+ "comment": "",
+ "includes": {},
+ "excludes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ {
+ "names": [
+ "socket"
+ ],
+ "action": "SCMP_ACT_ALLOW",
+ "args": null,
+ "comment": "",
+ "includes": {
+ "caps": [
+ "CAP_AUDIT_WRITE"
+ ]
+ },
+ "excludes": {}
+ }
+ ]
+}
diff --git a/systems/modules/profiles/work.nix b/systems/modules/profiles/work.nix
@@ -93,4 +93,5 @@ in
path = "/etc/pki/tls/certs/win-intermediate-ca.cer";
};
};
+
}
diff --git a/systems/modules/virtualisation/default.nix b/systems/modules/virtualisation/default.nix
@@ -1,6 +1,7 @@
{
imports = [
- ./buildkit.nix
+ # ./buildkit.nix # sourced in flake direclty
+ ./libvirt.nix
# Containerd is now a module upstream
# FIXME: remove this when 21.05 is out.
./containerd.nix
diff --git a/systems/modules/virtualisation/libvirt.nix b/systems/modules/virtualisation/libvirt.nix
@@ -15,6 +15,9 @@ in
virtualisation.libvirtd.enable = true;
environment.systemPackages = with pkgs; [ qemu vde2 libosinfo ];
}
+ (mkIf config.modules.desktop.enable {
+ environment.systemPackages = with pkgs; [ virtmanager ];
+ })
(mkIf cfg.nested {
boot.kernelParams = [ "kvm_intel.nested=1" ];
environment.etc."modprobe.d/kvm.conf".text = ''
diff --git a/users/vincent/containers/kubernetes.nix b/users/vincent/containers/kubernetes.nix
@@ -14,7 +14,7 @@ in
kubectl
kustomize
kind
- minikube
+ # minikube # probably don't need that always.. only on demand
ko
crane
#my.krew
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -23,12 +23,14 @@ in
description = "Vincent Demeester";
extraGroups = [ "wheel" "input" ]
++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
- ++ optionals config.profiles.desktop.enable [ "audio" "video" ]
+ ++ optionals config.modules.desktop.enable [ "audio" "video" ]
+ ++ optionals config.profiles.desktop.enable [ "audio" "video" ] # FIXME deprecated
++ optionals config.profiles.scanning.enable [ "lp" "scanner" ]
++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
++ optionals config.virtualisation.docker.enable [ "docker" ]
++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ]
- ++ optionals config.profiles.virtualization.enable [ "libvirtd" ]
+ ++ optionals config.modules.virtualisation.libvirt.enable [ "libvirtd" ]
+ ++ optionals config.profiles.virtualization.enable [ "libvirtd" ] # FIXME deprecated
++ optionals config.services.nginx.enable [ "nginx" ];
shell = mkIf config.programs.zsh.enable pkgs.zsh;
isNormalUser = true;
@@ -76,6 +78,13 @@ in
]
++ optionals config.modules.dev.enable [
(import ./dev)
+ # TODO Move it elsewhere ?
+ (import ./containers/kubernetes.nix)
+ (import ./containers/openshift.nix)
+ (import ./containers/tekton.nix)
+ ]
+ ++ optionals config.modules.dev.containers.enable [
+ (import ./containers)
]
++ optionals config.modules.desktop.enable [ (import ./desktop) ]
++ optionals config.profiles.dev.enable [