NixOS Containers: Difference between revisions

(5 intermediate revisions by 4 users not shown)

Line 113:

</syntaxhighlight>

Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.

View log for container<syntaxhighlight lang="console">

# journalctl -M webserver

</syntaxhighlight>Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.

== Tips and tricks ==

==== Define and create nixos-container from a Flake file ====

We can define and create a custom container called <code>container</code> from a file stored as <code>flake.nix</code>. In this case we use the unstable branch of the nixpkgs repository as a source.<syntaxhighlight lang="nix">

{

inputs.nixpkgs.url = "nixpkgs/nixos-unstable";

outputs = { self, nixpkgs }: {

nixosConfigurations.container = nixpkgs.lib.nixosSystem {

system = "x86_64-linux";

modules =

[ ({ pkgs, ... }: {

boot.isContainer = true;

networking.firewall.allowedTCPPorts = [ 80 ];

services.httpd = {

enable = true;

adminAddr = "morty@example.org";

};

})

];

};

}

</syntaxhighlight>To create and run that container, enter following commands. In this example the <code>flake.nix</code> file is in the same directory.<syntaxhighlight lang="console">

# nixos-container create flake-test --flake .

host IP is 10.233.4.1, container IP is 10.233.4.2

# nixos-container start flake-test

</syntaxhighlight>

==== Use agenix secrets in container ====

To add <code>agenix</code> secrets to a container bind mount the <code>ssh-host.key</code> and import the <code>agenix.nixosModule</code> and set <code>age.identityPaths</code> [https://discourse.nixos.org/t/secrets-inside-nixos-containers/34403/6 Source]<syntaxhighlight lang="nix">

{ agenix, ... }:

{

containers."withSecret" = {

# pass the private key to the container for agenix to decrypt the secret

bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;

config =

{

config,

lib,

pkgs,

...

}:

{

imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container

age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically when openssh is not setup

# import the secret

age.secrets."secret-name" = {

file = ../secrets/secret.age;

};

}

</syntaxhighlight>

== Troubleshooting ==

=== I have changed the host's channel and some services are no longer functional ===

==== I have changed the host's channel and some services are no longer functional ====

'''Symptoms:'''

* Lost data in PostgreSQL database

Line 132:

Line 197:

* [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html Blog Article - Declarative NixOS Containers]

* [https://discourse.nixos.org/t/extra-container-run-declarative-containers-without-full-system-rebuilds/511 NixOS Discourse - Extra-container: Run declarative containers without full system rebuilds]

* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/~~tools~~/~~virtualization~~/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]

* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ni/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]

* [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/nixos-containers.nix Nixpkgs - nixos-containers.nix]

* [https://nixcademy.com/2023/08/29/nixos-nspawn/ nixos-nspawn]

@@ Line 113: / Line 113: @@
 </syntaxhighlight>
-Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.
+View log for container<syntaxhighlight lang="console">
+# journalctl -M webserver
+</syntaxhighlight>Further informations are available in the {{manual:nixos|sec=#ch-containers|chapter=NixOS manual}}.
+== Tips and tricks ==
+==== Define and create nixos-container from a Flake file ====
+We can define and create a custom container called <code>container</code> from a file stored as <code>flake.nix</code>. In this case we use the unstable branch of the nixpkgs repository as a source.<syntaxhighlight lang="nix">
+{
+  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
+  outputs = { self, nixpkgs }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules =
+        [ ({ pkgs, ... }: {
+            boot.isContainer = true;
+            networking.firewall.allowedTCPPorts = [ 80 ];
+            services.httpd = {
+              enable = true;
+              adminAddr = "morty@example.org";
+            };
+          })
+        ];
+    };
+  };
+}
+</syntaxhighlight>To create and run that container, enter following commands. In this example the <code>flake.nix</code> file is in the same directory.<syntaxhighlight lang="console">
+# nixos-container create flake-test --flake .
+host IP is 10.233.4.1, container IP is 10.233.4.2
+# nixos-container start flake-test
+</syntaxhighlight>
+==== Use agenix secrets in container ====
+To add <code>agenix</code> secrets to a container bind mount the <code>ssh-host.key</code> and import the <code>agenix.nixosModule</code> and set <code>age.identityPaths</code> [https://discourse.nixos.org/t/secrets-inside-nixos-containers/34403/6 Source]<syntaxhighlight lang="nix">
+{ agenix, ... }:
+{
+  containers."withSecret" = {
+    # pass the private key to the container for agenix to decrypt the secret
+    bindMounts."/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
+    config =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        imports = [ agenix.nixosModules.default ]; # import agenix-module into the nixos-container
+        age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # isn't set automatically when openssh is not setup
+        # import the secret
+        age.secrets."secret-name" = {
+          file = ../secrets/secret.age;
+        };
+      };
+  };
+}
+</syntaxhighlight>
 == Troubleshooting ==
-=== I have changed the host's channel and some services are no longer functional ===
+==== I have changed the host's channel and some services are no longer functional ====
 '''Symptoms:'''
 * Lost data in PostgreSQL database
@@ Line 132: / Line 197: @@
 * [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html Blog Article - Declarative NixOS Containers]
 * [https://discourse.nixos.org/t/extra-container-run-declarative-containers-without-full-system-rebuilds/511 NixOS Discourse - Extra-container: Run declarative containers without full system rebuilds]
-* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/virtualization/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]
+* [https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/ni/nixos-container/nixos-container.pl Nixpkgs - nixos-container.pl]
 * [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/nixos-containers.nix Nixpkgs - nixos-containers.nix]
 * [https://nixcademy.com/2023/08/29/nixos-nspawn/ nixos-nspawn]