diff --git a/nixos/arion/arion-compose.nix b/nixos/arion/arion-compose.nix
new file mode 100644
index 0000000..a8d3df4
--- /dev/null
+++ b/nixos/arion/arion-compose.nix
@@ -0,0 +1,50 @@
+
+/*
+
+ DISCLAIMER
+
+ This uses a somewhat hidden feature in NixOS, which is the
+ "runner". It's a script that's available on systemd services
+ that lets you run the service independently from systemd.
+ However, it was clearly not intended for public consumption
+ so please use it with care.
+ It does not support all features of systemd so you are on
+ your own if you use it in production.
+
+ One known issue is that the script does not respond to docker's
+ SIGTERM shutdown signal.
+
+ */
+
+ {
+ project.name = "nixos-unit";
+ services.webserver = { config, pkgs, ... }: {
+
+ nixos.configuration = {config, lib, options, pkgs, ...}: {
+ boot.isContainer = true;
+ services.nginx = {
+ enable = true;
+ virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
+ } // lib.optionalAttrs (options?services.nginx.stateDir) {
+ # Work around a problem in NixOS 20.03
+ stateDir = "/var/lib/nginx";
+ };
+ system.build.run-nginx = pkgs.writeScript "run-nginx" ''
+ #!${pkgs.bash}/bin/bash
+ PATH='${config.systemd.services.nginx.environment.PATH}'
+ echo nginx:x:${toString config.users.users.nginx.uid}:${toString config.users.groups.nginx.gid}:nginx web server user:/var/empty:/bin/sh >>/etc/passwd
+ echo nginx:x:${toString config.users.groups.nginx.gid}:nginx >>/etc/group
+ echo 'nobody:x:65534:65534:Unprivileged account do not use:/var/empty:/run/current-system/sw/bin/nologin' >>/etc/passwd
+ echo 'nogroup:x:65534:' >>/etc/group
+ mkdir -p /var/log/nginx /run/nginx/ /var/cache/nginx /var/lib/nginx/{,logs,proxy_temp,client_body_temp,fastcgi_temp,scgi_temp,uwsgi_temp} /tmp/nginx_client_body
+ chown nginx /var/log/nginx /run/nginx/ /var/cache/nginx /var/lib/nginx/{,logs,proxy_temp,client_body_temp,fastcgi_temp,scgi_temp,uwsgi_temp} /tmp/nginx_client_body
+ ${config.systemd.services.nginx.runner}
+ '';
+ };
+ service.command = [ config.nixos.build.run-nginx ];
+ service.useHostStore = true;
+ service.ports = [
+ "8000:80" # host:container
+ ];
+ };
+}
diff --git a/nixos/arion/arion-pkgs.nix b/nixos/arion/arion-pkgs.nix
new file mode 100644
index 0000000..109fcb1
--- /dev/null
+++ b/nixos/arion/arion-pkgs.nix
@@ -0,0 +1,10 @@
+## This file is the default location for Arion to look for Nixpkgs when
+## bootstrapping a deployment configuration.
+#import ../ {}
+
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
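Review bot: The four `echo ... >>/etc/passwd` / `>>/etc/group` lines in the run-nginx script append unconditionally, so every start of a container whose root filesystem persists (a `docker start` of a stopped container, or a restart policy) adds duplicate nginx/nobody entries, and because the script has no `set -e`, a failed `mkdir`/`chown` still falls through to launching nginx. I would add `set -euo pipefail` after the shebang and guard each append with a `grep -q '^nginx:' /etc/passwd ||` style check; this assumes gnugrep is on the PATH copied from the nginx unit's environment, which is the norm for NixOS service PATHs but worth confirming. Separately, the disclaimer should say that the runner presumably does not apply the unit's `serviceConfig` (User=, ProtectSystem=, etc.), so the hardening the NixOS nginx module normally provides does not apply here and nginx is relied on to drop privileges itself via its own `user` directive — I have not verified the runner's behaviour, so please check before relying on it.
```nix
        #!${pkgs.bash}/bin/bash
        set -euo pipefail
        PATH='${config.systemd.services.nginx.environment.PATH}'
        # Idempotent: a restarted container already carries these entries.
        grep -q '^nginx:' /etc/passwd  || echo nginx:x:${toString config.users.users.nginx.uid}:${toString config.users.groups.nginx.gid}:nginx web server user:/var/empty:/bin/sh >>/etc/passwd
        grep -q '^nginx:' /etc/group   || echo nginx:x:${toString config.users.groups.nginx.gid}:nginx >>/etc/group
        grep -q '^nobody:' /etc/passwd || echo 'nobody:x:65534:65534:Unprivileged account do not use:/var/empty:/run/current-system/sw/bin/nologin' >>/etc/passwd
        grep -q '^nogroup:' /etc/group || echo 'nogroup:x:65534:' >>/etc/group
        # … unchanged: mkdir/chown of the nginx state directories and the runner call …
```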
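Review bot: The Nixpkgs import is deliberately left unpinned ("use the one in NIX_PATH"), but the comment does not spell out the consequence: the image that gets built depends on whatever channel is on the caller's NIX_PATH, so two machines produce different nginx/glibc closures and the deployment is not reproducible or auditable. I would extend the comment to `# Unpinned: the result follows the caller's NIX_PATH and differs between machines; pin with builtins.fetchTarball + sha256 (or niv/flakes) before using this for a real deployment.` Note also that the `import {` line appears to have lost its search-path argument in this rendering (presumably `<nixpkgs>` was stripped as markup), so please check the committed file actually reads `import <nixpkgs> {`.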