Created
February 27, 2018 12:03
-
-
Save vizanto/9ba230eba92563692dfb49f02f501264 to your computer and use it in GitHub Desktop.
NixOS 17.03 on SmartOS LX-branded Zone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { config, lib, pkgs, ... }: with lib; | |
| { | |
| ### SmartOS Linux Branded Zone specific configuration | |
| boot.isContainer = true; | |
| boot.loader.initScript.enable = true; | |
| networking.useDHCP = false; | |
| networking.firewall.enable = false; | |
| services.nscd.enable = true;# false; | |
| nix.useSandbox = mkForce false; | |
| systemd.services.plymouth-start.enable = false; | |
| systemd.services.systemd-udevd.unitConfig.ConditionVirtualization = "!container-other"; | |
| systemd.services.systemd-binfmt.enable = false; | |
| systemd.services.systemd-logind.serviceConfig.SystemCallFilter = ""; | |
| systemd.services.systemd-logind.serviceConfig.CapabilityBoundingSet = "~"; | |
| systemd.services.systemd-logind.serviceConfig.MemoryDenyWriteExecute = false; | |
| systemd.services.smartos-init = { | |
| path = [ pkgs.bash ]; | |
| wantedBy = [ "multi-user.target" ]; | |
| serviceConfig = { | |
| Type = "oneshot"; | |
| ExecStart = ''/lib/smartdc/joyent_rc.local''; | |
| }; | |
| }; | |
| system.activationScripts.stdio = mkForce ""; | |
| system.activationScripts.tmpfs = mkForce ""; #"ls -Al /etc/systemd/system/ ; realpath /etc/systemd/system/local-fs.target.wants"; | |
| # LX brand does not (yet?) support 'sandbox' privilege seperation | |
| # thus we set a working default instead: | |
| services.openssh.extraConfig = mkOrder (-1) "UsePrivilegeSeparation yes"; | |
| services.openssh.startWhenNeeded = false; | |
| services.resolved.enable = mkForce false; | |
| system.activationScripts.resolvconf = mkForce ""; | |
| environment.etc."resolv.conf".text = mkForce (flip concatMapStrings config.networking.nameservers (ns: '' | |
| nameserver ${ns} | |
| '')); | |
| environment.etc."hostname".text = mkForce config.networking.hostName; | |
| system.activationScripts.alpine-release = '' | |
| touch /etc/alpine-release | |
| ''; | |
| environment.systemPackages = with pkgs; let | |
| symlinkBin = target: bin: runCommand bin { inherit target bin; } "mkdir -p $out/bin && ln -sv $target $out/bin/$bin"; | |
| dtrace = symlinkBin "/native/usr/sbin/dtrace" "dtrace"; | |
| zfs = symlinkBin "/native/usr/sbin/zfs" "zfs"; | |
| zpool = symlinkBin "/native/usr/sbin/zpool" "zpool"; | |
| in [ dtrace zfs zpool ]; | |
| fileSystems."/tmp" = | |
| { device = "swap"; | |
| fsType = "tmpfs"; | |
| }; | |
| nix.maxJobs = 1; | |
| nix.buildCores = 12; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [root@nixos:~]# nixos-rebuild switch | |
| building Nix... | |
| building the system configuration... | |
| these derivations will be built: | |
| /nix/store/68a1dc8lv61dv5cy601ld6229q9w5cl1-etc-fstab.drv | |
| /nix/store/0llmjlxan2g8rzd1khy0i7fa51jla6q9-etc.drv | |
| /nix/store/m2fkpzk5yih79kxs0b5a57d4393qxg2c-nixos-system-nixos-17.03.1947.d77e0969a78.drv | |
| building path(s) '/nix/store/8s112ias0gm05r01p1gznngclvk53ddp-etc-fstab' | |
| building '/nix/store/68a1dc8lv61dv5cy601ld6229q9w5cl1-etc-fstab.drv'... | |
| building path(s) '/nix/store/gv7nj78jmm895npfgazp5ik25s03zl16-etc' | |
| building '/nix/store/0llmjlxan2g8rzd1khy0i7fa51jla6q9-etc.drv'... | |
| building path(s) '/nix/store/k8bpaspxzgj2lnnr9rqyxj6j10zayqhl-nixos-system-nixos-17.03.1947.d77e0969a78' | |
| building '/nix/store/m2fkpzk5yih79kxs0b5a57d4393qxg2c-nixos-system-nixos-17.03.1947.d77e0969a78.drv'... | |
| stopping the following units: tmp.mount | |
| Job for tmp.mount failed. | |
| See "systemctl status tmp.mount" and "journalctl -xe" for details. | |
| activating the configuration... | |
| setting up /etc... | |
| mount: unknown filesystem type 'devtmpfs' | |
| mount: unknown filesystem type 'devpts' | |
| mount: unknown filesystem type 'ramfs' | |
| unable to set CAP_SETFCAP effective capability: Operation not permitted | |
| setting up tmpfiles | |
| Setting default ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal failed: Function not implemented | |
| Setting access ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal failed: Function not implemented | |
| Setting default ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal/a16ec2d0921d47948d8d10be103d89b3 failed: Function not implemented | |
| Setting access ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal/a16ec2d0921d47948d8d10be103d89b3 failed: Function not implemented | |
| Setting access ACL "u::rw-,g::r--,g:wheel:r--,g:adm:r--,m::r--,o::---" on /var/log/journal/a16ec2d0921d47948d8d10be103d89b3/system.journal failed: Function not implemented | |
| warning: the following units failed: systemd-tmpfiles-setup.service | |
| ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories | |
| Loaded: loaded (/nix/store/8dshy3jqzkw2c73czw6kbw0msx9ivfi6-systemd-232/example/systemd/system/systemd-tmpfiles-setup.service; enabled; vendor preset: enabled) | |
| Active: failed (Result: exit-code) since Tue 2018-02-27 12:00:38 UTC; 210ms ago | |
| Docs: man:tmpfiles.d(5) | |
| man:systemd-tmpfiles(8) | |
| Process: 14807 ExecStart=/nix/store/8dshy3jqzkw2c73czw6kbw0msx9ivfi6-systemd-232/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) | |
| Main PID: 14807 (code=exited, status=1/FAILURE) | |
| warning: error(s) occurred while switching to the new configuration |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment