From ceb211ae5121e20f37546a1557b96f03031ec850 Mon Sep 17 00:00:00 2001
From: Nathan
Date: Wed, 31 Dec 2025 16:31:24 -0600
Subject: [PATCH] Revert "no sandbox"

This reverts commit 112782fa9192ff6a980f8fcaaf3ea67143e053d0.
---
 system/services/containers/default.nix | 1 +
 .../services/containers/keycloak/default.nix | 4 +
 .../services/containers/sandbox/default.nix | 89 +++++++++++++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 system/services/containers/sandbox/default.nix

diff --git a/system/services/containers/default.nix b/system/services/containers/default.nix
index a4e53c1..92d11fd 100644
--- a/system/services/containers/default.nix
+++ b/system/services/containers/default.nix
@@ -20,5 +20,6 @@
 ./code-server
 ./novnc
 ./minecraft
+ ./sandbox
 ];
 }
diff --git a/system/services/containers/keycloak/default.nix b/system/services/containers/keycloak/default.nix
index 780b2c5..b32a358 100644
--- a/system/services/containers/keycloak/default.nix
+++ b/system/services/containers/keycloak/default.nix
@@ -5,6 +5,10 @@
 default = false;
 };
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
 config = lib.mkIf config.sysconfig.virtualization.keycloak.enable {
 sops.secrets."keycloak/dbpass" = {};
diff --git a/system/services/containers/sandbox/default.nix b/system/services/containers/sandbox/default.nix
new file mode 100644
index 0000000..1b596a3
--- /dev/null
+++ b/system/services/containers/sandbox/default.nix
@@ -0,0 +1,89 @@
+{ config, lib, inputs, ... }: {
+
+ options.sysconfig.virtualization.sandbox.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ disabledModules = [
+ "virtualisation/nixos-containers.nix"
+ ];
+
+ imports = [
+ (import "${inputs.nixpkgs-us}/nixos/modules/virtualisation/nixos-containers.nix" {
+ inherit config lib;
+ pkgs = (import inputs.nixpkgs-us {
+ system = "x86_64-linux";
+ });
+ })
+ ];
+
+ config = lib.mkIf config.sysconfig.virtualization.sandbox.enable {
+
+ networking = {
+
+ nat.internalInterfaces = [ "ve-sandbox" ];
+ };
+ containers.sandbox = {
+
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.32";
+
+ ephemeral = true;
+
+ timeoutStartSec = "3min";
+
+ flake = "${inputs.self}";
+
+ bindMounts = {
+ "/dev/nvidia0" = {
+ hostPath = "/dev/nvidia0";
+ isReadOnly = false;
+ };
+ "/dev/nvidiactl" = {
+ hostPath = "/dev/nvidiactl";
+ isReadOnly = false;
+ };
+ "/dev/nvidia-uvm" = {
+ hostPath = "/dev/nvidia-uvm";
+ isReadOnly = false;
+ };
+ "/dev/nvidia-modeset" = {
+ hostPath = "/dev/nvidia-modeset";
+ isReadOnly = false;
+ };
+ "/dev/nvidia-uvm-tools" = {
+ hostPath = "/dev/nvidia-uvm-tools";
+ isReadOnly = false;
+ };
+ };
+
+ allowedDevices = [
+ {
+ node = "/dev/nvidia0";
+ modifier = "rw";
+ }
+ {
+ node = "/dev/nvidiactl";
+ modifier = "rw";
+ }
+ {
+ node = "/dev/nvidia-uvm";
+ modifier = "rw";
+ }
+ {
+ node = "/dev/nvidia-modeset";
+ modifier = "rw";
+ }
+ {
+ node = "/dev/nvidia-uvm-tools";
+ modifier = "rw";
+ }
+ ];
+
+
+ };
+ };
+}
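Review bot: The container named `sandbox` gets read-write access to five NVIDIA device nodes (both `bindMounts` and `allowedDevices`) plus NAT'd egress through `nat.internalInterfaces`, but nothing in the file records what trust level the workload is assumed to have, and a NixOS container is not a hardened isolation boundary — the NixOS manual itself warns that root inside a container is not fully isolated from the host, and direct GPU driver access widens that surface further. I would state the assumption above `containers.sandbox`, e.g. `# NOTE: nixos-containers are not a security boundary and the rw GPU device grants below expose the host driver; only trusted workloads belong here.`. With `privateNetwork = true` the guest can still reach host services on `192.168.100.10` over `ve-sandbox`, so if isolation is the intent an interface-scoped host firewall rule for `ve-sandbox` is worth considering. The `sandbox.enable` option also lacks a `description`; `description = "Enable the ephemeral GPU sandbox container.";` would make it show up in generated option docs, and a one-line comment on why `disabledModules` swaps in the `nixpkgs-us` copy of `nixos-containers.nix` would save the next reader a detour.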