Revert "no sandbox"

This reverts commit 112782fa91.
2025-12-31 16:31:24 -06:00
parent 2a5613bdee
commit ceb211ae51
3 changed files with 94 additions and 0 deletions
--- a/system/services/containers/default.nix
+++ b/system/services/containers/default.nix
@@ -20,5 +20,6 @@
        ./code-server
        ./novnc
        ./minecraft
        ./sandbox
    ];
 }
--- a/system/services/containers/keycloak/default.nix
+++ b/system/services/containers/keycloak/default.nix
@@ -5,6 +5,10 @@
        default = false;
    };
    imports = [
        inputs.sops-nix.nixosModules.sops
    ];
    config = lib.mkIf config.sysconfig.virtualization.keycloak.enable {
        sops.secrets."keycloak/dbpass" = {};
--- a/system/services/containers/sandbox/default.nix
+++ b/system/services/containers/sandbox/default.nix
@@ -0,0 +1,89 @@
 { config, lib, inputs, ... }: {
    options.sysconfig.virtualization.sandbox.enable = lib.mkOption {
        type = lib.types.bool;
        default = false;
    };
    disabledModules = [
        "virtualisation/nixos-containers.nix"
    ];
    imports = [
        (import "${inputs.nixpkgs-us}/nixos/modules/virtualisation/nixos-containers.nix" { 
            inherit config lib; 
            pkgs = (import inputs.nixpkgs-us { 
                system = "x86_64-linux"; 
            });
        })
    ];
    config = lib.mkIf config.sysconfig.virtualization.sandbox.enable {
        networking = {
            nat.internalInterfaces = [ "ve-sandbox" ];
        };
        containers.sandbox = {
            autoStart = true;
            privateNetwork = true;
            hostAddress = "192.168.100.10";
            localAddress = "192.168.100.32";
            ephemeral = true;
            timeoutStartSec = "3min";
            flake = "${inputs.self}";
            bindMounts = {
                "/dev/nvidia0" = {
                    hostPath = "/dev/nvidia0";
                    isReadOnly = false;
                };
                "/dev/nvidiactl" = {
                    hostPath = "/dev/nvidiactl";
                    isReadOnly = false;
                };
                "/dev/nvidia-uvm" = {
                    hostPath = "/dev/nvidia-uvm";
                    isReadOnly = false;
                };
                "/dev/nvidia-modeset" = {
                    hostPath = "/dev/nvidia-modeset";
                    isReadOnly = false;
                };
                "/dev/nvidia-uvm-tools" = {
                    hostPath = "/dev/nvidia-uvm-tools";
                    isReadOnly = false;
                };
            };
            allowedDevices = [
                {
                    node = "/dev/nvidia0";
                    modifier = "rw";
                }
                {
                    node = "/dev/nvidiactl";
                    modifier = "rw";
                }
                {
                    node = "/dev/nvidia-uvm";
                    modifier = "rw";
                }
                {
                    node = "/dev/nvidia-modeset";
                    modifier = "rw";
                }
                {
                    node = "/dev/nvidia-uvm-tools";
                    modifier = "rw";
                }
            ];
        };
    };
 }