lxd module

hosts/common/optional/lxd/default.nix

@@ -0,0 +1,18 @@
+{
+  imports = [
+    ./lxd-preseed.nix
+    ./lxd-networking.nix
+  ];
+
+  virtualisation = {
+    lxd = {
+      enable = true;
+
+      recommendedSysctlSettings = true;
+    };
+
+    lxc = {
+      lxcfs.enable = true;
+    };
+  };
+}

hosts/common/optional/lxd/lxd-networking.nix

@@ -0,0 +1,21 @@
+{ ... }:
+let
+  lxd_profiles = {
+    "default" = (import ./profiles/default.nix);
+  };
+in
+{
+  boot = {
+    kernelModules = [ "nf_nat_ftp" ];
+
+    kernel.sysctl = {
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv4.conf.default.forwarding" = true;
+    };
+  };
+
+  # allow static ipv4 for containers
+  networking.firewall.extraCommands = ''
+    iptables -a input -i ${lxd_profiles.default.network.name} -m comment --comment "lxd rule for ${lxd_profiles.default.network.name}" -j accept
+  '';
+}

hosts/common/optional/lxd/lxd-preseed.nix

@@ -0,0 +1,26 @@
+{ ... }:
+
+let
+  lxd_profiles = {
+    "default" = (import ./profiles/default.nix);
+  };
+in
+{
+  virtualisation = {
+    lxd = {
+      preseed =  {
+        networks = [
+          lxd_profiles.default.network
+        ];
+
+        profiles = [
+          lxd_profiles.default.profile
+        ];
+
+        storage_pools = [
+          lxd_profiles.default.storage_pool
+        ];  
+      };
+    };
+  };
+}

hosts/common/optional/lxd/profiles/default.nix

@@ -0,0 +1,35 @@
+{
+  network = {
+    name = "lxdBrDefault";
+    type = "bridge";
+
+    config = {
+      "ipv4.address" = "10.100.1.1/8";
+      "ipv4.nat" = "true";
+    };
+  };
+
+  storage_pool = {
+    name = "test";
+    driver = "zfs";
+    config.source = "zspeed/test";
+  };
+
+  profile = {
+    name = "default";
+    devices = {
+      "eth0" = {
+        name = "eth0";
+        nictype = "bridged";
+        parent = "lxdBrDefault";
+        type = "nic";
+      };
+      "root" = {
+        path = "/";
+        pool = "default";
+        size = "8GiB";
+        type = "disk";
+      };
+    };
+  };
+}

hosts/common/users/admin/default.nix

@@ -1,5 +1,6 @@
 { pkgs, inputs, config, lib, ... }:
 let
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
   username = "admin";
   pubKeys = lib.filesystem.listFilesRecursive (../keys);
   hostname = config.networking.hostName;
@@ -7,7 +8,7 @@ let
   secretsDirectory = builtins.toString inputs.nix-secrets;
   secretsFile = "${secretsDirectory}/secrets.yaml";
 
-in 
+in
 {
   users.users.${username} = {
     isNormalUser = true;
@@ -15,7 +16,13 @@ in
     hashedPasswordFile = sopsHashedPasswordFile;
     openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
 
-    extraGroups = ["wheel"]; 
+    extraGroups = [
+      "wheel"
+    ] ++ ifTheyExist [
+      "docker"
+      "lxc"
+      "git"
+    ];
 
     packages = with pkgs; [
     ];
@@ -30,7 +37,7 @@ in
       path = "/home/${username}/.ssh/id_ed25519";
       mode = "0600";
       owner = "${username}";
-      };
+    };
     "ssh_keys/${username}/id_ed25519.pub" = {
       path = "/home/${username}/.ssh/id_ed25519.pub";
       mode = "0644";

hosts/nebula/default.nix

@@ -1,11 +1,10 @@
-{ inputs, config, lib, pkgs, outputs, ... }:
+{ inputs, ... }:
 let
   # Disko setup
   fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
   dev = "/dev/sda"; # depends on target hardware
   encrypted = false; # currrently only applies to btrfs
   impermanence = false; # currrently only applies to btrfs
-  btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
   user = "admin";
 in
 {
@@ -24,7 +23,7 @@ in
 
       # Import optional options
       ../common/optional/openssh.nix
-
+      ../common/optional/lxd
 
     ];