Add support for nixos

docs/compatibility.md

@@ -15,6 +15,7 @@
 |Debian 12 Bookworm|✅|
 |Ubuntu Jammy|✅|
 |Fedora 39|✅|
+|Nixos 24.05|✅|
 |Arch|🟨|
 |Alpine|❌|      
 

jlmkr.py

@@ -1379,6 +1379,7 @@ def create_jail(**kwargs):
 
         if (
             init_system_name != "systemd"
+            and parse_os_release(jail_rootfs_path).get("ID") != "nixos"
         ):
             print(
                 dedent(

templates/nixos/README.md

@@ -0,0 +1,35 @@
+# Nixos Jail Template
+
+## Disclaimer
+
+**Experimental. Using nixos in this setup hasn't been extensively tested and has [known issues](#known-issues).**
+
+## Setup
+
+Check out the [config](./config) template file. You may provide it when asked during `./jlmkr.py create` or, if you have the template file stored on your NAS, you may provide it directly by running `./jlmkr.py create --start --config /mnt/tank/path/to/nixos/config mynixosjail`.
+
+## Manual Setup
+
+```bash
+# Create the jail without starting
+./jlmkr.py create --distro=nixos --release=24.05 nixos --network-bridge=br1 --resolv-conf=bind-host --bind-ro=./lxd.nix:/etc/nixos/lxd.nix
+# Create empty nix module to satisfy import in default lxc configuration.nix
+echo '{ ... }:{}' > ./jails/nixos/lxd.nix
+# Start the nixos jail
+./jlmkr.py start nixos
+sleep 90
+# Network should be up by now
+./jlmkr.py shell nixos /bin/sh -c 'ifconfig'
+# Try to rebuild the system
+./jlmkr.py shell nixos /bin/sh -c 'nixos-rebuild switch'
+```
+
+## Known Issues
+
+### Environment jlmkr exec
+
+Running `./jlmkr.py exec mynixosjail ifconfig` doesn't work because the shell environment isn't setup properly. You can run `./jlmkr.py shell mynixosjail /bin/sh -c 'ifconfig'` or `./jlmkr.py exec mynixosjail /bin/sh -c '. /etc/bashrc; ifconfig'` instead.
+
+### Bridge networking only
+
+This setup has NOT been tested with macvlan networking.

templates/nixos/config

@@ -0,0 +1,54 @@
+startup=0
+gpu_passthrough_intel=0
+gpu_passthrough_nvidia=0
+# Turning off seccomp filtering improves performance at the expense of security
+seccomp=1
+
+# Use bridge networking to provide an isolated network namespace,
+# so nixos can manage firewall rules
+# Ensure to change br1 to the interface name you want to use
+# You may want to add additional options here, e.g. bind mounts
+systemd_nspawn_user_args=--network-bridge=br1
+    --resolv-conf=bind-host
+    --bind-ro=./lxd.nix:/etc/nixos/lxd.nix
+
+# Script to run on the HOST before starting the jail
+pre_start_hook=#!/usr/bin/env bash
+    set -euo pipefail
+    echo 'PRE_START_HOOK'
+
+    # If there's no machine-id then this we're about to start the jail for the first time
+    if [ ! -e ./rootfs/etc/machine-id ]; then
+        echo 'BEFORE_FIRST_BOOT'
+        # Create empty nix module to satisfy import in default lxc configuration.nix
+        echo '{ ... }:{}' > ./lxd.nix
+    fi
+
+# Only used while creating the jail
+distro=nixos
+release=24.05
+
+# # Example initial_setup which rebuild the system,
+# # for when you mount your own /etc/nixos/configuration.nix inside the jail
+# initial_setup=#!/run/current-system/sw/bin/bash
+#     . /etc/bashrc
+#     set -x
+#     ifconfig
+#     nixos-rebuild switch
+#     echo "All Done"
+
+# You generally will not need to change the options below
+systemd_run_default_args=--property=KillMode=mixed
+    --property=Type=notify
+    --property=RestartForceExitStatus=133
+    --property=SuccessExitStatus=133
+    --property=Delegate=yes
+    --property=TasksMax=infinity
+    --collect
+    --setenv=SYSTEMD_NSPAWN_LOCK=0
+
+systemd_nspawn_default_args=--keep-unit
+    --quiet
+    --boot
+    --bind-ro=/sys/module
+    --inaccessible=/sys/module/apparmor