feat(incus-vm): shared host nix-daemon for NixOS VMs via nix-shared profile

- Add nix-shared Incus profile on ThinkStation (bind /data/nix -> /nix)
- Apply nix-shared profile to NixOS VMs on ThinkStation
- coder.nix: disable VM nix-daemon/socket, use host daemon socket
- coder.nix: trusted-users includes workspace user
- coder.nix: override /nix/store fstab to bind from host-mounted /nix
Ben Potter 2026-04-24 14:12:30 +00:00
parent a262565650
commit 19caa9598c
2 changed files with 22 additions and 1 deletions


@ -219,7 +219,8 @@ resource "incus_instance" "dev" {
running = data.coder_workspace.me.start_count == 1 running = data.coder_workspace.me.start_count == 1
name = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}" name = "coder-${lower(data.coder_workspace_owner.me.name)}-${lower(data.coder_workspace.me.name)}"
image = incus_image.image.fingerprint image = incus_image.image.fingerprint
type = "virtual-machine" type = "virtual-machine"
profiles = local.is_nixos && data.coder_parameter.host.value == "ThinkStation" ? ["default", "nix-shared"] : ["default"]
dynamic "device" { dynamic "device" {
for_each = local.usb_device != null ? [local.usb_device] : [] for_each = local.usb_device != null ? [local.usb_device] : []
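Review bot: The added `profiles` line attaches `nix-shared` to every NixOS workspace VM on ThinkStation regardless of owner (the instance name two lines above embeds the owner), so all of those workspaces end up on one host /nix; whether that is safe hinges on whether VM root can write into it, which this file does not decide. A short comment would make the sharing explicit, e.g. `# nix-shared binds the host's /data/nix into the VM; every NixOS workspace on this host shares that store`. The `"ThinkStation"` literal and the profile name are hard-coded in the condition; a `local.nix_shared_profiles` next to `local.is_nixos` would keep the host logic in one place. The `incus_instance.dev` resource continues outside the hunk.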


@ -67,6 +67,26 @@ resource "null_resource" "provision_nixos" {
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
# Use the shared host nix-daemon instead of running our own.
# The host mounts /nix (from /data/nix) into this VM via the nix-shared
# Incus profile, so the daemon socket is already present at
# /nix/var/nix/daemon-socket/socket.
nix.settings.trusted-users = [ "root" "$WUSER" ];
nix.settings.allowed-users = [ "*" ];
# Disable the VM's own nix-daemon we use the host one.
systemd.services.nix-daemon.enable = lib.mkForce false;
systemd.sockets.nix-daemon.enable = lib.mkForce false;
# Override the default read-only bind of /nix/store from the VM's own
# disk partition. With the host /nix already mounted at /nix via virtio-fs,
# we just bind /nix/store from there (read-write so the daemon can write).
fileSystems."/nix/store" = lib.mkForce {
device = "/nix/store";
options = [ "bind" "rw" ];
depends = [ "/nix" ];
};
systemd.services.coder-agent = { systemd.services.coder-agent = {
description = "Coder Agent"; description = "Coder Agent";
after = [ "network-online.target" ]; after = [ "network-online.target" ];
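Review bot: The `"rw"` bind of /nix/store gives VM root — reachable by any wheel member without a password per the `wheelNeedsPassword = false` context line — direct write access into the host's store, while the host nix-daemon that does the building writes through its own mount rather than this VM-side bind; unless the profile exports /nix read-only, `options = [ "bind" "ro" ];` serves the client side and keeps a compromised workspace from planting store paths that the host and every other VM on it trust. The `trusted-users`/`allowed-users` lines land in this VM's nix.conf, whose daemon is disabled two lines later; the host daemon consults the host's own trusted-users, so this does not grant what the commit message implies, and granting it on the host would let the workspace user add substituters or relax the sandbox for everything sharing that daemon. If the daemon socket is reached through the virtio-fs mount, confirm that connect() actually reaches the host daemon and which peer UID it sees, since that UID is what the trusted-users check is keyed on. This block is a string inside `null_resource.provision_nixos`, which starts outside the hunk.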