Skip to content

Source: examples/safe/nspawn.bu#

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# butane config
# {% if SHOWCASE_NSPAWN %}

storage:
  directories:
    # add a "volume", todo: make some service like podman quadlet
    - path: /var/lib/volumes/hello-nspawn.data

  files:
    # machine .nspawn configuration
    - path: /etc/systemd/nspawn/hello-nspawn.nspawn
      contents:
        inline: |
          [Exec]
          # set custom env
          Environment=TEST=true

          [Files]
          # Example "Volume"
          Bind=/var/lib/volumes/hello-nspawn.data:/var/lib/data

    # machine provision script
    - path: /etc/nspawn/build/hello-nspawn/nspawn.provision.sh
      mode: 0755
      contents:
        local: nspawn/hello-nspawn/nspawn.provision.sh

    # machine provision environment
    - path: /etc/nspawn/environment/hello-nspawn.env
      mode: 0600
      contents:
        inline: |
          # NSPAWN_OSNAME   : base container image name, for spawn-build@service
          # NSPAWN_PROVISION: optional input as STDIN to nspawn.provision.sh
          # NSPAWN_TRAEFIK  : optional router and services configuration for systemd-nspawn@.d/traefik.conf
          # \\$IPADDR is replaced inside NSPAWN_TRAEFIK with the current machine ip
          # XXX: "rule: Host":  escape backticks with two backslashes
          NSPAWN_OSNAME=debian-bookworm
          NSPAWN_PROVISION="
          # ---BEGIN OPENSSH AUTHORIZED KEYS---
          {{ AUTHORIZED_KEYS|indent(10) }}
          # ---END OPENSSH AUTHORIZED KEYS---
          "
          NSPAWN_TRAEFIK="
          http:
            routers:
              hello-nspawn:
                rule: Host(\\`hello-nspawn.{{ HOSTNAME }}\\`)
                service: hello-nspawn
                entrypoints: https
            services:
              hello-nspawn:
                loadBalancer:
                  servers:
                    - url: http://$IPADDR:80/
          "

  trees:
    # copy build dependency of nspawn machine
    - path: /etc/containers/build/debian-bookworm
      local: Containerfile/debian-bookworm

systemd:
  units:
    # enable build of nspawn machine
    - name: nspawn-build@hello-nspawn.service
      enabled: true
      dropins:
        # make nspawn-build depend on container-build@debian-bookworm
        # container-build@(*) should be the same as NSPAWN_OSNAME
        - name: require.conf
          contents: |
            [Unit]
            Wants=container-build@debian-bookworm.service
            After=container-build@debian-bookworm.service

    # enable execution of nspawn machine
    - name: systemd-nspawn@hello-nspawn.service
      enabled: true
      dropins:
        # load server key as credential into systemd-nspawn
        - name: loadcreds.conf
          contents: |
            [Service]
            ImportCredential=server.crt

# {% endif %}