# # home-manager podman module vs. podman shell script
#
# ## home-manager podman module
#
# - Cons:
# - Needs network-online.target, which is not required in the NixOS module.
# - It is hard to customize ExecStart, as it is generated by podman-user-generator;
# - e.g. I want to remove the -d (detach) argument.
# - A systemd service is hard to debug: I cannot run it directly like a script and inspect the output
# - (that needs journalctl, which is an unnecessary layer of abstraction).
#
# In home-manager podman module: how ~/.config/systemd/user/podman-hermes.service is generated
#
# - services.podman.containers.hermes = {}
# - <home-manager>/modules/services/podman-linux/containers.nix: services.podman.internal.quadletDefinitions
# - <home-manager>/modules/services/podman-linux/install-quadlet.nix: builtQuadlets = map buildPodmanQuadlet cfg.internal.quadletDefinitions;
# - ${cfg.package}/lib/systemd/user-generators/podman-user-generator $out/units
# Convert *.container (quadlet file) to *.service (systemd service file)
#
# ## podman shell script
#
# - Pros:
# - Simple and explicit
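let
  pkgs = import <nixpkgs> {};
  # Baked into the generated script at Nix evaluation time, not read when the
  # script runs. builtins.getEnv yields "" when HOME is unset (e.g. pure eval),
  # which would turn every path below into "/.local/..." — check the output.
  home = builtins.getEnv "HOME";
  # Host CA bundle, exported under the variable names the usual TLS clients
  # honour (OpenSSL, Nix, Python requests).
  caBundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  # Local proxy on the host loopback; reachable from the container only
  # because it runs with --network=host (see below).
  proxy = "http://127.0.0.1:8889";
in pkgs.writeShellScript "container.sh" ''
# Fail on the first error (e.g. a mkdir that cannot create the rootfs dirs)
# and on unset variables, instead of handing podman a half-prepared rootfs.
set -eu
CONTAINER_HOME="${home}/.local/state/hermes-container"
CONTAINER_USER=hermes-container
CONTAINER_ROOT="${import ./build-env.nix}"
NIX_PROFILES="${home}/.local/state/hermes-container-nix-profiles"
# The rootfs handed to podman is a plain host directory; the store paths
# bind-mounted below provide /bin, /lib, ..., and these are the writable
# directories that sit alongside them (all paths quoted: HOME may contain
# spaces).
mkdir -p "$CONTAINER_HOME/usr" "$CONTAINER_HOME/tmp" "$CONTAINER_HOME/$CONTAINER_USER"
mkdir -p "$NIX_PROFILES"
# Run without -it: this is a systemd-managed service, not an interactive
# terminal session, so non-interactive stdio/signal behavior is preferred.
# Nix store paths are immutable, so they are mounted :ro. /nix itself stays
# read-write because it is not clear from here whether nix inside the
# container must write to /nix/var (TODO confirm; add :ro if it need not).
# --env-file places the contents of ~/.hermes/.env into the container's
# environment, where it is visible via `podman inspect` and /proc to anything
# that can reach this user's podman; keep that file mode 0600.
${pkgs.podman}/bin/podman run \
  --name hermes-container \
  --rm --replace \
  -v "$CONTAINER_ROOT/bin/:/bin:ro" \
  -v "$CONTAINER_ROOT/bin/:/usr/bin:ro" \
  -v "$CONTAINER_ROOT/lib/:/lib:ro" \
  -v "$CONTAINER_ROOT/libexec/:/libexec:ro" \
  -v "$CONTAINER_ROOT/share/:/share:ro" \
  -v /nix/:/nix \
  -v "$NIX_PROFILES:/nix/var/nix/profiles/" \
  --env "HOME=/$CONTAINER_USER" \
  --env "PATH=/bin:/$CONTAINER_USER/.nix-profile/bin" \
  --env "NIX_PATH=nixpkgs=${<nixpkgs>}:home-manager=${<home-manager>}" \
  --env "SSL_CERT_FILE=${caBundle}" \
  --env "NIX_SSL_CERT_FILE=${caBundle}" \
  --env "REQUESTS_CA_BUNDLE=${caBundle}" \
  --env HTTPS_PROXY="${proxy}" \
  --env HTTP_PROXY="${proxy}" \
  --env FTP_PROXY="${proxy}" \
  --env http_proxy="${proxy}" \
  --env https_proxy="${proxy}" \
  --env ftp_proxy="${proxy}" \
  --env-file="${home}/.hermes/.env" \
  --network=host \
  --rootfs "$CONTAINER_HOME" start-hermes
''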