@vizanto
Created February 27, 2018 12:03
NixOS 17.03 on SmartOS LX-branded Zone
{ config, lib, pkgs, ... }: with lib;
{
  ### SmartOS Linux-branded (LX) zone specific configuration.

  # The zone has no kernel of its own: treat the system as a container and
  # let the generated init script stand in for a bootloader.
  boot.isContainer = true;
  boot.loader.initScript.enable = true;

  networking = {
    # Addressing comes from the zone configuration, not DHCP. No in-zone
    # firewall is configured, so any packet filtering has to happen outside
    # the zone (host / network level) -- confirm that is actually the case.
    useDHCP = false;
    firewall.enable = false;
  };

  services.nscd.enable = true; # was: false

  nix = {
    # Build sandboxing is forced off: builds run with no isolation from the
    # zone's filesystem and network, so only evaluate trusted expressions here.
    useSandbox = mkForce false;
    maxJobs = 1;
    buildCores = 12;
  };

  systemd.services = {
    plymouth-start.enable = false;
    systemd-udevd.unitConfig.ConditionVirtualization = "!container-other";
    systemd-binfmt.enable = false;

    # Drop logind's service hardening: no seccomp filter, the full capability
    # bounding set ("~" alone resets it to every capability) and no W^X
    # enforcement. Presumably the LX brand does not implement these controls
    # (confirm); the trade-off is that logind runs without its usual confinement.
    systemd-logind.serviceConfig = {
      SystemCallFilter = "";
      CapabilityBoundingSet = "~";
      MemoryDenyWriteExecute = false;
    };

    # Run Joyent's zone rc.local once during boot.
    smartos-init = {
      path = [ pkgs.bash ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "/lib/smartdc/joyent_rc.local";
      };
    };
  };

  system.activationScripts = {
    # These activation steps are replaced by no-ops, presumably because the
    # operations they perform are not permitted inside the zone -- confirm.
    stdio = mkForce "";
    tmpfs = mkForce "";
    resolvconf = mkForce "";
    # Marker file; presumably consulted by the SmartOS zone tooling -- confirm.
    alpine-release = ''
      touch /etc/alpine-release
    '';
  };

  # LX brand does not (yet?) support sshd's 'sandbox' privilege separation
  # mode, so pin the classic mode. sshd honours the first occurrence of a
  # keyword, and mkOrder (-1) places this line ahead of the module's default.
  services.openssh = {
    extraConfig = mkOrder (-1) "UsePrivilegeSeparation yes";
    startWhenNeeded = false;
  };

  # resolved is disabled; resolv.conf and hostname are rendered statically
  # from the configured values instead.
  services.resolved.enable = mkForce false;
  environment.etc."resolv.conf".text =
    mkForce (concatMapStrings (ns: "nameserver ${ns}\n") config.networking.nameservers);
  environment.etc."hostname".text = mkForce config.networking.hostName;

  # Expose the host's native SmartOS tools via thin symlink wrappers in $PATH.
  environment.systemPackages =
    let
      linkNative = target: bin:
        pkgs.runCommand bin { inherit target bin; }
          "mkdir -p $out/bin && ln -sv $target $out/bin/$bin";
    in
    [
      (linkNative "/native/usr/sbin/dtrace" "dtrace")
      (linkNative "/native/usr/sbin/zfs" "zfs")
      (linkNative "/native/usr/sbin/zpool" "zpool")
    ];

  fileSystems."/tmp" = {
    device = "swap";
    fsType = "tmpfs";
  };
}
[root@nixos:~]# nixos-rebuild switch
building Nix...
building the system configuration...
these derivations will be built:
/nix/store/68a1dc8lv61dv5cy601ld6229q9w5cl1-etc-fstab.drv
/nix/store/0llmjlxan2g8rzd1khy0i7fa51jla6q9-etc.drv
/nix/store/m2fkpzk5yih79kxs0b5a57d4393qxg2c-nixos-system-nixos-17.03.1947.d77e0969a78.drv
building path(s) '/nix/store/8s112ias0gm05r01p1gznngclvk53ddp-etc-fstab'
building '/nix/store/68a1dc8lv61dv5cy601ld6229q9w5cl1-etc-fstab.drv'...
building path(s) '/nix/store/gv7nj78jmm895npfgazp5ik25s03zl16-etc'
building '/nix/store/0llmjlxan2g8rzd1khy0i7fa51jla6q9-etc.drv'...
building path(s) '/nix/store/k8bpaspxzgj2lnnr9rqyxj6j10zayqhl-nixos-system-nixos-17.03.1947.d77e0969a78'
building '/nix/store/m2fkpzk5yih79kxs0b5a57d4393qxg2c-nixos-system-nixos-17.03.1947.d77e0969a78.drv'...
stopping the following units: tmp.mount
Job for tmp.mount failed.
See "systemctl status tmp.mount" and "journalctl -xe" for details.
activating the configuration...
setting up /etc...
mount: unknown filesystem type 'devtmpfs'
mount: unknown filesystem type 'devpts'
mount: unknown filesystem type 'ramfs'
unable to set CAP_SETFCAP effective capability: Operation not permitted
setting up tmpfiles
Setting default ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal failed: Function not implemented
Setting access ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal failed: Function not implemented
Setting default ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal/a16ec2d0921d47948d8d10be103d89b3 failed: Function not implemented
Setting access ACL "u::rwx,g::r-x,g:wheel:r-x,g:adm:r-x,m::r-x,o::r-x" on /var/log/journal/a16ec2d0921d47948d8d10be103d89b3 failed: Function not implemented
Setting access ACL "u::rw-,g::r--,g:wheel:r--,g:adm:r--,m::r--,o::---" on /var/log/journal/a16ec2d0921d47948d8d10be103d89b3/system.journal failed: Function not implemented
warning: the following units failed: systemd-tmpfiles-setup.service
● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
Loaded: loaded (/nix/store/8dshy3jqzkw2c73czw6kbw0msx9ivfi6-systemd-232/example/systemd/system/systemd-tmpfiles-setup.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2018-02-27 12:00:38 UTC; 210ms ago
Docs: man:tmpfiles.d(5)
man:systemd-tmpfiles(8)
Process: 14807 ExecStart=/nix/store/8dshy3jqzkw2c73czw6kbw0msx9ivfi6-systemd-232/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
Main PID: 14807 (code=exited, status=1/FAILURE)
warning: error(s) occurred while switching to the new configuration