From 2cd4bf1ee79b72881fe2f1d8a1160a390c7d837a Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Tue, 15 Nov 2022 23:13:55 +0100
Subject: [PATCH] Demo running directly a service from the nix store

---
 .../staging/app/dummy/deploy/dummy-nginx.hcl | 91 +++++++++++++------
 cluster/staging/app/dummy/deploy/shell.nix | 5 +
 cluster/staging/node/cariacou.nix | 13 +++
 3 files changed, 79 insertions(+), 30 deletions(-)
 create mode 100644 cluster/staging/app/dummy/deploy/shell.nix

diff --git a/cluster/staging/app/dummy/deploy/dummy-nginx.hcl b/cluster/staging/app/dummy/deploy/dummy-nginx.hcl
index a8990c6..cf9ec94 100644
--- a/cluster/staging/app/dummy/deploy/dummy-nginx.hcl
+++ b/cluster/staging/app/dummy/deploy/dummy-nginx.hcl
@@ -1,35 +1,66 @@
 job "dummy-nginx" {
- datacenters = ["neptune"]
- type = "service"
-
- group "nginx" {
- count = 1
+ datacenters = ["neptune"]
+ type = "service"
+
+ group "nginx" {
+ count = 1
 
- network {
- port "http" {
- to = 80
- }
- }
+ volume "nix-store" {
+ type = "host"
+ source = "nix-store"
+ read_only = true
+ }
+ volume "nix-current-system-bin" {
+ type = "host"
+ source = "nix-current-system-bin"
+ read_only = true
+ }
 
- task "nginx" {
- driver = "docker"
- config {
- image = "nginx"
- ports = [ "http" ]
- }
- }
+ network {
+ port "http" {
+ to = 8080
+ }
+ }
 
- service {
- port = "http"
- tags = [
- "tricot home.adnab.me 100",
- ]
- check {
- type = "http"
- path = "/"
- interval = "10s"
- timeout = "2s"
- }
- }
- }
+ task "not-actually-nginx" {
+ driver = "exec"
+ config {
+ command = "env"
+ args = [
+ "/run/current-system/sw/bin/nix-shell",
+ "--run", "python3 -m http.server 8080"
+ ]
+ }
+ env = {
+ NIX_PATH = "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
+ }
+
+ volume_mount {
+ volume = "nix-store"
+ destination = "/nix"
+ }
+ volume_mount {
+ volume = "nix-current-system-bin"
+ destination = "/run/current-system/sw/bin"
+ }
+
+ template {
+ data = file("shell.nix")
+ destination = "shell.nix"
+ }
+ }
+
+ service {
+ port = "http"
+ tags = [
+ "tricot home.adnab.me 100",
+ ]
+ check {
+ type = "http"
+ path = "/"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ }
 }
diff --git a/cluster/staging/app/dummy/deploy/shell.nix b/cluster/staging/app/dummy/deploy/shell.nix
new file mode 100644
index 0000000..1323f1c
--- /dev/null
+++ b/cluster/staging/app/dummy/deploy/shell.nix
@@ -0,0 +1,5 @@
+{ pkgs ? import {} }:
+pkgs.mkShell {
+# nativeBuildInputs is usually what you want -- tools you need to run
+ nativeBuildInputs = [ pkgs.python3 ];
+}
diff --git a/cluster/staging/node/cariacou.nix b/cluster/staging/node/cariacou.nix
index 61d3f28..5662422 100644
--- a/cluster/staging/node/cariacou.nix
+++ b/cluster/staging/node/cariacou.nix
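Review bot: `python3 -m http.server 8080` in the new `args` list serves its working directory, generating directory listings where no index exists, and the `tricot home.adnab.me 100` tag publishes that on a public hostname; with the `exec` driver the working directory is presumably the task directory, so the rendered `shell.nix` and, if present, the `local/` and `secrets/` trees would be browsable. Point the server at an explicitly created, empty directory instead: `"--run", "mkdir -p www && python3 -m http.server --directory www 8080"`. Separately, `to = 8080` under `port "http"` only maps a port when the group uses bridge networking or a driver that does its own mapping, as the removed Docker task did; with `exec` in host networking the health check likely targets the allocated dynamic port while the server listens on fixed 8080, so either add `mode = "bridge"` to the `network` block or bind the server to `${NOMAD_PORT_http}`. The whole job file lies within this hunk.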
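Review bot: `{ pkgs ? import {} }:` on the first line is not valid Nix as shown, since `import` needs a path argument; most likely this read `import <nixpkgs> {}` and the angle brackets were lost in rendering, so please confirm the committed file. That `<nixpkgs>` lookup is what the job's `NIX_PATH = "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"` exists to satisfy, so the two files form one contract; a comment on that line such as `# <nixpkgs> is resolved through NIX_PATH, set in dummy-nginx.hcl` would record it. The `# nativeBuildInputs …` comment appears to sit at column 0 while the attribute below it is indented; indent the comment to match.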
@@ -21,4 +21,17 @@
 deuxfleurs.cluster_ip = "10.14.1.1";
 deuxfleurs.is_raft_server = true;
+
+ # experimental: nomad as root, to enable exec driver
+ services.nomad.dropPrivileges = false;
+ services.nomad.settings.client.host_volume = {
+ "nix-store" = {
+ path = "/nix";
+ read_only = true;
+ };
+ "nix-current-system-bin" = {
+ path = "/run/current-system/sw/bin";
+ read_only = true;
+ };
+ };
 }
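Review bot: `services.nomad.dropPrivileges = false` is a node-wide change rather than a per-job one: every task driver on this client now runs from a root agent, and if the `raw_exec` plugin is enabled on this node it would inherit full host root without the chroot and namespaces the `exec` driver applies. The comment above it says only `experimental`; extend it to record the blast radius and the intended scope, e.g. `# experimental: nomad as root, to enable exec driver. Node-wide: any job placed here can use exec (or raw_exec, if enabled) from a root agent — keep staging-only until scoped.`. The `read_only = true` on both `host_volume` entries is the part that actually enforces read-only access, since the matching flag on the job's `volume` blocks is set by the job author and would not stop another job from requesting write access; a one-line comment saying so, `# read_only here is authoritative; the job-side flag is not a restriction`, would keep it from being relaxed casually. The enclosing attribute set starts outside the hunk.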