add sysbox

configuration.nix

@@ -289,6 +289,10 @@ in
     #    enableNvidia = true;
   };
   # hardware.nvidia-container-toolkit.enable = true;
+
+  # Enable sysbox for system containers
+  virtualisation.sysbox.enable = true;
+
   services.avahi.enable = true;
 
   boot = {
@@ -467,7 +471,7 @@ in
   # USB_DENYLIST = "04d9:a0b8";
   # };
   powerManagement.enable = true;
-  powerManagement.powertop.enable = true;
+  #powerManagement.powertop.enable = true;
   powerManagement.cpuFreqGovernor = "schedutil";
   services.thermald.enable = true;
 

flake.nix

@@ -67,6 +67,14 @@
       ...
     }@attrs:
     {
+      # Export sysbox package overlay for external use
+      overlays.default = final: prev: {
+        sysbox = final.callPackage ./pkgs/sysbox/package.nix { };
+      };
+
+      # Export sysbox NixOS module for external use
+      nixosModules.sysbox = import ./modules/sysbox.nix;
+
       nixosConfigurations.aura = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = attrs;
@@ -74,7 +82,9 @@
           {
             nixpkgs.overlays = [
               # dolphin-overlay.overlays.default
-              (_: prev: {
+              # Add sysbox overlay
+              (final: prev: {
+                sysbox = final.callPackage ./pkgs/sysbox/package.nix { };
                 tailscale = prev.tailscale.overrideAttrs (old: {
                   checkFlags = builtins.map (
                     flag:
@@ -97,6 +107,8 @@
             home-manager.backupFileExtension = "backup";
           }
           ./configuration.nix
+          # Import sysbox module
+          ./modules/sysbox.nix
           nix-index-database.nixosModules.nix-index
           { programs.nix-index-database.comma.enable = true; }
           #./powersave.nix

modules/sysbox-README.md

@@ -0,0 +1,131 @@
+# Sysbox Integration
+
+This directory contains a NixOS module for [Sysbox](https://github.com/nestybox/sysbox), a next-generation OCI runtime for running system containers.
+
+## What is Sysbox?
+
+Sysbox enables running system containers with enhanced security and isolation. It allows you to run Docker, Systemd, Kubernetes, and other system-level software inside containers without privileged mode.
+
+## Usage in This Configuration
+
+Sysbox is already enabled for the `aura` system in `configuration.nix:295`:
+
+```nix
+virtualisation.sysbox.enable = true;
+```
+
+## Testing Sysbox
+
+After rebuilding your system, you can test sysbox with Docker:
+
+### 1. Check Services
+```bash
+systemctl status sysbox-mgr sysbox-fs
+```
+
+### 2. Verify Docker Integration
+```bash
+docker info | grep sysbox-runc
+```
+
+### 3. Run a Test Container
+```bash
+# Run a simple container with sysbox-runc
+docker run --runtime=sysbox-runc --rm -it ubuntu:latest bash
+```
+
+### 4. Run Docker-in-Docker
+```bash
+# Run Docker inside Docker using sysbox
+docker run --runtime=sysbox-runc --name=docker-in-docker -d nestybox/ubuntu-jammy-docker
+
+# Execute commands inside
+docker exec -it docker-in-docker docker run hello-world
+```
+
+## External Usage
+
+Other flakes can use this sysbox module:
+
+```nix
+{
+  inputs.your-dotfiles.url = "github:youruser/dotfiles";
+  
+  outputs = { nixpkgs, your-dotfiles, ... }: {
+    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
+      modules = [
+        your-dotfiles.nixosModules.sysbox
+        {
+          virtualisation.sysbox.enable = true;
+          virtualisation.docker.enable = true;  # or podman
+        }
+      ];
+    };
+  };
+}
+```
+
+You can also use just the package overlay:
+
+```nix
+{
+  inputs.your-dotfiles.url = "github:youruser/dotfiles";
+  
+  outputs = { nixpkgs, your-dotfiles, ... }: {
+    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
+      modules = [{
+        nixpkgs.overlays = [ your-dotfiles.overlays.default ];
+        environment.systemPackages = [ pkgs.sysbox ];
+      }];
+    };
+  };
+}
+```
+
+## Configuration Options
+
+The module provides these options:
+
+- `virtualisation.sysbox.enable` - Enable sysbox (default: false)
+- `virtualisation.sysbox.package` - The sysbox package to use (default: pkgs.sysbox)
+
+## What the Module Does
+
+When enabled, the module automatically:
+
+1. **Configures Container Runtimes**
+   - Registers `sysbox-runc` with Docker (if Docker is enabled)
+   - Registers `sysbox-runc` with Podman (if Podman is enabled)
+
+2. **Sets Up Services**
+   - `sysbox-mgr.service` - Manager service
+   - `sysbox-fs.service` - Filesystem service
+
+3. **Applies System Configuration**
+   - Enables unprivileged user namespaces
+   - Sets required sysctl values (inotify limits, kernel.keys)
+   - Creates iptables compatibility layer in /sbin
+
+4. **Installs Binaries**
+   - `sysbox-runc` - The OCI runtime
+   - `sysbox-mgr` - Manager daemon
+   - `sysbox-fs` - Filesystem daemon
+
+## Implementation Details
+
+- **Version**: 0.6.7
+- **License**: Apache 2.0
+- **Platforms**: x86_64-linux, aarch64-linux
+- **Package Type**: Pre-built .deb packages (not built from source)
+
+The implementation is based on [this commit](https://github.com/CyberShadow/nixpkgs/commit/9f14ecca828c47b9696ffe588759779d5d7784a7) with improvements for:
+- Module system compatibility (avoiding infinite recursion)
+- Sysctl conflict resolution
+- Automatic runtime registration
+
+## Files
+
+- `pkgs/sysbox/package.nix` - Package definition
+- `modules/sysbox.nix` - NixOS module
+- Exported as `nixosModules.sysbox` in flake.nix
+- Exported as `overlays.default` in flake.nix

modules/sysbox.nix

@@ -0,0 +1,106 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.virtualisation.sysbox;
+in
+
+{
+  options.virtualisation.sysbox = {
+    enable = lib.mkEnableOption "Sysbox, a next-generation runc for running system containers";
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      description = "The sysbox package to use.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.sysbox.package = lib.mkDefault pkgs.sysbox;
+
+    # Configure Docker to use sysbox-runc runtime
+    virtualisation.docker.daemon.settings = lib.mkIf config.virtualisation.docker.enable {
+      runtimes.sysbox-runc = {
+        path = "${cfg.package}/bin/sysbox-runc";
+      };
+    };
+
+    # Configure Podman to use sysbox-runc runtime
+    virtualisation.containers.containersConf.settings = lib.mkIf config.virtualisation.podman.enable {
+      engine.runtimes.sysbox-runc = [
+        "${cfg.package}/bin/sysbox-runc"
+      ];
+    };
+
+    systemd.services.sysbox-mgr = {
+      description = "Sysbox Manager Service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      path = with pkgs; [
+        rsync
+        kmod
+        iptables
+      ];
+
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${cfg.package}/bin/sysbox-mgr";
+        Restart = "on-failure";
+        RestartSec = "10s";
+        User = "root";
+        Group = "root";
+      };
+
+      preStart = ''
+        # Ensure iptables is available in /sbin for sysbox compatibility
+        mkdir -p /sbin
+        for cmd in ${pkgs.iptables}/bin/iptables*; do
+          ln -sf "$cmd" "/sbin/$(basename $cmd)" || true
+        done
+      '';
+    };
+
+    systemd.services.sysbox-fs = {
+      description = "Sysbox FileSystem Service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "sysbox-mgr.service" ];
+      requires = [ "sysbox-mgr.service" ];
+
+      path = with pkgs; [
+        rsync
+        kmod
+        fuse
+        iptables
+      ];
+
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${cfg.package}/bin/sysbox-fs";
+        Restart = "on-failure";
+        RestartSec = "10s";
+        User = "root";
+        Group = "root";
+      };
+    };
+
+    # Enable unprivileged user namespace cloning (required for sysbox)
+    security.unprivilegedUsernsClone = true;
+
+    # Apply sysctl configuration (sysbox requires higher values than system defaults)
+    boot.kernel.sysctl = {
+      "fs.inotify.max_queued_events" = lib.mkOverride 999 1048576;
+      "fs.inotify.max_user_watches" = lib.mkOverride 999 1048576;
+      "fs.inotify.max_user_instances" = lib.mkOverride 999 1048576;
+      "kernel.keys.maxkeys" = lib.mkOverride 999 20000;
+      "kernel.keys.maxbytes" = lib.mkOverride 999 400000;
+    };
+
+    # Make sysbox-runc available in PATH for container runtimes
+    environment.systemPackages = [ cfg.package ];
+  };
+}

pkgs/sysbox/package.nix

@@ -0,0 +1,66 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+  dpkg,
+  rsync,
+  fuse,
+  kmod,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "sysbox";
+  version = "0.6.7";
+
+  src = fetchurl {
+    url = "https://github.com/nestybox/sysbox/releases/download/v${version}/sysbox-ce_${version}.linux_${
+      {
+        x86_64-linux = "amd64";
+        aarch64-linux = "arm64";
+      }
+      .${stdenv.hostPlatform.system}
+    }.deb";
+    hash =
+      {
+        x86_64-linux = "sha256-t6w4nloZWSyt8W4Mow5AkZUWEo9uG3+Z4ctP9kVUFy4=";
+        aarch64-linux = "sha256-FugBvWoeqk/5bO0hXCvJjvbM7qk1W0qOt6TYOSwj5JE=";
+      }
+      .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
+  };
+
+  nativeBuildInputs = [ dpkg ];
+
+  buildInputs = [
+    rsync
+    fuse
+    kmod
+  ];
+
+  unpackPhase = ''
+    runHook preUnpack
+    dpkg-deb -x $src .
+    runHook postUnpack
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp -r usr/* $out/
+    cp -r lib $out/
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Next-generation runc that empowers rootless containers to run workloads such as Systemd, Docker, and Kubernetes";
+    homepage = "https://github.com/nestybox/sysbox";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ ];
+    platforms = [
+      "x86_64-linux"
+      "aarch64-linux"
+    ];
+    mainProgram = "sysbox-runc";
+  };
+}