diff options
| author | Adam Stephens <adam@valkor.net> | 2023-10-27 12:58:50 -0400 |
|---|---|---|
| committer | Adam Stephens <adam@valkor.net> | 2023-11-28 15:14:43 -0500 |
| commit | 2cd9619801c0ad8a223ad6bd7915695b440abbb6 (patch) | |
| tree | 43ad06cb52cfe69c27eee1ebc26d34fdc96334f1 /nixos/modules/virtualisation | |
| parent | e14da5c1b828e370eed56c3169bc01bbab7ff712 (diff) | |
| download | nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.tar nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.tar.gz nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.tar.bz2 nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.tar.lz nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.tar.xz nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.tar.zst nixlib-2cd9619801c0ad8a223ad6bd7915695b440abbb6.zip | |
nixos/lxc-container: use lxc systemd generator
Diffstat (limited to 'nixos/modules/virtualisation')
| -rw-r--r-- | nixos/modules/virtualisation/lxc-container.nix | 54 |
1 files changed, 9 insertions, 45 deletions
diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix index 61d7c4cb73fe..3471db974a15 100644 --- a/nixos/modules/virtualisation/lxc-container.nix +++ b/nixos/modules/virtualisation/lxc-container.nix @@ -1,26 +1,14 @@ { lib, config, pkgs, ... }: -let - cfg = config.virtualisation.lxc; -in { +{ imports = [ ./lxc-instance-common.nix + + (lib.mkRemovedOptionModule [ "virtualisation" "lxc" "nestedContainer" ] "") + (lib.mkRemovedOptionModule [ "virtualisation" "lxc" "privilegedContainer" ] "") ]; - options = { - virtualisation.lxc = { - nestedContainer = lib.mkEnableOption (lib.mdDoc '' - Whether this container is configured as a nested container. On LXD containers this is recommended - for all containers and is enabled with `security.nesting = true`. - ''); - - privilegedContainer = lib.mkEnableOption (lib.mdDoc '' - Whether this LXC container will be running as a privileged container or not. If set to `true` then - additional configuration will be applied to the `systemd` instance running within the container as - recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/). - ''); - }; - }; + options = { }; config = { boot.isContainer = true; @@ -85,34 +73,10 @@ in { ${pkgs.coreutils}/bin/ln -fs "$1/init" /sbin/init ''; - systemd.additionalUpstreamSystemUnits = lib.mkIf cfg.nestedContainer ["systemd-udev-trigger.service"]; - - # Add the overrides from lxd distrobuilder - # https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630 - systemd.packages = [ - (pkgs.writeTextFile { - name = "systemd-lxc-service-overrides"; - destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf"; - text = '' - [Service] - ProcSubset=all - ProtectProc=default - ProtectControlGroups=no - ProtectKernelTunables=no - NoNewPrivileges=no - LoadCredential= - '' + lib.optionalString cfg.privilegedContainer '' - # Additional settings for privileged containers - ProtectHome=no - ProtectSystem=no - PrivateDevices=no - PrivateTmp=no - ProtectKernelLogs=no - ProtectKernelModules=no - ReadWritePaths= - ''; - }) - ]; + # networkd depends on this, but systemd module disables this for containers + systemd.additionalUpstreamSystemUnits = ["systemd-udev-trigger.service"]; + + systemd.packages = [ pkgs.distrobuilder.generator ]; system.activationScripts.installInitScript = lib.mkForce '' ln -fs $systemConfig/init /sbin/init |