Diffstat (limited to 'nixos/modules/virtualisation/containers.nix')
-rw-r--r--nixos/modules/virtualisation/containers.nix90
1 files changed, 58 insertions, 32 deletions
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 3a6767d84a9..84824e2f90f 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -1,22 +1,10 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, utils, ... }:
 let
   cfg = config.virtualisation.containers;
 
   inherit (lib) mkOption types;
 
-  # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
-  toTOML = name: value: pkgs.runCommandNoCC name {
-    nativeBuildInputs = [ pkgs.remarshal ];
-    value = builtins.toJSON value;
-    passAsFile = [ "value" ];
-  } ''
-    json2toml "$valuePath" "$out"
-  '';
-
-  # Copy configuration files to avoid having the entire sources in the system closure
-  copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} ''
-    cp ${filePath} $out
-  '';
+  toml = pkgs.formats.toml { };
 in
 {
   meta = {
@@ -30,6 +18,11 @@ in
       [ "virtualisation" "containers" "users" ]
       "All users with `isNormalUser = true` set now get appropriate subuid/subgid mappings."
     )
+    (
+      lib.mkRemovedOptionModule
+      [ "virtualisation" "containers" "containersConf" "extraConfig" ]
+      "Use virtualisation.containers.containersConf.settings instead."
+    )
   ];
 
   options.virtualisation.containers = {
@@ -43,23 +36,45 @@ in
         '';
       };
 
-    containersConf = mkOption {
-      default = {};
+    ociSeccompBpfHook.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable the OCI seccomp BPF hook";
+    };
+
+    containersConf.settings = mkOption {
+      type = toml.type;
+      default = { };
       description = "containers.conf configuration";
-      type = types.submodule {
-        options = {
+    };
 
-          extraConfig = mkOption {
-            type = types.lines;
-            default = "";
-            description = ''
-              Extra configuration that should be put in the containers.conf
-              configuration file
-            '';
+    containersConf.cniPlugins = mkOption {
+      type = types.listOf types.package;
+      defaultText = ''
+        [
+          pkgs.cni-plugins
+        ]
+      '';
+      example = lib.literalExample ''
+        [
+          pkgs.cniPlugins.dnsname
+        ]
+      '';
+      description = ''
+        CNI plugins to install on the system.
+      '';
+    };
 
-          };
+    storage.settings = mkOption {
+      type = toml.type;
+      default = {
+        storage = {
+          driver = "overlay";
+          graphroot = "/var/lib/containers/storage";
+          runroot = "/run/containers/storage";
         };
       };
+      description = "storage.conf configuration";
     };
 
     registries = {
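Review bot: `containersConf.cniPlugins` declares a `defaultText` but no `default`, so the value readers are shown is only supplied by the `config` block further down (under `lib.mkIf cfg.enable`), and because `types.listOf` merges definitions by concatenation a user's own list is appended to `pkgs.cni-plugins` rather than replacing it. The description should state that, e.g. `CNI plugins to install on the system. pkgs.cni-plugins is always included; use lib.mkForce to replace the list entirely.` The `ociSeccompBpfHook.enable` description is also the only one in this hunk without a terminating period and does not say what enabling it does; `description = "Enable the OCI seccomp BPF hook by registering it in engine.hooks_dir of containers.conf.";` would tie it to the config that consumes it.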
@@ -112,19 +127,30 @@ in
 
   config = lib.mkIf cfg.enable {
 
-    environment.etc."containers/containers.conf".text = ''
-      [network]
-      cni_plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
+    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
+
+    virtualisation.containers.containersConf.settings = {
+      network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
+      engine = {
+        init_path = "${pkgs.catatonit}/bin/catatonit";
+      } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
+        hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
+      };
+    };
+
+    environment.etc."containers/containers.conf".source =
+      toml.generate "containers.conf" cfg.containersConf.settings;
 
-    '' + cfg.containersConf.extraConfig;
+    environment.etc."containers/storage.conf".source =
+      toml.generate "storage.conf" cfg.storage.settings;
 
-    environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
+    environment.etc."containers/registries.conf".source = toml.generate "registries.conf" {
       registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
     };
 
     environment.etc."containers/policy.json".source =
       if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
-      else copyFile "${pkgs.skopeo.src}/default-policy.json";
+      else utils.copyFile "${pkgs.skopeo.src}/default-policy.json";
   };
 
 }
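Review bot: The `network.cni_plugin_dirs` and `engine.init_path` values assigned to `virtualisation.containers.containersConf.settings` are plain definitions, so a user who sets either key in their own `settings` will get a conflicting-definition error rather than an override; if these are meant to be module defaults, `virtualisation.containers.containersConf.settings = lib.mkDefault { … };` would let the module system push the lower priority down to the leaves. The `hooks_dir` entry lists the bare store path of `config.boot.kernelPackages.oci-seccomp-bpf-hook` as a hook directory, which only works if that package places its hook JSON at the top level of its output rather than under a `share/containers/oci/hooks.d` subdirectory — I cannot confirm the package layout from this page. A comment such as `# assumes the package installs its hook JSON at the top level of $out` on that line, or an explicit subpath once verified, would record the dependency on that layout.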