depot/third_party/nixpkgs/nixos/modules/virtualisation/lxc.nix

120 lines
3.2 KiB
Nix

# LXC Configuration
{
config,
lib,
pkgs,
...
}:
let
cfg = config.virtualisation.lxc;
in
{
meta = {
maintainers = lib.teams.lxc.members;
};
options.virtualisation.lxc = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
This enables Linux Containers (LXC), which provides tools
for creating and managing system or application containers
on Linux.
'';
};
unprivilegedContainers = lib.mkEnableOption "support for unprivileged users to launch containers";
systemConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
This is the system-wide LXC config. See
{manpage}`lxc.system.conf(5)`.
'';
};
package = lib.mkPackageOption pkgs "lxc" { };
defaultConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
Default config (default.conf) for new containers, i.e. for
network config. See {manpage}`lxc.container.conf(5)`.
'';
};
usernetConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
This is the config file for managing unprivileged user network
administration access in LXC. See {manpage}`lxc-usernet(5)`.
'';
};
bridgeConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
This is the config file for override lxc-net bridge default settings.
'';
};
};
###### implementation
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.etc."lxc/lxc.conf".text = cfg.systemConfig;
environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;
environment.etc."lxc/default.conf".text = cfg.defaultConfig;
environment.etc."lxc/lxc-net".text = cfg.bridgeConfig;
environment.pathsToLink = [ "/share/lxc" ];
systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];
security.apparmor.packages = [ cfg.package ];
security.apparmor.policies = {
"bin.lxc-start".profile = ''
include ${cfg.package}/etc/apparmor.d/usr.bin.lxc-start
'';
"lxc-containers".profile = ''
include ${cfg.package}/etc/apparmor.d/lxc-containers
'';
};
# We don't need the `lxc-user` group, unless the unprivileged containers are enabled.
users.groups = lib.mkIf cfg.unprivilegedContainers { lxc-user = { }; };
# `lxc-user-nic` needs suid to attach to bridge for unpriv containers.
security.wrappers = lib.mkIf cfg.unprivilegedContainers {
lxcUserNet = {
source = "${pkgs.lxc}/libexec/lxc/lxc-user-nic";
setuid = true;
owner = "root";
group = "lxc-user";
program = "lxc-user-nic";
permissions = "u+rx,g+x,o-rx";
};
};
# Add lxc-net service if unpriv mode is enabled.
systemd.packages = lib.mkIf cfg.unprivilegedContainers [ pkgs.lxc ];
systemd.services = lib.mkIf cfg.unprivilegedContainers {
lxc-net = {
enable = true;
wantedBy = [ "multi-user.target" ];
path = [
pkgs.iproute2
pkgs.iptables
pkgs.getent
pkgs.dnsmasq
];
};
};
};
}