authorAaron Andersen <aaron@fosslib.net>2022-11-29 09:16:28 -0500
committerAaron Andersen <aaron@fosslib.net>2022-11-30 10:09:59 -0500
commitecf7441d25f82544f2f091f2fb734cf260a3667d (patch)
tree422d46b17da1e3bbaffaba07f1877a0600d804b9 /nixos/modules/virtualisation
parent582a78f910d6beb65a9752d9125b85e129fd66c5 (diff)
nixos/lxc: apply recommendations from distrobuilder
Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r--nixos/modules/virtualisation/lxc-container.nix41
1 files changed, 35 insertions, 6 deletions
diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix
index f05f04baa35da..a71b693410518 100644
--- a/nixos/modules/virtualisation/lxc-container.nix
+++ b/nixos/modules/virtualisation/lxc-container.nix
@@ -88,6 +88,16 @@ in
           };
         '';
       };
+
+      privilegedContainer = mkOption {
+        type = types.bool;
+        default = false;
+        description = lib.mdDoc ''
+          Whether this LXC container will be running as a privileged container or not. If set to `true` then
+          additional configuration will be applied to the `systemd` instance running within the container as
+          recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
+        '';
+      };
     };
   };
 
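Review bot: The description of `privilegedContainer` (lines 25–33) does not tell the user which sandboxing directives it switches off, although the second hunk shows that enabling it writes `ProtectHome=no`, `ProtectSystem=no`, `PrivateDevices=no`, `PrivateTmp=no`, `ProtectKernelLogs=no` and `ProtectKernelModules=no` into a drop-in that applies to every service in the container. Since a NixOS user normally reads only the option description, I would append a sentence such as `Note that this disables the ProtectHome, ProtectSystem, PrivateDevices, PrivateTmp, ProtectKernelLogs and ProtectKernelModules directives for all systemd services inside the container; leave it at `false` for unprivileged containers.` The pointer to distrobuilder is useful as a reference but does not replace a statement of the option's effect.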
@@ -146,12 +156,31 @@ in
     };
 
     # Add the overrides from lxd distrobuilder
-    systemd.extraConfig = ''
-      [Service]
-      ProtectProc=default
-      ProtectControlGroups=no
-      ProtectKernelTunables=no
-    '';
+    # https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
+    systemd.packages = [
+      (pkgs.writeTextFile {
+        name = "systemd-lxc-service-overrides";
+        destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
+        text = ''
+          [Service]
+          ProcSubset=all
+          ProtectProc=default
+          ProtectControlGroups=no
+          ProtectKernelTunables=no
+          NoNewPrivileges=no
+          LoadCredential=
+        '' + optionalString cfg.privilegedContainer ''
+          # Additional settings for privileged containers
+          ProtectHome=no
+          ProtectSystem=no
+          PrivateDevices=no
+          PrivateTmp=no
+          ProtectKernelLogs=no
+          ProtectKernelModules=no
+          ReadWritePaths=
+        '';
+      })
+    ];
 
     # Allow the user to login as root without password.
     users.users.root.initialHashedPassword = mkOverride 150 "";
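Review bot: The drop-in written at lines 49–70 is a type-level override (`service.d/zzz-lxc-service.conf`) which, as far as I can tell from systemd's lexicographic ordering of drop-ins, takes precedence over the settings of every service unit, including units that explicitly set `NoNewPrivileges=yes` or `ProtectSystem=strict`; neither the purpose of the `zzz-` prefix nor the reason each directive has to be relaxed inside LXC is explained. I would extend the comment on line 40 with something like `# Type-level drop-in; the zzz- prefix makes it sort after per-unit drop-ins so these values win. Each directive listed here cannot be applied inside an LXC container, so it is disabled for every service.` The unconditional part also clears `LoadCredential=` for all services, which deserves a one-line note that units relying on credentials will be affected. I could not verify from this hunk that NixOS's `systemd.packages` collects `service.d/` type-level drop-ins rather than only unit files and `<unit>.d/` directories, so that is worth confirming before merging.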