Diffstat (limited to 'nixos/modules/programs/singularity.nix')
-rw-r--r-- | nixos/modules/programs/singularity.nix | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/nixos/modules/programs/singularity.nix b/nixos/modules/programs/singularity.nix
index bc989ad2dbaf5..d1115b361593b 100644
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@@ -56,9 +56,12 @@ in
 enableFakeroot = lib.mkOption {
 type = lib.types.bool;
 default = true;
- example = false;
 description = ''
 Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+
+ This option is deprecated and has no effect.
+ `--fakeroot` support is enabled automatically,
+ as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
 '';
 };
 enableSuid = lib.mkOption {
@@ -74,22 +77,34 @@ in
 Whether to enable the SUID support of Singularity/Apptainer.
 '';
 };
+ systemBinPaths = lib.mkOption {
+ type = lib.types.listOf lib.types.path;
+ default = [ ];
+ description = ''
+ (Extra) system-wide /**/bin paths
+ for Apptainer/Singularity to find command-line utilities in.
+
+ `"/run/wrappers/bin"` is included by default to make
+ utilities with SUID bit set available to Apptainer/Singularity.
+ Use `lib.mkForce` to shadow the default values.
+ '';
+ };
 };
 
 config = lib.mkIf cfg.enable {
 programs.singularity.packageOverriden = (
 cfg.package.override (
- lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
- // lib.optionalAttrs cfg.enableFakeroot {
- newuidmapPath = "/run/wrappers/bin/newuidmap";
- newgidmapPath = "/run/wrappers/bin/newgidmap";
+ {
+ systemBinPaths = cfg.systemBinPaths;
 }
+ // lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
 // lib.optionalAttrs cfg.enableSuid {
 enableSuid = true;
 starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
 }
 )
 );
+ programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
 environment.systemPackages = [ cfg.packageOverriden ];
 security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
 setuid = true; |
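Review bot: In the first hunk (`enableFakeroot`), the option is made a no-op by its description alone, so a configuration that sets `programs.singularity.enableFakeroot = false;` still evaluates silently while `/run/wrappers/bin` is now always passed to the package. An administrator who turned fakeroot off as a hardening measure gets no signal that the setting stopped working. Consider emitting a warning from the `config` block in the second hunk, e.g. `warnings = lib.optional (!cfg.enableFakeroot) "programs.singularity.enableFakeroot is deprecated and has no effect; --fakeroot support is always enabled.";`, or replacing the option with `lib.mkRemovedOptionModule`.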
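Review bot: In the second hunk, the `systemBinPaths` description does not say that these directories become a lookup path for helper binaries, which presumably includes the setuid flow when `enableSuid` is on (the package side is not visible here). A practitioner would want the caveat spelled out, e.g. add `Only list directories that are owned by root and not writable by unprivileged users.` to the description. Also, with `default = [ ]` and `"/run/wrappers/bin"` added in `config`, the relative order of user entries and the wrapper directory is decided by module merge order; mentioning `lib.mkBefore`/`lib.mkAfter` next to `lib.mkForce` would make lookup precedence explicit. The `security.wrappers` block continues past the end of the hunk.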