Diffstat (limited to 'nixos/modules/virtualisation')
-rw-r--r-- | nixos/modules/virtualisation/amazon-image.nix | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/incus.nix | 9 | ||||
-rw-r--r-- | nixos/modules/virtualisation/lxd.nix | 6 | ||||
-rw-r--r-- | nixos/modules/virtualisation/oci-containers.nix | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/podman/default.nix | 33 |
5 files changed, 29 insertions, 21 deletions
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index aa44f26426970..f0d9b95f81f6b 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -71,6 +71,7 @@ in
 systemd.services.fetch-ec2-metadata = {
 wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
 after = ["network-online.target"];
 path = [ pkgs.curl ];
 script = builtins.readFile ./ec2-metadata-fetcher.sh;
diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix
index 3e48f8873ed4f..ea4cb916aa08d 100644
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@@ -150,10 +150,12 @@ in
 after = [
 "network-online.target"
 "lxcfs.service"
- ] ++ (lib.optional cfg.socketActivation "incus.socket");
+ "incus.socket"
+ ];
 requires = [
 "lxcfs.service"
- ] ++ (lib.optional cfg.socketActivation "incus.socket");
+ "incus.socket"
+ ];
 wants = [
 "network-online.target"
 ];
@@ -183,7 +185,7 @@ in
 };
 };
- systemd.sockets.incus = lib.mkIf cfg.socketActivation {
+ systemd.sockets.incus = {
 description = "Incus UNIX socket";
 wantedBy = [ "sockets.target" ];
@@ -191,7 +193,6 @@ in
 ListenStream = "/var/lib/incus/unix.socket";
 SocketMode = "0660";
 SocketGroup = "incus-admin";
- Service = "incus.service";
 };
 };
diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
index 885fb4e078530..e0d61b1754949 100644
--- a/nixos/modules/virtualisation/lxd.nix
+++ b/nixos/modules/virtualisation/lxd.nix
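Review bot: Dropping the `cfg.socketActivation` conditionals from `after`, `requires` and `systemd.sockets.incus` turns any remaining `virtualisation.incus.socketActivation` option declaration into a silent no-op — the diffstat lists 9 changed lines for incus.nix, all within these hunks, so if the option is declared further up the module it has not been removed, and a user who set `socketActivation = false` now gets the socket unit anyway. Replace the declaration with a loud removal, `imports = [ (lib.mkRemovedOptionModule [ "virtualisation" "incus" "socketActivation" ] "Incus is now always socket-activated.") ];`, so stale configurations fail at evaluation instead of changing behaviour unnoticed. Removing `Service = "incus.service"` is safe, since systemd pairs `incus.socket` with `incus.service` by name. The enclosing service definition starts and ends outside these hunks.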
@@ -214,16 +214,14 @@ in {
 LimitNPROC = "infinity";
 TasksMax = "infinity";
- Restart = "on-failure";
- TimeoutStartSec = "${cfg.startTimeout}s";
- TimeoutStopSec = "30s";
-
 # By default, `lxd` loads configuration files from hard-coded
 # `/usr/share/lxc/config` - since this is a no-go for us, we have to
 # explicitly tell it where the actual configuration files are
 Environment = lib.mkIf (config.virtualisation.lxc.lxcfs.enable) "LXD_LXC_TEMPLATE_CONFIG=${pkgs.lxcfs}/share/lxc/config";
 };
+
+ unitConfig.ConditionPathExists = "!/var/lib/incus/.migrated-from-lxd";
 };
 systemd.services.lxd-preseed = lib.mkIf (cfg.preseed != null) {
diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix
index a4a40346f093b..07ed08ab2f84d 100644
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -267,6 +267,7 @@ let
 };
 in {
 wantedBy = [] ++ optional (container.autoStart) "multi-user.target";
+ wants = lib.optional (container.imageFile == null) "network-online.target";
 after = lib.optionals (cfg.backend == "docker") [ "docker.service" "docker.socket" ]
 # if imageFile is not set, the service needs the network to download the image from the registry
 ++ lib.optionals (container.imageFile == null) [ "network-online.target" ]
diff --git a/nixos/modules/virtualisation/podman/default.nix b/nixos/modules/virtualisation/podman/default.nix
index ec0b713e58b38..47382f9beab00 100644
--- a/nixos/modules/virtualisation/podman/default.nix
+++ b/nixos/modules/virtualisation/podman/default.nix
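Review bot: Removing `TimeoutStartSec = "${cfg.startTimeout}s"` leaves `cfg.startTimeout` without a consumer — the diffstat shows all 6 changed lines of lxd.nix inside this hunk, so if `virtualisation.lxd.startTimeout` is declared elsewhere in the module it is now silently ignored and should either be wired back in or replaced with `lib.mkRemovedOptionModule`. `Restart = "on-failure"` is dropped alongside it with no explanation in the hunk; if that is intended, a comment should say why the daemon supervising running containers should stay down after a crash, otherwise the line should be kept. The new `unitConfig.ConditionPathExists` guard also deserves a comment naming who creates the marker, e.g. `# Do not start LXD once the host has been migrated to Incus (marker presumably written by the LXD-to-Incus migration tool — confirm).` The enclosing service definition starts outside the hunk.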
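Review bot: The `container.imageFile == null` test is now written twice, once in the new `wants` line and again in the `after` list right below it, while the comment explaining why the network is needed sits only on the second; a later edit is likely to update one and miss the other. Bind it once in the enclosing `let` (which starts outside the hunk), `needsNetwork = container.imageFile == null;`, then use `wants = lib.optional needsNetwork "network-online.target";` and `++ lib.optionals needsNetwork [ "network-online.target" ]`. The new line also spells `lib.optional` where the `wantedBy` line directly above uses bare `optional`; pick one form for the attrset.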
@@ -150,26 +150,33 @@ in
 };
- config = lib.mkIf cfg.enable
- {
+ config =
+ let
+ networkConfig = ({
+ dns_enabled = false;
+ driver = "bridge";
+ id = "0000000000000000000000000000000000000000000000000000000000000000";
+ internal = false;
+ ipam_options = { driver = "host-local"; };
+ ipv6_enabled = false;
+ name = "podman";
+ network_interface = "podman0";
+ subnets = [{ gateway = "10.88.0.1"; subnet = "10.88.0.0/16"; }];
+ } // cfg.defaultNetwork.settings);
+ inherit (networkConfig) dns_enabled network_interface;
+ in
+ lib.mkIf cfg.enable {
 environment.systemPackages = [ cfg.package ]
 ++ lib.optional cfg.dockerCompat dockerCompat;
 # https://github.com/containers/podman/blob/097cc6eb6dd8e598c0e8676d21267b4edb11e144/docs/tutorials/basic_networking.md#default-network
 environment.etc."containers/networks/podman.json" = lib.mkIf (cfg.defaultNetwork.settings != { }) {
- source = json.generate "podman.json" ({
- dns_enabled = false;
- driver = "bridge";
- id = "0000000000000000000000000000000000000000000000000000000000000000";
- internal = false;
- ipam_options = { driver = "host-local"; };
- ipv6_enabled = false;
- name = "podman";
- network_interface = "podman0";
- subnets = [{ gateway = "10.88.0.1"; subnet = "10.88.0.0/16"; }];
- } // cfg.defaultNetwork.settings);
+ source = json.generate "podman.json" networkConfig;
 };
+ # containers cannot reach aardvark-dns otherwise
+ networking.firewall.interfaces.${network_interface}.allowedUDPPorts = lib.mkIf dns_enabled [ 53 ];
+
 virtualisation.containers = {
 enable = true; # Enable common /etc/containers configuration
 containersConf.settings = { |
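Review bot: The new `networking.firewall.interfaces.${network_interface}.allowedUDPPorts` rule only opens the default network's bridge; a network created with `podman network create` gets its own `podmanN` interface (and, unlike the default `podman` network, appears to have DNS on by default — verify against the shipped podman version), so its containers still cannot reach aardvark-dns and the one-line comment above the rule should say so, e.g. `# containers cannot reach aardvark-dns otherwise; this only covers the default network's bridge, user-created networks need their own rule`. Recent aardvark-dns releases also answer on TCP 53, which resolvers fall back to on truncated responses, so an `allowedTCPPorts = lib.mkIf dns_enabled [ 53 ];` alongside it is probably needed — confirm before adding. Scoping the rule to the bridge interface rather than opening 53 globally is the right call and worth keeping. The `config` attrset continues past the end of the hunk.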