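# LXC Configuration
#
# NixOS module for Linux Containers (LXC). When enabled it installs the lxc
# tools, writes the three system-wide config files under /etc/lxc from the
# options declared below, creates the shared rootfs parent directory, and
# loads the AppArmor profiles shipped with the lxc package so that lxc-start
# and the containers it launches run confined.
{ config, lib, pkgs, ... }:

let
  cfg = config.virtualisation.lxc;
in
{
  ###### interface

  options.virtualisation.lxc = {

    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc ''
        This enables Linux Containers (LXC), which provides tools
        for creating and managing system or application containers
        on Linux.
      '';
    };

    systemConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = lib.mdDoc ''
        This is the system-wide LXC config, written to
        {file}`/etc/lxc/lxc.conf`. See {manpage}`lxc.system.conf(5)`.
      '';
    };

    defaultConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = lib.mdDoc ''
        Default config ({file}`/etc/lxc/default.conf`) for new containers,
        i.e. for network config. See {manpage}`lxc.container.conf(5)`.
      '';
    };

    usernetConfig = lib.mkOption {
      type = lib.types.lines;
      default = "";
      description = lib.mdDoc ''
        This is the config file ({file}`/etc/lxc/lxc-usernet`) for managing
        unprivileged user network administration access in LXC. Entries
        here grant unprivileged users or groups the right to create network
        interfaces, so keep it minimal; the empty default grants nothing.
        See {manpage}`lxc-usernet(5)`.
      '';
    };

  };

  ###### implementation

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ pkgs.lxc ];

    # Option contents are written verbatim; an empty option yields an empty
    # file (presumably leaving LXC on its built-in defaults).
    environment.etc."lxc/lxc.conf".text = cfg.systemConfig;
    environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;
    environment.etc."lxc/default.conf".text = cfg.defaultConfig;

    # Shared parent directory for container root filesystems. 0755 makes it
    # world-traversable. NOTE(review): consider tightening (e.g. 0700) where
    # other local users must not reach container rootfs contents - confirm
    # nothing relies on traversal first.
    systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

    # Load the two AppArmor profiles shipped with lxc: usr.bin.lxc-start
    # confines lxc-start itself, lxc-containers the containers it launches.
    security.apparmor.packages = [ pkgs.lxc ];
    security.apparmor.policies = {
      "bin.lxc-start".profile = ''
        include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start
      '';
      "lxc-containers".profile = ''
        include ${pkgs.lxc}/etc/apparmor.d/lxc-containers
      '';
    };
  };
}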