2016-10-08 16:10:56 +02:00
|
|
|
{ config, lib , pkgs, ...}:
|
|
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
with import ./systemd-unit-options.nix { inherit config lib; };
|
|
|
|
|
with import ./systemd-lib.nix { inherit config lib pkgs; };
|
|
|
|
|
|
|
|
|
|
let
|
|
|
|
|
cfg = config.systemd.nspawn;
|
|
|
|
|
|
|
|
|
|
checkExec = checkUnitConfig "Exec" [
|
|
|
|
|
(assertOnlyFields [
|
|
|
|
|
"Boot" "ProcessTwo" "Parameters" "Environment" "User" "WorkingDirectory"
|
2018-12-08 14:41:37 +01:00
|
|
|
"PivotRoot" "Capability" "DropCapability" "NoNewPrivileges" "KillSignal"
|
|
|
|
|
"Personality" "MachineId" "PrivateUsers" "NotifyReady" "SystemCallFilter"
|
|
|
|
|
"LimitCPU" "LimitFSIZE" "LimitDATA" "LimitSTACK" "LimitCORE" "LimitRSS"
|
|
|
|
|
"LimitNOFILE" "LimitAS" "LimitNPROC" "LimitMEMLOCK" "LimitLOCKS"
|
|
|
|
|
"LimitSIGPENDING" "LimitMSGQUEUE" "LimitNICE" "LimitRTPRIO" "LimitRTTIME"
|
|
|
|
|
"OOMScoreAdjust" "CPUAffinity" "Hostname" "ResolvConf" "Timezone"
|
|
|
|
|
"LinkJournal"
|
2016-10-08 16:10:56 +02:00
|
|
|
])
|
|
|
|
|
(assertValueOneOf "Boot" boolValues)
|
|
|
|
|
(assertValueOneOf "ProcessTwo" boolValues)
|
2017-05-20 20:32:45 +01:00
|
|
|
(assertValueOneOf "NotifyReady" boolValues)
|
2016-10-08 16:10:56 +02:00
|
|
|
];
|
|
|
|
|
|
|
|
|
|
checkFiles = checkUnitConfig "Files" [
|
|
|
|
|
(assertOnlyFields [
|
2018-12-08 14:41:37 +01:00
|
|
|
"ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystem"
|
|
|
|
|
"Overlay" "OverlayReadOnly" "PrivateUsersChown"
|
2016-10-08 16:10:56 +02:00
|
|
|
])
|
|
|
|
|
(assertValueOneOf "ReadOnly" boolValues)
|
|
|
|
|
(assertValueOneOf "Volatile" (boolValues ++ [ "state" ]))
|
|
|
|
|
(assertValueOneOf "PrivateUsersChown" boolValues)
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
checkNetwork = checkUnitConfig "Network" [
|
|
|
|
|
(assertOnlyFields [
|
|
|
|
|
"Private" "VirtualEthernet" "VirtualEthernetExtra" "Interface" "MACVLAN"
|
|
|
|
|
"IPVLAN" "Bridge" "Zone" "Port"
|
|
|
|
|
])
|
|
|
|
|
(assertValueOneOf "Private" boolValues)
|
|
|
|
|
(assertValueOneOf "VirtualEthernet" boolValues)
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
instanceOptions = {
|
2017-05-21 19:23:09 +01:00
|
|
|
options = sharedOptions // {
|
2016-10-21 01:31:54 +09:00
|
|
|
execConfig = mkOption {
|
|
|
|
|
default = {};
|
|
|
|
|
example = { Parameters = "/bin/sh"; };
|
|
|
|
|
type = types.addCheck (types.attrsOf unitOption) checkExec;
|
|
|
|
|
description = ''
|
|
|
|
|
Each attribute in this set specifies an option in the
|
|
|
|
|
<literal>[Exec]</literal> section of this unit. See
|
|
|
|
|
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum></citerefentry> for details.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2016-10-08 16:10:56 +02:00
|
|
|
|
2016-10-21 01:31:54 +09:00
|
|
|
filesConfig = mkOption {
|
|
|
|
|
default = {};
|
|
|
|
|
example = { Bind = [ "/home/alice" ]; };
|
|
|
|
|
type = types.addCheck (types.attrsOf unitOption) checkFiles;
|
|
|
|
|
description = ''
|
|
|
|
|
Each attribute in this set specifies an option in the
|
|
|
|
|
<literal>[Files]</literal> section of this unit. See
|
|
|
|
|
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum></citerefentry> for details.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2016-10-08 16:10:56 +02:00
|
|
|
|
2016-10-21 01:31:54 +09:00
|
|
|
networkConfig = mkOption {
|
|
|
|
|
default = {};
|
|
|
|
|
example = { Private = false; };
|
|
|
|
|
type = types.addCheck (types.attrsOf unitOption) checkNetwork;
|
|
|
|
|
description = ''
|
|
|
|
|
Each attribute in this set specifies an option in the
|
|
|
|
|
<literal>[Network]</literal> section of this unit. See
|
|
|
|
|
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum></citerefentry> for details.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2016-10-08 16:10:56 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
2017-05-19 21:42:20 +01:00
|
|
|
instanceToUnit = name: def:
|
2017-05-21 19:23:09 +01:00
|
|
|
let base = {
|
|
|
|
|
text = ''
|
|
|
|
|
[Exec]
|
|
|
|
|
${attrsToSection def.execConfig}
|
2016-10-08 16:10:56 +02:00
|
|
|
|
2017-05-21 19:23:09 +01:00
|
|
|
[Files]
|
|
|
|
|
${attrsToSection def.filesConfig}
|
2016-10-08 16:10:56 +02:00
|
|
|
|
2017-05-21 19:23:09 +01:00
|
|
|
[Network]
|
|
|
|
|
${attrsToSection def.networkConfig}
|
|
|
|
|
'';
|
|
|
|
|
} // def;
|
|
|
|
|
in base // { unit = makeUnit name base; };
|
2016-10-08 16:10:56 +02:00
|
|
|
|
|
|
|
|
in {
|
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
|
|
systemd.nspawn = mkOption {
|
|
|
|
|
default = {};
|
2016-10-21 01:31:54 +09:00
|
|
|
type = with types; attrsOf (submodule instanceOptions);
|
2016-10-08 16:10:56 +02:00
|
|
|
description = "Definition of systemd-nspawn configurations.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config =
|
|
|
|
|
let
|
2017-07-04 21:12:47 +08:00
|
|
|
units = mapAttrs' (n: v: let nspawnFile = "${n}.nspawn"; in nameValuePair nspawnFile (instanceToUnit nspawnFile v)) cfg;
|
2019-09-25 18:27:19 +02:00
|
|
|
in
|
|
|
|
|
mkMerge [
|
|
|
|
|
(mkIf (cfg != {}) {
|
2020-04-04 21:11:21 +02:00
|
|
|
environment.etc."systemd/nspawn".source = mkIf (cfg != {}) (generateUnits' false "nspawn" units [] []);
|
2019-09-25 18:27:19 +02:00
|
|
|
})
|
|
|
|
|
{
|
|
|
|
|
systemd.targets.multi-user.wants = [ "machines.target" ];
|
|
|
|
|
|
|
|
|
|
# Workaround for https://github.com/NixOS/nixpkgs/pull/67232#issuecomment-531315437 and https://github.com/systemd/systemd/issues/13622
|
|
|
|
|
# Once systemd fixes this upstream, we can re-enable -U
|
|
|
|
|
systemd.services."systemd-nspawn@".serviceConfig.ExecStart = [
|
|
|
|
|
"" # deliberately empty. signals systemd to override the ExecStart
|
|
|
|
|
# Only difference between upstream is that we do not pass the -U flag
|
2019-12-21 17:07:38 +01:00
|
|
|
"${config.systemd.package}/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%i"
|
2019-09-25 18:27:19 +02:00
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
];
|
2016-10-08 16:10:56 +02:00
|
|
|
}
|
