From ecf7441d25f82544f2f091f2fb734cf260a3667d Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Tue, 29 Nov 2022 09:16:28 -0500
Subject: [PATCH] nixos/lxc: apply recommendations from distrobuilder
---
 .../modules/virtualisation/lxc-container.nix | 41 ++++++++++++++++---
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/nixos/modules/virtualisation/lxc-container.nix b/nixos/modules/virtualisation/lxc-container.nix
index f05f04baa35d..a71b69341051 100644
--- a/nixos/modules/virtualisation/lxc-container.nix
+++ b/nixos/modules/virtualisation/lxc-container.nix
@@ -88,6 +88,16 @@ in
 };
 '';
 };
+ privilegedContainer = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether this LXC container will be running as a privileged container or not. If set to `true` then
+ additional configuration will be applied to the `systemd` instance running within the container as
+ recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
+ '';
+ };
 };
 };
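Review bot: The description of `privilegedContainer` says only that "additional configuration" is applied, but what it actually does (second hunk of this commit) is switch off ProtectSystem, ProtectHome, PrivateDevices, PrivateTmp, ProtectKernelLogs, ProtectKernelModules and clear ReadWritePaths for every service in the container, which is exactly what a user deciding whether to set it needs to know. I would extend the description with a sentence such as: "Enabling this disables most systemd service sandboxing (ProtectSystem, ProtectHome, PrivateDevices, PrivateTmp, ProtectKernelLogs, ProtectKernelModules, ReadWritePaths) for every unit in the container, so leave it off unless the container really is started as a privileged LXC container." The `default = false` is the right conservative choice. The enclosing `options` attribute set begins before this hunk.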
@@ -146,12 +156,31 @@ in
 };
 # Add the overrides from lxd distrobuilder
- systemd.extraConfig = ''
- [Service]
- ProtectProc=default
- ProtectControlGroups=no
- ProtectKernelTunables=no
- '';
+ # https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
+ systemd.packages = [
+ (pkgs.writeTextFile {
+ name = "systemd-lxc-service-overrides";
+ destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
+ text = ''
+ [Service]
+ ProcSubset=all
+ ProtectProc=default
+ ProtectControlGroups=no
+ ProtectKernelTunables=no
+ NoNewPrivileges=no
+ LoadCredential= '' + optionalString cfg.privilegedContainer ''
+ # Additional settings for privileged containers
+ ProtectHome=no
+ ProtectSystem=no
+ PrivateDevices=no
+ PrivateTmp=no
+ ProtectKernelLogs=no
+ ProtectKernelModules=no
+ ReadWritePaths=
+ '';
+ })
+ ];
 # Allow the user to login as root without password.
 users.users.root.initialHashedPassword = mkOverride 150 "";
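Review bot: The drop-in written to `/etc/systemd/system/service.d/zzz-lxc-service.conf` is a type-level drop-in whose `zzz-` name sorts after per-unit drop-ins, so on my reading of systemd.unit(5) (drop-ins are applied after the unit file, in filename order) it does not merely set defaults but overrides hardening that individual units set for themselves: `NoNewPrivileges=no` cancels a unit's own `NoNewPrivileges=yes`, and the empty `LoadCredential=` resets the credential list of any service that relies on `LoadCredential`, which would then start without its credentials. That is presumably deliberate for the settings LXC cannot honour, but it deserves a comment and a second look at whether those two lines need to be global, e.g. `# NOTE: type-level drop-in sorted last, so it also overrides hardening (NoNewPrivileges=, LoadCredential=) that units set explicitly; keep this list to what LXC actually breaks.` The privileged branch additionally clears `ReadWritePaths=` and turns off ProtectSystem/ProtectHome for every service, leaving a privileged container with effectively no systemd sandboxing, which is worth stating in the option description or commit message rather than only in the distrobuilder link. `optionalString` is used unqualified; I assume a `with lib;` at the top of the file, which is outside this hunk.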