nixos/containers: add oci-seccomp-bpf-hook
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
parent
ee0d559dae
commit
27b0c4b151
1 changed files with 12 additions and 0 deletions
|
@ -43,6 +43,12 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ociSeccompBpfHook.enable = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Enable the OCI seccomp BPF hook";
|
||||||
|
};
|
||||||
|
|
||||||
containersConf = mkOption {
|
containersConf = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
description = "containers.conf configuration";
|
description = "containers.conf configuration";
|
||||||
|
@ -116,6 +122,12 @@ in
|
||||||
[network]
|
[network]
|
||||||
cni_plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
|
cni_plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
|
||||||
|
|
||||||
|
${lib.optionalString (cfg.ociSeccompBpfHook.enable == true) ''
|
||||||
|
[engine]
|
||||||
|
hooks_dir = [
|
||||||
|
"${config.boot.kernelPackages.oci-seccomp-bpf-hook}",
|
||||||
|
]
|
||||||
|
''}
|
||||||
'' + cfg.containersConf.extraConfig;
|
'' + cfg.containersConf.extraConfig;
|
||||||
|
|
||||||
environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
|
environment.etc."containers/registries.conf".source = toTOML "registries.conf" {
|
||||||
|
|
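Review bot: The `[engine]` table emitted in the second hunk is followed directly by `cfg.containersConf.extraConfig`, so a user whose extraConfig already declares `[engine]` would get the table defined twice, which TOML rejects; the engine settings should either be merged before rendering or the conflict documented on the option. Setting `hooks_dir` also appears to replace the default hook directories rather than extend them, so hooks installed elsewhere would stop running once the option is enabled; this should be confirmed against containers.conf(5). Since anything found in a hooks directory is run by the container runtime, the option text in the first hunk should say what is being registered, for example `description = "Register oci-seccomp-bpf-hook, which traces a container's syscalls to generate a seccomp profile; it does not enforce one.";`. As a point of style, `cfg.ociSeccompBpfHook.enable == true` can be written as `cfg.ociSeccompBpfHook.enable`.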