nixos/modules/virtualisation/lxc.nix

   1 # LXC Configuration
   2
   3 { config, lib, pkgs, ... }:
   4
   5 with lib;
   6
   7 let
   8
   9   cfg = config.virtualisation.lxc;
  10
  11 in
  12
  13 {
  14   ###### interface
  15
  16   options.virtualisation.lxc = {
  17     enable =
  18       mkOption {
  19         type = types.bool;
  20         default = false;
  21         description =
  22           ''
  23             This enables Linux Containers (LXC), which provides tools
  24             for creating and managing system or application containers
  25             on Linux.
  26           '';
  27       };
  28
  29     systemConfig =
  30       mkOption {
  31         type = types.lines;
  32         default = "";
  33         description =
  34           ''
  35             This is the system-wide LXC config. See
  36             <citerefentry><refentrytitle>lxc.system.conf</refentrytitle>
  37             <manvolnum>5</manvolnum></citerefentry>.
  38           '';
  39       };
  40
  41     defaultConfig =
  42       mkOption {
  43         type = types.lines;
  44         default = "";
  45         description =
  46           ''
  47             Default config (default.conf) for new containers, i.e. for
  48             network config. See <citerefentry><refentrytitle>lxc.container.conf
  49             </refentrytitle><manvolnum>5</manvolnum></citerefentry>.
  50           '';
  51       };
  52
  53     usernetConfig =
  54       mkOption {
  55         type = types.lines;
  56         default = "";
  57         description =
  58           ''
  59             This is the config file for managing unprivileged user network
  60             administration access in LXC. See <citerefentry>
  61             <refentrytitle>lxc-usernet</refentrytitle><manvolnum>5</manvolnum>
  62             </citerefentry>.
  63           '';
  64       };
  65   };
  66
  67   ###### implementation
  68
  69   config = mkIf cfg.enable {
  70     environment.systemPackages = [ pkgs.lxc ];
  71     environment.etc."lxc/lxc.conf".text = cfg.systemConfig;
  72     environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;
  73     environment.etc."lxc/default.conf".text = cfg.defaultConfig;
  74     systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];
  75
  76     security.apparmor.packages = [ pkgs.lxc ];
  77     security.apparmor.policies = {
  78       "bin/lxc-start".profile = ''
  79         #include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start
  80       '';
  81       "lxc-containers".profile = ''
  82         #include ${pkgs.lxc}/etc/apparmor.d/lxc-containers
  83       '';
  84     };
  85   };
  86 }