# LXC Configuration
#
# NixOS module for Linux Containers (LXC). It exposes the three LXC
# configuration files as free-form options, installs the lxc tooling and
# ships the upstream AppArmor profiles for lxc-start and the containers.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption types;

  cfg = config.virtualisation.lxc;

  # Helper: a free-form `lines` option with an empty default, documented by
  # the given markdown text. Used for the three LXC config files below.
  linesOption = doc:
    mkOption {
      type = types.lines;
      default = "";
      description = lib.mdDoc doc;
    };
in
{
  ###### interface

  options.virtualisation.lxc = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc ''
        This enables Linux Containers (LXC), which provides tools
        for creating and managing system or application containers
        on Linux.
      '';
    };

    # Rendered to /etc/lxc/lxc.conf.
    systemConfig = linesOption ''
      This is the system-wide LXC config. See
      {manpage}`lxc.system.conf(5)`.
    '';

    # Rendered to /etc/lxc/default.conf; copied into every new container.
    defaultConfig = linesOption ''
      Default config (default.conf) for new containers, i.e. for
      network config. See {manpage}`lxc.container.conf(5)`.
    '';

    # Rendered to /etc/lxc/lxc-usernet. This file is the allow-list that
    # decides which unprivileged users may attach how many network
    # interfaces to which bridge; it is empty by default, so no such
    # grant exists until an entry is added here.
    usernetConfig = linesOption ''
      This is the config file for managing unprivileged user network
      administration access in LXC. See {manpage}`lxc-usernet(5)`.
    '';
  };

  ###### implementation

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.lxc ];

    # The three option values become the corresponding files under /etc/lxc.
    environment.etc = {
      "lxc/lxc.conf".text = cfg.systemConfig;
      "lxc/lxc-usernet".text = cfg.usernetConfig;
      "lxc/default.conf".text = cfg.defaultConfig;
    };

    # Container root filesystems live under /var/lib/lxc/rootfs; the
    # directory is created root-owned, mode 0755 (world-traversable).
    systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

    # Confinement: pull the AppArmor profiles shipped with the lxc package
    # so lxc-start and the containers it launches run under them.
    # NOTE(review): these policies are only loaded when AppArmor itself is
    # turned on (security.apparmor.enable); this module does not set it.
    security.apparmor = {
      packages = [ pkgs.lxc ];
      policies = {
        "bin.lxc-start".profile = ''
          include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start
        '';
        "lxc-containers".profile = ''
          include ${pkgs.lxc}/etc/apparmor.d/lxc-containers
        '';
      };
    };
  };
}