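# NixOS module for Singularity/Apptainer.
#
# It wraps `programs.singularity.package` via `.override` so the package knows
# about the system-wide bin paths, the external LOCALSTATEDIR and (optionally)
# the setuid starter, and then wires the matching host-side pieces:
# the `security.wrappers` setuid entry and the tmpfiles rule for the session dir.
{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.programs.singularity;
in
{

  options.programs.singularity = {
    enable = lib.mkEnableOption "singularity" // {
      description = ''
        Whether to install Singularity/Apptainer with system-level overriding such as SUID support.
      '';
    };
    package = lib.mkPackageOption pkgs "singularity" { example = "apptainer"; };
    # Read-only in practice: the `config` section below assigns the overridden
    # package here so other modules (or overlays) can reuse exactly what was installed.
    packageOverriden = lib.mkOption {
      type = lib.types.nullOr lib.types.package;
      default = null;
      description = ''
        This option provides access to the overridden result of `programs.singularity.package`.

        For example, the following configuration makes all the Nixpkgs packages use the overridden `singularity`:
        ```Nix
        { config, lib, pkgs, ... }:
        {
          nixpkgs.overlays = [
            (final: prev: {
              _singularity-orig = prev.singularity;
              singularity = config.programs.singularity.packageOverriden;
            })
          ];
          programs.singularity.enable = true;
          programs.singularity.package = pkgs._singularity-orig;
        }
        ```

        Use `lib.mkForce` to forcefully specify the overridden package.
      '';
    };
    enableExternalLocalStateDir = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = false;
      description = ''
        Whether to use top-level directories as LOCALSTATEDIR
        instead of the store path ones.
        This affects the SESSIONDIR of Apptainer/Singularity.
        If set to true, the SESSIONDIR will become
        `/var/lib/''${projectName}/mnt/session`.
      '';
    };
    # Deprecated no-op; nothing in the `config` section reads it.  Presumably
    # kept so that existing configurations setting it continue to evaluate.
    enableFakeroot = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = ''
        Whether to enable the `--fakeroot` support of Singularity/Apptainer.

        This option is deprecated and has no effect.
        `--fakeroot` support is enabled automatically,
        as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
      '';
    };
    enableSuid = lib.mkOption {
      type = lib.types.bool;
      # SingularityCE requires SETUID for most things. Apptainer prefers user
      # namespaces, e.g. `apptainer exec --nv` would fail if built
      # `--with-suid`:
      # > `FATAL: nvidia-container-cli not allowed in setuid mode`
      #
      # When true, a root-owned setuid wrapper for the starter is installed
      # under /run/wrappers/bin (see `security.wrappers` below), so this option
      # decides whether a setuid-root binary ends up on the system.
      default = cfg.package.projectName != "apptainer";
      # The option lives under `programs.singularity`; the documented default
      # must point at the same path the real default reads (`cfg.package`).
      defaultText = lib.literalExpression ''config.programs.singularity.package.projectName != "apptainer"'';
      example = false;
      description = ''
        Whether to enable the SUID support of Singularity/Apptainer.
      '';
    };
    systemBinPaths = lib.mkOption {
      type = lib.types.listOf lib.types.path;
      default = [ ];
      description = ''
        (Extra) system-wide /**/bin paths
        for Apptainer/Singularity to find command-line utilities in.

        `"/run/wrappers/bin"` is included by default to make
        utilities with SUID bit set available to Apptainer/Singularity.
        Use `lib.mkForce` to shadow the default values.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Build the package variant that matches the host configuration.  The
    # SUID attributes are only passed when `enableSuid` is set; `starterSuidPath`
    # must agree with the `security.wrappers` name below (both use the
    # `<projectName>-suid` convention under /run/wrappers/bin).
    programs.singularity.packageOverriden = (
      cfg.package.override (
        {
          systemBinPaths = cfg.systemBinPaths;
        }
        // lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
        // lib.optionalAttrs cfg.enableSuid {
          enableSuid = true;
          starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
        }
      )
    );
    # Unconditional default that merges with user-provided `systemBinPaths`;
    # this is the entry the `enableFakeroot` description refers to.  Users who
    # do not want it must `lib.mkForce` the option.
    programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
    environment.systemPackages = [ cfg.packageOverriden ];
    # Setuid-root wrapper around the package's `starter-suid.orig`.  Generated
    # only when `enableSuid` is true; the wrapper name is what
    # `starterSuidPath` above points at.
    security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
      setuid = true;
      owner = "root";
      group = "root";
      source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";
    };
    # Session directory under the external LOCALSTATEDIR chosen above
    # (`externalLocalStateDir = "/var/lib"`), created root:root mode 0770.
    systemd.tmpfiles.rules = lib.mkIf cfg.enableExternalLocalStateDir [
      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
    ];
  };
}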