2014-04-01 15:42:18 +02:00
|
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
|
|
|
|
with lib;
|
2014-03-17 14:04:39 +01:00
|
|
|
|
|
|
|
{
|
|
|
|
|
2014-04-01 15:42:18 +02:00
|
|
|
config = mkIf config.boot.isContainer {
|
2014-03-17 14:04:39 +01:00
|
|
|
|
2014-04-19 14:41:21 +02:00
|
|
|
# Disable some features that are not useful in a container.
|
2022-10-26 10:52:50 +02:00
|
|
|
|
2022-10-26 17:05:14 +02:00
|
|
|
# containers don't have a kernel
|
2022-10-26 16:51:29 +02:00
|
|
|
boot.kernel.enable = false;
|
2022-10-26 17:05:14 +02:00
|
|
|
boot.modprobeConfig.enable = false;
|
2022-10-26 16:51:29 +02:00
|
|
|
|
2022-10-26 10:52:50 +02:00
|
|
|
console.enable = mkDefault false;
|
|
|
|
|
2019-07-01 12:05:57 +02:00
|
|
|
nix.optimise.automatic = mkDefault false; # the store is host managed
|
2015-04-19 22:40:07 +02:00
|
|
|
powerManagement.enable = mkDefault false;
|
2019-12-15 17:21:52 +01:00
|
|
|
documentation.nixos.enable = mkDefault false;
|
2014-04-16 01:44:43 +02:00
|
|
|
|
2019-10-07 20:44:42 +02:00
|
|
|
networking.useHostResolvConf = mkDefault true;
|
2014-04-18 16:40:27 +02:00
|
|
|
|
2014-04-22 16:07:53 +02:00
|
|
|
# Containers should be light-weight, so start sshd on demand.
|
|
|
|
services.openssh.startWhenNeeded = mkDefault true;
|
|
|
|
|
2022-10-26 11:18:36 +02:00
|
|
|
# containers do not need to setup devices
|
|
|
|
services.udev.enable = false;
|
|
|
|
|
2022-10-26 17:21:07 +02:00
|
|
|
# containers normally do not need to manage logical volumes
|
|
|
|
services.lvm.enable = lib.mkDefault false;
|
|
|
|
|
2014-04-18 17:00:11 +02:00
|
|
|
# Shut up warnings about not having a boot loader.
|
2022-01-20 23:10:13 +01:00
|
|
|
system.build.installBootLoader = lib.mkDefault "${pkgs.coreutils}/bin/true";
|
2014-04-18 17:00:11 +02:00
|
|
|
|
2016-01-18 13:57:27 +01:00
|
|
|
# Not supported in systemd-nspawn containers.
|
|
|
|
security.audit.enable = false;
|
|
|
|
|
2018-11-26 22:22:09 +01:00
|
|
|
# Use the host's nix-daemon.
|
|
|
|
environment.variables.NIX_REMOTE = "daemon";
|
nixos-container: Force container to talk to host nix-daemon
When logging into a container by using
nixos-container root-login
all nix-related commands in the container would fail, as they
tried to modify the nix db and nix store, which are mounted
read-only in the container. We want nixos-container to not
try to modify the nix store at all, but instead delegate
any build commands to the nix daemon of the host operating system.
This already works for non-root users inside a nixos-container,
as it doesn't 'own' the nix-store, and thus defaults
to talking to the daemon socket at /nix/var/nix/daemon-socket/,
which is bind-mounted to the host daemon-socket, causing all nix
commands to be delegated to the host.
However, when we are the root user inside the container, we have the
same uid as the nix store owner, eventhough it's not actually
the same root user (due to user namespaces). Nix gets confused,
and is convinced it's running in single-user mode, and tries
to modify the nix store directly instead.
By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix
to operate in multi-user mode, so that it will talk to the host
daemon instead, which will modify the nix store for the container.
This fixes #40355
2018-10-05 15:42:15 +02:00
|
|
|
|
2014-03-17 14:04:39 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
}
|