fix(virtualisation): add & extend sub{u,g}id ranges

2023-09-18 23:39:37 +02:00 · 2023-09-18 23:39:37 +02:00 · 5ba17c8ccf
parent 7fae92e31d
commit 5ba17c8ccf
3 changed files with 36 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -145,6 +145,7 @@ rec {
                user.extraGroups = [ "wheel" "audio" "disk" "media" ];
                modules = [ homeManagerModules.git ];
                config = ./home/felschr.nix;
+                usesContainers = true;
              })
              ({ pkgs, ... }: {
                environment.systemPackages =
@ -168,6 +169,7 @@ rec {
                user.extraGroups = [ "wheel" "audio" "disk" ];
                modules = [ homeManagerModules.git ];
                config = ./home/felschr-work.nix;
+                usesContainers = true;
              })
            ];
            specialArgs = { inherit inputs nixConfig; };
--- a/lib/createUser.nix
+++ b/lib/createUser.nix
@ -1,5 +1,5 @@
 name:
-{ user ? { }, hm ? { }, modules ? [ ], config, ... }:
+{ user ? { }, hm ? { }, modules ? [ ], config, usesContainers ? false, ... }:

 { pkgs, lib, home-manager, ... }: {
  imports = [ home-manager.nixosModules.home-manager ];
@ -7,6 +7,16 @@ name:
  users.users."${name}" = {
    isNormalUser = true;
    shell = pkgs.zsh;
+
+    # increase sub{u,g}id range for container user namespaces
+    subUidRanges = lib.optionals usesContainers [{
+      startUid = 100000;
+      count = 60000000;
+    }];
+    subGidRanges = lib.optionals usesContainers [{
+      startGid = 100000;
+      count = 60000000;
+    }];
  } // user;

  home-manager = {
--- a/virtualisation/containers.nix
+++ b/virtualisation/containers.nix
@ -7,4 +7,27 @@ _:
    # Create unique User Namespace for the container
    containers.userns = "auto";
  };
+  virtualisation.containers.storage.settings = {
+    # defaults
+    storage = {
+      driver = "overlay";
+      graphroot = "/var/lib/containers/storage";
+      runroot = "/run/containers/storage";
+    };
+
+    # SUB_UID_MAX: https://man7.org/linux/man-pages/man5/login.defs.5.html
+    storage.options.auto-userns-max-size = 600100000;
+  };
+
+  # Increase sub{u,g}id range
+  users.users."root" = {
+    subUidRanges = [{
+      startUid = 60100000;
+      count = 60000000;
+    }];
+    subGidRanges = [{
+      startGid = 60100000;
+      count = 60000000;
+    }];
+  };
 }