feat(virtualisation): enable gvisor for containers

2024-03-07 20:47:24 +01:00 · 2024-03-07 20:47:24 +01:00 · 5da5d66d6a
parent 4eab62fe3b
commit 5da5d66d6a
4 changed files with 12 additions and 1 deletions
--- a/services/collabora-office.nix
+++ b/services/collabora-office.nix
@ -18,6 +18,8 @@ in {
      extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
    };
    extraOptions = [
      "--runtime-flag=directfs=false"
      "--runtime-flag=network=host"
      "--uidmap=0:65534:1"
      "--gidmap=0:65534:1"
      "--uidmap=100:${toString uid}:1"
--- a/services/focalboard.nix
+++ b/services/focalboard.nix
@ -59,6 +59,8 @@ in {
    # only secrets need to be included, e.g. FOCALBOARD_DBCONFIG
    environmentFiles = [ config.age.secrets.focalboard-env.path ];
    extraOptions = [
      "--runtime-flag=directfs=false"
      "--runtime-flag=network=host"
      "--uidmap=0:65534:1"
      "--gidmap=0:65534:1"
      "--uidmap=65534:${toString uid}:1"
--- a/services/immich.nix
+++ b/services/immich.nix
@ -37,6 +37,8 @@ let
      config.age.secrets.immich-typesense-env.path
    ];
    extraOptions = [
      "--runtime-flag=directfs=false"
      "--runtime-flag=network=host"
      "--uidmap=0:65534:1"
      "--gidmap=0:65534:1"
      "--uidmap=${toString uid}:${toString uid}:1"
--- a/virtualisation/containers.nix
+++ b/virtualisation/containers.nix
@ -1,4 +1,4 @@
-_:
+{ pkgs, lib, ... }:
 {
  # Enable /etc/containers configuration (used by podman, cri-o, etc.)
@ -6,6 +6,11 @@ _:
  virtualisation.containers.containersConf.settings = {
    # Create unique User Namespace for the container
    containers.userns = "auto";
    engine = {
      conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.gvisor ]}" ];
      runtimes.runsc = [ "${pkgs.gvisor}/bin/runsc" ];
      runtime = "runsc";
    };
  };
  virtualisation.containers.storage.settings = {
    # defaults