nixpkgs/nixos/modules/virtualisation/anbox.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

177 lines
4.5 KiB
Nix
Raw Normal View History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.virtualisation.anbox;
addrOpts = v: addr: pref: name: {
address = mkOption {
default = addr;
type = types.str;
description = ''
IPv${toString v} ${name} address.
'';
};
prefixLength = mkOption {
default = pref;
type = types.addCheck types.int (n: n >= 0 && n <= (if v == 4 then 32 else 128));
description = ''
Subnet mask of the ${name} address, specified as the number of
bits in the prefix (`${if v == 4 then "24" else "64"}`).
'';
};
};
finalImage = if cfg.imageModifications == "" then cfg.image else ( pkgs.callPackage (
{ runCommandNoCC, squashfsTools }:
runCommandNoCC "${cfg.image.name}-modified.img" {
nativeBuildInputs = [
squashfsTools
];
} ''
echo "-> Extracting Anbox root image..."
unsquashfs -dest rootfs ${cfg.image}
echo "-> Modifying Anbox root image..."
(
cd rootfs
${cfg.imageModifications}
)
echo "-> Packing modified Anbox root image..."
mksquashfs rootfs $out -comp xz -no-xattrs -all-root
''
) { });
in
{
options.virtualisation.anbox = {
enable = mkEnableOption "Anbox";
image = mkOption {
default = pkgs.anbox.image;
defaultText = literalExpression "pkgs.anbox.image";
type = types.package;
description = ''
Base android image for Anbox.
'';
};
imageModifications = mkOption {
default = "";
type = types.lines;
description = ''
Commands to edit the image filesystem.
This can be used to e.g. bundle a privileged F-Droid.
Commands are ran with PWD being at the root of the filesystem.
'';
};
extraInit = mkOption {
type = types.lines;
default = "";
description = ''
Extra shell commands to be run inside the container image during init.
'';
};
ipv4 = {
container = addrOpts 4 "192.168.250.2" 24 "Container";
gateway = addrOpts 4 "192.168.250.1" 24 "Host";
dns = mkOption {
default = "1.1.1.1";
type = types.str;
description = ''
Container DNS server.
'';
};
};
};
config = mkIf cfg.enable {
assertions = singleton {
assertion = with config.boot.kernelPackages; kernelAtLeast "5.5" && kernelOlder "5.18";
message = "Anbox needs a kernel with binder and ashmem support";
};
environment.systemPackages = with pkgs; [ anbox ];
systemd.mounts = singleton {
requiredBy = [ "anbox-container-manager.service" ];
description = "Anbox Binder File System";
what = "binder";
where = "/dev/binderfs";
type = "binder";
};
virtualisation.lxc.enable = true;
networking.bridges.anbox0.interfaces = [];
networking.interfaces.anbox0.ipv4.addresses = [ cfg.ipv4.gateway ];
networking.nat = {
enable = true;
internalInterfaces = [ "anbox0" ];
};
# Ensures NetworkManager doesn't touch anbox0
networking.networkmanager.unmanaged = [ "anbox0" ];
systemd.services.anbox-container-manager = let
anboxloc = "/var/lib/anbox";
in {
description = "Anbox Container Management Daemon";
environment.XDG_RUNTIME_DIR="${anboxloc}";
wantedBy = [ "multi-user.target" ];
preStart = let
initsh = pkgs.writeText "nixos-init" (''
#!/system/bin/sh
setprop nixos.version ${config.system.nixos.version}
# we don't have radio
setprop ro.radio.noril yes
stop ril-daemon
# speed up boot
setprop debug.sf.nobootanimation 1
'' + cfg.extraInit);
initshloc = "${anboxloc}/rootfs-overlay/system/etc/init.goldfish.sh";
in ''
mkdir -p ${anboxloc}
mkdir -p $(dirname ${initshloc})
[ -f ${initshloc} ] && rm ${initshloc}
cp ${initsh} ${initshloc}
chown 100000:100000 ${initshloc}
chmod +x ${initshloc}
'';
serviceConfig = {
ExecStart = ''
${pkgs.anbox}/bin/anbox container-manager \
--data-path=${anboxloc} \
--android-image=${finalImage} \
--container-network-address=${cfg.ipv4.container.address} \
--container-network-gateway=${cfg.ipv4.gateway.address} \
--container-network-dns-servers=${cfg.ipv4.dns} \
--use-rootfs-overlay \
--privileged \
--daemon
'';
};
};
};
}