nixos/incus: add incus-user service and socket

This commit is contained in:
Dawid Dziurla 2024-11-13 11:56:12 +01:00
parent e92d5eb308
commit ea9923c62f
No known key found for this signature in database
GPG Key ID: 7B6D8368172E9B0B
2 changed files with 39 additions and 1 deletions

View File

@ -860,6 +860,8 @@
- `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.
- `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to `incus` group instead of `incus-admin` for increased security.
## Detailed Migration Information {#sec-release-24.11-migration}
### `sound` options removal {#sec-release-24.11-migration-sound}

View File

@ -153,7 +153,10 @@ in
Users in the "incus-admin" group can interact with
the daemon (e.g. to start or stop containers) using the
{command}`incus` command line tool, among others
{command}`incus` command line tool, among others.
Users in the "incus" group can also interact with
the daemon, but with lower permissions
(i.e. administrative operations are forbidden).
'';
package = lib.mkPackageOption pkgs "incus-lts" { };
@ -359,6 +362,27 @@ in
};
};
systemd.services.incus-user = {
description = "Incus Container and Virtual Machine Management User Daemon";
inherit environment;
after = [
"incus.service"
"incus-user.socket"
];
requires = [
"incus-user.socket"
];
serviceConfig = {
ExecStart = "${cfg.package}/bin/incus-user --group incus";
Restart = "on-failure";
};
};
systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart {
description = "Incus Instances Startup/Shutdown";
@ -391,6 +415,17 @@ in
};
};
systemd.sockets.incus-user = {
description = "Incus user UNIX socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = "/var/lib/incus/unix.socket.user";
SocketMode = "0660";
SocketGroup = "incus";
};
};
systemd.services.incus-preseed = lib.mkIf (cfg.preseed != null) {
description = "Incus initialization with preseed file";
@ -409,6 +444,7 @@ in
};
};
users.groups.incus = { };
users.groups.incus-admin = { };
users.users.root = {