nixpkgs/nixos/modules/programs/singularity.nix
Yueh-Shun Li ac77669531 apptainer, singularity: make LOCALSTATEDIR internal by default
Use "$out/var/lib" as LOCALSTATEDIR configuration value
by default intsead of "/var/lib"
as a way toward top-level-directory independent runtime.

Add input argument externalLocalStateDir to optionally specify the
path to external LOCALSTATEDIR if not null.

Add NixOS module option
programs.singularity.enableExternalLocalStateDir (default to true)
to use "/var/lib" as LOCALSTATEDIR.
2023-08-23 18:40:20 +08:00

103 lines
3.3 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.singularity;
in
{
options.programs.singularity = {
enable = mkEnableOption (mdDoc "singularity") // {
description = mdDoc ''
Whether to install Singularity/Apptainer with system-level overriding such as SUID support.
'';
};
package = mkOption {
type = types.package;
default = pkgs.singularity;
defaultText = literalExpression "pkgs.singularity";
example = literalExpression "pkgs.apptainer";
description = mdDoc ''
Singularity/Apptainer package to override and install.
'';
};
packageOverriden = mkOption {
type = types.nullOr types.package;
default = null;
description = mdDoc ''
This option provides access to the overridden result of `programs.singularity.package`.
For example, the following configuration makes all the Nixpkgs packages use the overridden `singularity`:
```Nix
{ config, lib, pkgs, ... }:
{
nixpkgs.overlays = [
(final: prev: {
_singularity-orig = prev.singularity;
singularity = config.programs.singularity.packageOverriden;
})
];
programs.singularity.enable = true;
programs.singularity.package = pkgs._singularity-orig;
}
```
Use `lib.mkForce` to forcefully specify the overridden package.
'';
};
enableExternalLocalStateDir = mkOption {
type = types.bool;
default = true;
example = false;
description = mdDoc ''
Whether to use top-level directories as LOCALSTATEDIR
instead of the store path ones.
This affects the SESSIONDIR of Apptainer/Singularity.
If set to true, the SESSIONDIR will become
`/var/lib/''${projectName}/mnt/session`.
'';
};
enableFakeroot = mkOption {
type = types.bool;
default = true;
example = false;
description = mdDoc ''
Whether to enable the `--fakeroot` support of Singularity/Apptainer.
'';
};
enableSuid = mkOption {
type = types.bool;
default = true;
example = false;
description = mdDoc ''
Whether to enable the SUID support of Singularity/Apptainer.
'';
};
};
config = mkIf cfg.enable {
programs.singularity.packageOverriden = (cfg.package.override (
optionalAttrs cfg.enableExternalLocalStateDir {
externalLocalStateDir = "/var/lib";
} // optionalAttrs cfg.enableFakeroot {
newuidmapPath = "/run/wrappers/bin/newuidmap";
newgidmapPath = "/run/wrappers/bin/newgidmap";
} // optionalAttrs cfg.enableSuid {
enableSuid = true;
starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
}
));
environment.systemPackages = [ cfg.packageOverriden ];
security.wrappers."${cfg.packageOverriden.projectName}-suid" = mkIf cfg.enableSuid {
setuid = true;
owner = "root";
group = "root";
source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";
};
systemd.tmpfiles.rules = mkIf cfg.enableExternalLocalStateDir [
"d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
];
};
}