From ca27e8893f2885227e91dce7254778fdd08fddc8 Mon Sep 17 00:00:00 2001
From: Andreas Fuchs
Date: Tue, 29 Aug 2023 14:16:04 -0400
Subject: [PATCH] Attempt a rootless container after all

---
 nixos/default.nix | 36 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/nixos/default.nix b/nixos/default.nix
index dc0f225..37f6883 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -255,6 +255,18 @@ in {
 users.users.tsnsrv-sidecar = {
 isSystemUser = true;
 group = config.users.groups.tsnsrv.name;
+ subUidRanges = [
+ {
+ startUid = 200000;
+ count = 100000;
+ }
+ ];
+ subGidRanges = [
+ {
+ startGid = 200000;
+ count = 100000;
+ }
+ ];
 };
 virtualisation.oci-containers.containers =
@@ -276,19 +288,9 @@ in {
 # The tsnet auth key.
 "${config.virtualisation.oci-sidecars.tsnsrv.authKeyPath}:${config.virtualisation.oci-sidecars.tsnsrv.authKeyPath}"
 ];
- extraOptions =
- [
- "--network=container:${sidecar.forContainer}"
- ]
- ++ (
- if (config.virtualisation.oci-containers.backend == "podman")
- then [
- "--passwd"
- "--hostuser=${config.users.users.tsnsrv-sidecar.name}"
- "--group-add=keep-groups"
- ]
- else []
- );
+ extraOptions = [
+ "--network=container:${sidecar.forContainer}"
+ ];
 cmd = ["-stateDir=/state"] ++ (serviceArgs {
@@ -308,11 +310,19 @@ in {
 name = serviceName;
 value = {
+ path = ["/run/wrappers"];
 serviceConfig = {
+ User = config.users.users.tsnsrv-sidecar.name;
+ Group = config.users.groups.tsnsrv.name;
 StateDirectory = serviceName;
+ RuntimeDirectory = serviceName;
 StateDirectoryMode = "0700";
 SupplementaryGroups = [config.users.groups.tsnsrv.name] ++ service.supplementalGroups;
 };
+ environment = {
+ HOME = "%S";
+ XDG_RUNTIME_DIR = "%t";
+ };
 };
 })
 config.virtualisation.oci-sidecars.tsnsrv.containers
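Review bot: The hard-coded subordinate range 200000–299999 added to `users.users.tsnsrv-sidecar` is not checked against any other user's subUidRanges/subGidRanges on the host, so if another rootless-container user declares or is auto-assigned an overlapping range, two supposedly isolated user namespaces map onto the same host UIDs/GIDs. Unless a fixed range is required elsewhere, `autoSubUidGidRange = true;` (where the NixOS release in use provides it) lets the module allocate a non-overlapping range instead; if the fixed range stays, document the reservation, e.g. `# 200000-299999: user-namespace range for the rootless sidecar; keep disjoint from every other subuid/subgid range on this host`. The enclosing module attrset starts and ends outside the hunk.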
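Review bot: The auth-key bind mount `"${config.virtualisation.oci-sidecars.tsnsrv.authKeyPath}:${config.virtualisation.oci-sidecars.tsnsrv.authKeyPath}"` kept as context here is still mounted read-write although the now-unprivileged sidecar only needs to read it; append `:ro` so a compromised sidecar cannot overwrite the key. With `--hostuser`/`--group-add=keep-groups` gone and the service running as tsnsrv-sidecar, that host file must also be readable by that user or the tsnsrv group, which nothing in this change asserts. Note too that a rootless run can only join the network namespace of a container in the sidecar user's own store, so `--network=container:${sidecar.forContainer}` presumably fails if `forContainer` is started rootful by the default backend; that constraint deserves a comment on the option. The enclosing container definition starts and ends outside the hunk.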
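Review bot: `HOME = "%S"` and `XDG_RUNTIME_DIR = "%t"` expand, per systemd.unit(5), to the roots /var/lib and /run for a system service, not to the directories declared by `StateDirectory`/`RuntimeDirectory`, so rootless container storage would presumably be created under /var/lib/.local/share/containers (not writable by tsnsrv-sidecar) and the runtime state under /run (shared with rootful podman's /run/containers). Point both at the per-service directories: `HOME = "%S/${serviceName}";` and `XDG_RUNTIME_DIR = "%t/${serviceName}";`, which together with `StateDirectoryMode = "0700"` keeps the container storage and tsnet state private to the service user. A short comment on `path = ["/run/wrappers"];`, e.g. `# setuid newuidmap/newgidmap needed to set up the rootless user namespace`, would also help the next reader. The enclosing `let … in` / map body starts outside the hunk.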