forked from mirrors/nixpkgs
03d9e5cda0
By enabling ‘services.openssh.startWhenNeeded’, sshd is started on-demand by systemd using socket activation. This is particularly useful if you have a zillion containers and don't want to have sshd running permanently. Note that socket activation is not noticeable slower, contrary to what the manpage for ‘sshd -i’ says, so we might want to make this the default one day.
95 lines
2.7 KiB
Nix
95 lines
2.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
|
|
config = mkIf config.boot.isContainer {
|
|
|
|
# Disable some features that are not useful in a container.
|
|
sound.enable = mkDefault false;
|
|
services.udisks2.enable = mkDefault false;
|
|
|
|
networking.useHostResolvConf = true;
|
|
|
|
# Containers should be light-weight, so start sshd on demand.
|
|
services.openssh.startWhenNeeded = mkDefault true;
|
|
|
|
# Shut up warnings about not having a boot loader.
|
|
system.build.installBootLoader = "${pkgs.coreutils}/bin/true";
|
|
|
|
# Provide a root login prompt on /var/lib/root-login.socket that
|
|
# doesn't ask for a password. This socket can only be used by root
|
|
# on the host.
|
|
systemd.sockets.root-login =
|
|
{ description = "Root Login Socket";
|
|
wantedBy = [ "sockets.target" ];
|
|
socketConfig =
|
|
{ ListenStream = "/var/lib/root-login.socket";
|
|
SocketMode = "0600";
|
|
Accept = true;
|
|
};
|
|
};
|
|
|
|
systemd.services."root-login@" =
|
|
{ description = "Root Login %i";
|
|
environment.TERM = "linux";
|
|
serviceConfig =
|
|
{ Type = "simple";
|
|
StandardInput = "socket";
|
|
ExecStart = "${pkgs.socat}/bin/socat -t0 - \"exec:${pkgs.shadow}/bin/login -f root,pty,setsid,setpgid,stderr,ctty\"";
|
|
TimeoutStopSec = 1; # FIXME
|
|
};
|
|
restartIfChanged = false;
|
|
};
|
|
|
|
# Provide a daemon on /var/lib/run-command.socket that reads a
|
|
# command from stdin and executes it.
|
|
systemd.sockets.run-command =
|
|
{ description = "Run Command Socket";
|
|
wantedBy = [ "sockets.target" ];
|
|
socketConfig =
|
|
{ ListenStream = "/var/lib/run-command.socket";
|
|
SocketMode = "0600"; # only root can connect
|
|
Accept = true;
|
|
};
|
|
};
|
|
|
|
systemd.services."run-command@" =
|
|
{ description = "Run Command %i";
|
|
environment.TERM = "linux";
|
|
serviceConfig =
|
|
{ Type = "simple";
|
|
StandardInput = "socket";
|
|
TimeoutStopSec = 1; # FIXME
|
|
};
|
|
script =
|
|
''
|
|
#! ${pkgs.stdenv.shell} -e
|
|
source /etc/bashrc
|
|
read c
|
|
eval "command=($c)"
|
|
exec "''${command[@]}"
|
|
'';
|
|
restartIfChanged = false;
|
|
};
|
|
|
|
systemd.services.container-startup-done =
|
|
{ description = "Container Startup Notification";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "multi-user.target" ];
|
|
script =
|
|
''
|
|
if [ -p /var/lib/startup-done ]; then
|
|
echo done > /var/lib/startup-done
|
|
fi
|
|
'';
|
|
serviceConfig.Type = "oneshot";
|
|
serviceConfig.RemainAfterExit = true;
|
|
restartIfChanged = false;
|
|
};
|
|
|
|
};
|
|
|
|
}
|