| blob | d1115b361593b21e52fdf46ac86de3a90c0944af |
1 {
2 config,
3 pkgs,
4 lib,
5 ...
6 }:
8 let
9 cfg = config.programs.singularity;
10 in
11 {
13 options.programs.singularity = {
14 enable = lib.mkEnableOption "singularity" // {
15 description = ''
16 Whether to install Singularity/Apptainer with system-level overriding such as SUID support.
17 '';
18 };
19 package = lib.mkPackageOption pkgs "singularity" { example = "apptainer"; };
20 packageOverriden = lib.mkOption {
21 type = lib.types.nullOr lib.types.package;
22 default = null;
23 description = ''
24 This option provides access to the overridden result of `programs.singularity.package`.
26 For example, the following configuration makes all the Nixpkgs packages use the overridden `singularity`:
27 ```Nix
28 { config, lib, pkgs, ... }:
29 {
30 nixpkgs.overlays = [
31 (final: prev: {
32 _singularity-orig = prev.singularity;
33 singularity = config.programs.singularity.packageOverriden;
34 })
35 ];
36 programs.singularity.enable = true;
37 programs.singularity.package = pkgs._singularity-orig;
38 }
39 ```
41 Use `lib.mkForce` to forcefully specify the overridden package.
42 '';
43 };
44 enableExternalLocalStateDir = lib.mkOption {
45 type = lib.types.bool;
46 default = true;
47 example = false;
48 description = ''
49 Whether to use top-level directories as LOCALSTATEDIR
50 instead of the store path ones.
51 This affects the SESSIONDIR of Apptainer/Singularity.
52 If set to true, the SESSIONDIR will become
53 `/var/lib/''${projectName}/mnt/session`.
54 '';
55 };
56 enableFakeroot = lib.mkOption {
57 type = lib.types.bool;
58 default = true;
59 description = ''
60 Whether to enable the `--fakeroot` support of Singularity/Apptainer.
62 This option is deprecated and has no effect.
63 `--fakeroot` support is enabled automatically,
64 as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
65 '';
66 };
67 enableSuid = lib.mkOption {
68 type = lib.types.bool;
69 # SingularityCE requires SETUID for most things. Apptainer prefers user
70 # namespaces, e.g. `apptainer exec --nv` would fail if built
71 # `--with-suid`:
72 # > `FATAL: nvidia-container-cli not allowed in setuid mode`
73 default = cfg.package.projectName != "apptainer";
74 defaultText = lib.literalExpression ''config.services.singularity.package.projectName != "apptainer"'';
75 example = false;
76 description = ''
77 Whether to enable the SUID support of Singularity/Apptainer.
78 '';
79 };
80 systemBinPaths = lib.mkOption {
81 type = lib.types.listOf lib.types.path;
82 default = [ ];
83 description = ''
84 (Extra) system-wide /**/bin paths
85 for Apptainer/Singularity to find command-line utilities in.
87 `"/run/wrappers/bin"` is included by default to make
88 utilities with SUID bit set available to Apptainer/Singularity.
89 Use `lib.mkForce` to shadow the default values.
90 '';
91 };
92 };
94 config = lib.mkIf cfg.enable {
95 programs.singularity.packageOverriden = (
96 cfg.package.override (
97 {
98 systemBinPaths = cfg.systemBinPaths;
99 }
100 // lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
101 // lib.optionalAttrs cfg.enableSuid {
102 enableSuid = true;
103 starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
104 }
105 )
106 );
107 programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
108 environment.systemPackages = [ cfg.packageOverriden ];
109 security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
110 setuid = true;
111 owner = "root";
112 group = "root";
113 source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";
114 };
115 systemd.tmpfiles.rules = lib.mkIf cfg.enableExternalLocalStateDir [
116 "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"
117 ];
118 };
119 }