nixos/filesystems: fix special file-systems for systemd-nspawn

This is a subset of aba55d1b960b4b1817bc2a32deeba447ae51f0a3 (#67336)[1] that I (Ma27) am using for quite a while in my systemd-nspawn setup (without `nixos-container`) to have unprivileged containers. Recently, Linus reminded me that this isn't part of upstream NixOS and their setup fails like this when activating config in an nspawn instance (no shared store): stderr) activating the configuration... stdout) setting up /etc... stderr) mount: /dev: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stderr) mount: /dev/pts: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stderr) mount: /dev/shm: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stderr) mount: /run: permission denied. stderr) dmesg(1) may have more information after failed mount system call. stdout) Activation script snippet 'specialfs' failed (32) So I decided to submit this portion again. [1] Hence I retained the original authorship. Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
2021-09-02 00:05:44 +02:00
parent eabbe2ae48
commit 4de40fc8a8
1 changed files with 23 additions and 23 deletions
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -545,6 +545,29 @@ in

    # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
    boot.specialFileSystems = {
+      # To hold secrets that shouldn't be written to disk
+      "/run/keys" = {
+        fsType = "ramfs";
+        options = [
+          "nosuid"
+          "nodev"
+          "mode=750"
+        ];
+      };
+    }
+    // optionalAttrs (!config.boot.isContainer) {
+      # systemd-nspawn populates /sys by itself, and remounting it causes all
+      # kinds of weird issues (most noticeably, waiting for host disk device
+      # nodes).
+      "/sys" = {
+        fsType = "sysfs";
+        options = [
+          "nosuid"
+          "noexec"
+          "nodev"
+        ];
+      };
+
      "/proc" = {
        fsType = "proc";
        options = [
@@ -592,29 +615,6 @@ in
          "gid=${toString config.ids.gids.tty}"
        ];
      };
-
-      # To hold secrets that shouldn't be written to disk
-      "/run/keys" = {
-        fsType = "ramfs";
-        options = [
-          "nosuid"
-          "nodev"
-          "mode=750"
-        ];
-      };
-    }
-    // optionalAttrs (!config.boot.isContainer) {
-      # systemd-nspawn populates /sys by itself, and remounting it causes all
-      # kinds of weird issues (most noticeably, waiting for host disk device
-      # nodes).
-      "/sys" = {
-        fsType = "sysfs";
-        options = [
-          "nosuid"
-          "noexec"
-          "nodev"
-        ];
-      };
    };

  };