Add service.capabilities option
This commit is contained in:
Robert Hensing
parent
ac012a1ad1
commit
2f11979597
1 changed files with 28 additions and 0 deletions
|
|
@ -10,6 +10,8 @@ let
|
|||
inherit (lib) mkOption types;
|
||||
inherit (types) listOf nullOr attrsOf str either int bool;
|
||||
|
||||
link = url: text:
|
||||
''<link xlink:href="${url}">${text}</link>'';
|
||||
dockerComposeRef = fragment:
|
||||
''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
|
||||
dockerComposeKitchenSink = ''
|
||||
|
|
@ -17,6 +19,10 @@ let
|
|||
|
||||
${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
|
||||
'';
|
||||
|
||||
cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
|
||||
cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
|
||||
|
||||
in
|
||||
{
|
||||
options = {
|
||||
|
|
@ -153,6 +159,24 @@ in
|
|||
default = null;
|
||||
description = dockerComposeRef "stop_signal";
|
||||
};
|
||||
service.capabilities = mkOption {
|
||||
type = attrsOf (nullOr bool);
|
||||
default = {};
|
||||
example = { ALL = true; SYS_ADMIN = false; NET_ADMIN = false; };
|
||||
description = ''
|
||||
Enable/disable linux capabilities, or pick Docker's default.
|
||||
|
||||
Setting a capability to <code>true</code> means that it will be
|
||||
"added". Setting it to <code>false</code> means that it will be "dropped".
|
||||
${dockerComposeRef "cap_add-cap_drop"}
|
||||
|
||||
Omitted and <code>null</code> capabilities will therefore be set
|
||||
according to Docker's ${
|
||||
link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
|
||||
"default list of capabilities."
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config.build.service = {
|
||||
|
|
@ -163,6 +187,10 @@ in
|
|||
;
|
||||
} // lib.optionalAttrs (config.service.build.context != null) {
|
||||
inherit (config.service) build;
|
||||
} // lib.optionalAttrs (cap_add != []) {
|
||||
inherit cap_add;
|
||||
} // lib.optionalAttrs (cap_drop != []) {
|
||||
inherit cap_drop;
|
||||
} // lib.optionalAttrs (config.service.command != null) {
|
||||
inherit (config.service) command;
|
||||
} // lib.optionalAttrs (config.service.depends_on != []) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue