ghoscht/arion
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add service.capabilities option

Browse source
This commit is contained in:
Robert Hensing 2019-03-11 14:36:18 +01:00
parent ac012a1ad1
commit 2f11979597
1 changed files with 28 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
src/nix/modules/service/docker-compose-service.nix
View file

@ -10,6 +10,8 @@ let
inherit (lib) mkOption types; inherit (lib) mkOption types;
inherit (types) listOf nullOr attrsOf str either int bool; inherit (types) listOf nullOr attrsOf str either int bool;
link = url: text:
''<link xlink:href="${url}">${text}</link>'';
dockerComposeRef = fragment: dockerComposeRef = fragment:
''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>''; ''See <link xlink:href="https://docs.docker.com/compose/compose-file/#${fragment}">Docker Compose#${fragment}</link>'';
dockerComposeKitchenSink = '' dockerComposeKitchenSink = ''
@ -17,6 +19,10 @@ let
${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"} ${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
''; '';
cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
in in
{ {
options = { options = {
@ -153,6 +159,24 @@ in
default = null; default = null;
description = dockerComposeRef "stop_signal"; description = dockerComposeRef "stop_signal";
}; };
service.capabilities = mkOption {
type = attrsOf (nullOr bool);
default = {};
example = { ALL = true; SYS_ADMIN = false; NET_ADMIN = false; };
description = ''
Enable/disable linux capabilities, or pick Docker's default.
Setting a capability to <code>true</code> means that it will be
"added". Setting it to <code>false</code> means that it will be "dropped".
${dockerComposeRef "cap_add-cap_drop"}
Omitted and <code>null</code> capabilities will therefore be set
according to Docker's ${
link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
"default list of capabilities."
}
'';
};
}; };
config.build.service = { config.build.service = {
@ -163,6 +187,10 @@ in
; ;
} // lib.optionalAttrs (config.service.build.context != null) { } // lib.optionalAttrs (config.service.build.context != null) {
inherit (config.service) build; inherit (config.service) build;
} // lib.optionalAttrs (cap_add != []) {
inherit cap_add;
} // lib.optionalAttrs (cap_drop != []) {
inherit cap_drop;
} // lib.optionalAttrs (config.service.command != null) { } // lib.optionalAttrs (config.service.command != null) {
inherit (config.service) command; inherit (config.service) command;
} // lib.optionalAttrs (config.service.depends_on != []) { } // lib.optionalAttrs (config.service.depends_on != []) {