Merge pull request #270175 from ShamrockLee/backport-23.11-apptainer-localstatedir

- A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant.

- Apptainer/Singularity now defaults to using `"$out/var/lib"` for the `LOCALSTATEDIR` configuration option instead of the top-level `"/var/lib"`. This change impacts the `SESSIONDIR` (container-run-time mount point) configuration, which is set to `$LOCALSTATEDIR/<apptainer or singularity>/mnt/session`. This detaches the packages from the top-level directory, rendering the NixOS module optional.

  The default behavior of the NixOS module `programs.singularity` stays unchanged. We add a new option `programs.singularity.enableExternalSysConfDir` (default to `true`) to specify whether to set the top-level `"/var/lib"` as `LOCALSTATEDIR` or not.

- DocBook option documentation is no longer supported, all module documentation now uses markdown.

- `services.outline` can now be configured to use local filesystem storage instead of S3 storage using [services.outline.storage.storageType](#opt-services.outline.storage.storageType).

        Use `lib.mkForce` to forcefully specify the overridden package.

      '';

    };

    enableExternalLocalStateDir = mkOption {

      type = types.bool;

      default = true;

      example = false;

      description = mdDoc ''

        Whether to use top-level directories as LOCALSTATEDIR

        instead of the store path ones.

        This affects the SESSIONDIR of Apptainer/Singularity.

        If set to true, the SESSIONDIR will become

        `/var/lib/''${projectName}/mnt/session`.

      '';

    };

    enableFakeroot = mkOption {

      type = types.bool;

      default = true;

  config = mkIf cfg.enable {

    programs.singularity.packageOverriden = (cfg.package.override (

      optionalAttrs cfg.enableFakeroot {

      optionalAttrs cfg.enableExternalLocalStateDir {

        externalLocalStateDir = "/var/lib";

      } // optionalAttrs cfg.enableFakeroot {

        newuidmapPath = "/run/wrappers/bin/newuidmap";

        newgidmapPath = "/run/wrappers/bin/newgidmap";

      } // optionalAttrs cfg.enableSuid {

      group = "root";

      source = "${cfg.packageOverriden}/libexec/${cfg.packageOverriden.projectName}/bin/starter-suid.orig";

    };

    systemd.tmpfiles.rules = [

    systemd.tmpfiles.rules = mkIf cfg.enableExternalLocalStateDir [

      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/session 0770 root root -"

      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/final 0770 root root -"

      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/overlay 0770 root root -"

      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/container 0770 root root -"

      "d /var/lib/${cfg.packageOverriden.projectName}/mnt/source 0770 root root -"

    ];

  };

, newuidmapPath ? null

  # Path to SUID-ed newgidmap executable

, newgidmapPath ? null

  # External LOCALSTATEDIR

, externalLocalStateDir ? null

  # Remove the symlinks to `singularity*` when projectName != "singularity"

, removeCompat ? false

  # Workaround #86349

    inherit

      enableSeccomp

      enableSuid

      externalLocalStateDir

      projectName

      removeCompat

      starterSuidPath

  configureScript = "./mconfig";

  configureFlags = [

    "--localstatedir=/var/lib"

    "--localstatedir=${if externalLocalStateDir != null then externalLocalStateDir else "${placeholder "out"}/var/lib"}"

    "--runstatedir=/var/run"

  ]

  ++ lib.optional (!enableSeccomp) "--without-seccomp"

            touch .${projectName}.d/env/94-appsbase.sh

            cd ..

            mkdir -p /var/lib/${projectName}/mnt/{container,final,overlay,session,source}

            mkdir -p /var/lib/${projectName}/mnt/session

            echo "root:x:0:0:System administrator:/root:/bin/sh" > /etc/passwd

            echo > /etc/resolv.conf

            TMPDIR=$(pwd -P) ${projectName} build $out ./img