Unverified Commit ea9923c6 authored by Dawid Dziurla's avatar Dawid Dziurla

nixos/incus: add incus-user service and socket

parent e92d5eb3
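--- a/RELEASE-NOTES-PATH-NOT-ON-PAGE
+++ b/RELEASE-NOTES-PATH-NOT-ON-PAGE
@@ -860,6 +860,8 @@
 
 - `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.
 
+- `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to `incus` group instead of `incus-admin` for increased security.
+
 ## Detailed Migration Information {#sec-release-24.11-migration}
 
 ### `sound` options removal {#sec-release-24.11-migration-sound}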
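--- a/INCUS-MODULE-PATH-NOT-ON-PAGE
+++ b/INCUS-MODULE-PATH-NOT-ON-PAGE
@@ -153,7 +153,10 @@ in
 
         Users in the "incus-admin" group can interact with
         the daemon (e.g. to start or stop containers) using the
-        {command}`incus` command line tool, among others
+        {command}`incus` command line tool, among others.
+        Users in the "incus" group can also interact with
+        the daemon, but with lower permissions
+        (i.e. administrative operations are forbidden).
       '';
 
       package = lib.mkPackageOption pkgs "incus-lts" { };
@@ -359,6 +362,27 @@ in
       };
     };
 
+    systemd.services.incus-user = {
+      description = "Incus Container and Virtual Machine Management User Daemon";
+
+      inherit environment;
+
+      after = [
+        "incus.service"
+        "incus-user.socket"
+      ];
+
+      requires = [
+        "incus-user.socket"
+      ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/incus-user --group incus";
+
+        Restart = "on-failure";
+      };
+    };
+
     systemd.services.incus-startup = lib.mkIf cfg.softDaemonRestart {
       description = "Incus Instances Startup/Shutdown";
 
@@ -391,6 +415,17 @@ in
       };
     };
 
+    systemd.sockets.incus-user = {
+      description = "Incus user UNIX socket";
+      wantedBy = [ "sockets.target" ];
+
+      socketConfig = {
+        ListenStream = "/var/lib/incus/unix.socket.user";
+        SocketMode = "0660";
+        SocketGroup = "incus";
+      };
+    };
+
     systemd.services.incus-preseed = lib.mkIf (cfg.preseed != null) {
       description = "Incus initialization with preseed file";
 
@@ -409,6 +444,7 @@ in
       };
     };
 
+    users.groups.incus = { };
     users.groups.incus-admin = { };
 
     users.users.root = {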
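Review bot: The new `systemd.services.incus-user` and `systemd.sockets.incus-user` units (second and third hunks) are unconditional, whereas the neighbouring `incus-startup` and `incus-preseed` units are gated with `lib.mkIf`; every host that enables the module therefore gets an additional daemon (no `User=` is set, so presumably running as root) and a group-accessible `0660` socket at `/var/lib/incus/unix.socket.user` pulled in by `sockets.target`, even when no account is in the `incus` group. Consider an opt-out so both units can be wrapped as `systemd.services.incus-user = lib.mkIf <new option> { … }` and `systemd.sockets.incus-user = lib.mkIf <new option> { … }`, with the option name chosen to match the module's existing style. The option description in the first hunk (its enclosing `description = ''` string starts outside the hunk) could also state where the lower-privilege daemon listens, e.g. appending `Members of the "incus" group reach the daemon through /var/lib/incus/unix.socket.user.` so that operators know which socket to protect and audit.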