apptainer, singularity: add argument systemBinPaths

Use systemBinPaths as the new way to specify system bin paths, especifally for SUID'ed binaries. Deprecate arguments setuidmapPath and setgidmapPath in favour of systemBinPaths. Add NixOS configuration option programs.singularity.systemBinPath, with "/run/wrappers/bin" included by default.
2025-06-11 12:15:34 +03:00 · 2024-04-24 03:55:30 +08:00 · 2024-04-24 03:55:30 +08:00 · f6d9b4b6fc
commit f6d9b4b6fc
parent 409cbbe61a
2 changed files with 44 additions and 12 deletions
--- a/nixos/modules/programs/singularity.nix
+++ b/nixos/modules/programs/singularity.nix
@ -56,9 +56,12 @@ in
    enableFakeroot = lib.mkOption {
      type = lib.types.bool;
      default = true;
-      example = false;
      description = ''
        Whether to enable the `--fakeroot` support of Singularity/Apptainer.
+
+        This option is deprecated and has no effect.
+        `--fakeroot` support is enabled automatically,
+        as `systemBinPaths = [ "/run/wrappers/bin" ]` is always specified.
      '';
    };
    enableSuid = lib.mkOption {
@ -74,22 +77,34 @@ in
        Whether to enable the SUID support of Singularity/Apptainer.
      '';
    };
+    systemBinPaths = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [ ];
+      description = ''
+        (Extra) system-wide /**/bin paths
+        for Apptainer/Singularity to find command-line utilities in.
+
+        `"/run/wrappers/bin"` is included by default to make
+        utilities with SUID bit set available to Apptainer/Singularity.
+        Use `lib.mkForce` to shadow the default values.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable {
    programs.singularity.packageOverriden = (
      cfg.package.override (
-        lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
-        // lib.optionalAttrs cfg.enableFakeroot {
-          newuidmapPath = "/run/wrappers/bin/newuidmap";
-          newgidmapPath = "/run/wrappers/bin/newgidmap";
+        {
+          systemBinPaths = cfg.systemBinPaths;
        }
+        // lib.optionalAttrs cfg.enableExternalLocalStateDir { externalLocalStateDir = "/var/lib"; }
        // lib.optionalAttrs cfg.enableSuid {
          enableSuid = true;
          starterSuidPath = "/run/wrappers/bin/${cfg.package.projectName}-suid";
        }
      )
    );
+    programs.singularity.systemBinPaths = [ "/run/wrappers/bin" ];
    environment.systemPackages = [ cfg.packageOverriden ];
    security.wrappers."${cfg.packageOverriden.projectName}-suid" = lib.mkIf cfg.enableSuid {
      setuid = true;