nixos-module/server/lxc-containers: update permissions

2021-05-31 00:40:19 +02:00 · 2021-05-31 00:40:19 +02:00 · b87b73d358
parent 24b36568ca
commit b87b73d358
1 changed files with 4 additions and 2 deletions
--- a/nix/nixos-module/server/lxc-containers.nix
+++ b/nix/nixos-module/server/lxc-containers.nix
@ -168,16 +168,18 @@ in

            lxc.autodev = 1
            lxc.tty.max = 0
+            lxc.pty.max = 8

-            lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio sys_time mknod
-            lxc.apparmor.profile = unchanged
+            lxc.cap.drop = sys_module sys_time sys_nice sys_pacct sys_rawio
            security.privileged = false
+            lxc.apparmor.profile = lxc-container-default-with-mounting

            lxc.cgroup.memory.limit_in_bytes = 1G
            lxc.cgroup.memory.kmem.tcp.limit_in_bytes = 128M

            # tuntap
            lxc.cgroup.devices.allow = c 10:200 rw
+            lxc.cgroup2.devices.allow = c 10:200 rw

            ${netConfig ctName containers.${ctName}.physicalInterfaces}
          '';