docker: use fixed high id for unpriv user
This should keep us consistent for backup purposes etc.
ahayzen committed Apr 21, 2024
1 parent cb9ce17 commit 386f314
Showing 1 changed file with 35 additions and 3 deletions.
38 changes: 35 additions & 3 deletions nixos/modules/headless/docker.nix
Expand Up @@ -58,8 +58,40 @@
};

# Define the unpriv user for docker
users.users.unpriv = {
isNormalUser = true;
#
# Set this to a high id so that we remain stable
users = {
groups.unpriv = {
gid = 2000;
};
users.unpriv = {
isNormalUser = true;
group = "unpriv";
uid = 2000;

# Map the root sub id to the same as the user (as it is unpriviledged)
# then map the remaining uids high
subGidRanges = [
{
count = 1;
startGid = 2000;
}
{
count = 65535;
startGid = 200001;
}
];
subUidRanges = [
{
count = 1;
startUid = 2000;
}
{
count = 65535;
startUid = 200001;
}
];
};
};

virtualisation.docker = {
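Review bot: the first entry of subUidRanges/subGidRanges maps the container's root (id 0) onto host uid/gid 2000, i.e. onto the unpriv user itself, so a root process inside any container has exactly the access unpriv has on the host, including its home directory and any bind mount unpriv owns; the comment says this is the intent, but it should state explicitly that the mapping is deliberate and that unpriv must therefore own nothing beyond container data. Two things to verify after the rebuild: `isNormalUser = true` enables `autoSubUidGidRange` by default, so unless that is set to false NixOS may add a third, auto-allocated block for unpriv to /etc/subuid and /etc/subgid on top of the two defined here; and the explicit block `200001`..`265535` should be checked against the blocks auto-allocated to other users on this host so the ranges do not overlap. Minor: "unpriviledged" in the comment should be "unprivileged", and since the two ranges together give exactly 65536 ids, the minimum Docker's userns-remap requires, the comment could say that the counts must not be reduced.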
Expand All @@ -73,7 +105,7 @@
daemon.settings = {
dns = [ "9.9.9.9" ];
no-new-privileges = true;
userns-remap = "unpriv:users";
userns-remap = "unpriv:unpriv";
};

# rootless is too problematic as it requires services to run as user services
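Review bot: `userns-remap = "unpriv:unpriv"` matches the new group from the first hunk, but the change also moves Docker's data root: with userns-remap enabled the daemon keeps images, containers and volumes under a directory named after the remapped uid and gid, and because the gid now comes from the new `unpriv` group instead of `users` (and the uid is newly pinned to 2000), everything stored under the previous directory will no longer be visible after the rebuild and must be migrated or re-pulled; this is worth a line in the commit message. Also confirm ordering: the daemon resolves `unpriv` through /etc/subuid and /etc/subgid, which NixOS generates from the ranges in the first hunk, so those entries must exist before docker.service starts or the daemon will fail to come up.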
