From e2b7bdd08d2fccaa5f714d35b78930c6091eb7e1 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Thu, 4 Feb 2021 15:01:10 +0100
Subject: [PATCH] nixos/cri-o: add OCI seccomp bpf hook support
We now set the hooks dir correctly if the OCI hook is enabled. CRI-O supports this specific hook from v1.20.0.
Signed-off-by: Sascha Grunert
---
 nixos/modules/virtualisation/cri-o.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix
index aa416e7990a8..8d352e36ef99 100644
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@@ -103,7 +103,10 @@ in
 cgroup_manager = "systemd"
 log_level = "${cfg.logLevel}"
 pinns_path = "${cfg.package}/bin/pinns"
- hooks_dir = []
+ hooks_dir = [
+ ${lib.optionalString config.virtualisation.containers.ociSeccompBpfHook.enable
+ ''"${config.boot.kernelPackages.oci-seccomp-bpf-hook}",''}
+ ]
 ${optionalString (cfg.runtime != null) ''
 default_runtime = "${cfg.runtime}"