apptainer: always specify either --with-suid or --without-suid build flag

pkgs/applications/virtualization/singularity/generic.nix

@@ -52,6 +52,9 @@ in
   # SingularityCE 3.10.0 and above requires explicit --without-seccomp when libseccomp is not available.
 , enableSeccomp ? true
   # Whether the configure script treat SUID support as default
+  # When equal to enableSuid, it supress the --with-suid / --without-suid build flag
+  # It can be set to `null` to always pass either --with-suid or --without-suided
+  # Type: null or boolean
 , defaultToSuid ? true
   # Whether to compile with SUID support
 , enableSuid ? false
@@ -131,8 +134,7 @@ buildGoModule {
     "--runstatedir=/var/run"
   ]
   ++ lib.optional (!enableSeccomp) "--without-seccomp"
-  ++ lib.optional (defaultToSuid && !enableSuid) "--without-suid"
-  ++ lib.optional (!defaultToSuid && enableSuid) "--with-suid"
+  ++ lib.optional (enableSuid != defaultToSuid) (if enableSuid then "--with-suid" else "--without-suid")
   ++ extraConfigureFlags
   ;
 

pkgs/applications/virtualization/singularity/packages.nix

@@ -29,10 +29,10 @@ let
       # Apptainer doesn't depend on conmon
       conmon = null;
 
-      # defaultToSuid becomes false since Apptainer 1.1.0
-      # https://github.com/apptainer/apptainer/pull/495
-      # https://github.com/apptainer/apptainer/releases/tag/v1.1.0
-      defaultToSuid = false;
+      # Apptainer builders require explicit --with-suid / --without-suid flag
+      # when building on a system with disabled unprivileged namespace.
+      # See https://github.com/NixOS/nixpkgs/pull/215690#issuecomment-1426954601
+      defaultToSuid = null;
     };
 
   singularity = callPackage