2024-02-05 11:46:52 +01:00
|
|
|
{
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
config,
|
|
|
|
|
...
|
2022-03-01 22:19:03 +01:00
|
|
|
}:
|
2024-02-05 11:46:52 +01:00
|
|
|
with lib;
|
|
|
|
|
let
|
2023-12-20 11:25:45 +01:00
|
|
|
cfg = config.eboskma.podman;
|
2024-01-02 22:44:04 +01:00
|
|
|
|
|
|
|
|
podmanInterfaces = if config.networking.nftables.enable then "podman*" else "podman+";
|
2022-04-27 00:21:19 +02:00
|
|
|
in
|
|
|
|
|
{
|
2023-12-20 11:25:45 +01:00
|
|
|
options.eboskma.podman = {
|
|
|
|
|
enable = mkEnableOption "podman";
|
|
|
|
|
enableNvidia = mkEnableOption "podman NVidia support";
|
|
|
|
|
# enableTcpSocket = mkEnableOption "podman TCP socket";
|
2024-01-24 17:11:29 +01:00
|
|
|
insecureRegistries = mkOption {
|
|
|
|
|
description = "List of insecure registries that don't have a (valid) certificate";
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
default = [ ];
|
|
|
|
|
};
|
2022-12-06 13:43:00 +01:00
|
|
|
};
|
2021-11-21 19:07:12 +01:00
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
2024-02-05 11:46:52 +01:00
|
|
|
environment.systemPackages = [
|
|
|
|
|
pkgs.podman-compose
|
|
|
|
|
pkgs.netavark
|
|
|
|
|
];
|
2021-11-21 19:07:12 +01:00
|
|
|
|
2023-07-04 20:30:36 +02:00
|
|
|
virtualisation.podman = {
|
2021-11-21 19:07:12 +01:00
|
|
|
enable = true;
|
2023-07-04 20:30:36 +02:00
|
|
|
dockerCompat = true;
|
2022-12-09 10:42:31 +01:00
|
|
|
|
|
|
|
|
autoPrune = {
|
2022-12-06 13:43:00 +01:00
|
|
|
enable = true;
|
2022-12-09 10:42:31 +01:00
|
|
|
dates = "weekly";
|
2022-12-06 13:43:00 +01:00
|
|
|
};
|
2022-12-22 11:35:17 +01:00
|
|
|
|
2024-01-03 01:15:01 +01:00
|
|
|
defaultNetwork.settings.dns_enabled = true;
|
2022-10-25 09:40:08 +02:00
|
|
|
};
|
2022-12-09 10:42:31 +01:00
|
|
|
|
2022-11-11 20:40:08 +01:00
|
|
|
virtualisation.containers = {
|
2024-01-24 17:11:29 +01:00
|
|
|
enable = true;
|
2022-11-11 20:40:08 +01:00
|
|
|
registries = {
|
2024-01-24 17:11:29 +01:00
|
|
|
insecure = cfg.insecureRegistries;
|
2023-07-10 13:42:56 +02:00
|
|
|
};
|
2024-01-24 17:11:29 +01:00
|
|
|
# containersConf.settings = {
|
|
|
|
|
# engine = {
|
|
|
|
|
# helper_binaries_dir = [
|
|
|
|
|
# "${pkgs.podman}/libexec/podman"
|
|
|
|
|
# ];
|
|
|
|
|
# };
|
|
|
|
|
# containers = {
|
|
|
|
|
# log_driver = "k8s-file";
|
|
|
|
|
# events_logger = "journald";
|
|
|
|
|
# };
|
|
|
|
|
# };
|
2021-11-21 19:07:12 +01:00
|
|
|
};
|
|
|
|
|
|
2024-04-26 15:40:12 +02:00
|
|
|
hardware.nvidia-container-toolkit.enable = cfg.enableNvidia;
|
|
|
|
|
|
2023-12-20 11:25:45 +01:00
|
|
|
users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];
|
2022-12-09 10:42:31 +01:00
|
|
|
|
2023-07-04 20:30:36 +02:00
|
|
|
# Make DNS work in containers
|
2024-01-02 22:44:04 +01:00
|
|
|
networking.firewall.interfaces.${podmanInterfaces} = {
|
2023-07-04 20:30:36 +02:00
|
|
|
allowedUDPPorts = [ 53 ];
|
|
|
|
|
};
|
|
|
|
|
|
2022-12-09 10:42:31 +01:00
|
|
|
# services.ghostunnel = mkIf cfg.enableTcpSocket {
|
|
|
|
|
# enable = true;
|
|
|
|
|
# servers."podman-socket" = {
|
|
|
|
|
# listen = "0.0.0.0:2376";
|
|
|
|
|
# target = "unix:/run/podman/podman.sock";
|
|
|
|
|
# allowAll = mkDefault true;
|
|
|
|
|
# extraArguments = ''
|
|
|
|
|
# --auto-acme-cert=mimir.internal.horus.nu
|
|
|
|
|
# --auto-acme-email=erwin@horus.nu
|
|
|
|
|
# --auto-acme-ca=https://mimir.internal.horus.nu
|
|
|
|
|
# '';
|
|
|
|
|
# };
|
|
|
|
|
# };
|
2021-11-21 19:07:12 +01:00
|
|
|
};
|
|
|
|
|
}
|
