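# NixOS module: opinionated podman setup (Docker-compatible CLI, weekly
# auto-prune, netavark networking with in-network DNS, optional NVidia CDI).
{ lib, pkgs, config, ... }:
with lib;
let
  cfg = config.eboskma.podman;

  # Interface wildcards differ per firewall backend: nftables matches
  # "podman*", the iptables backend matches "podman+".
  podmanInterfaces =
    if config.networking.nftables.enable then "podman*" else "podman+";
in
{
  options.eboskma.podman = {
    enable = mkEnableOption "podman";

    enableNvidia = mkEnableOption "podman NVidia support";

    # enableTcpSocket = mkEnableOption "podman TCP socket";

    insecureRegistries = mkOption {
      description = ''
        List of insecure registries that don't have a (valid) certificate.
        Pulls from these registries skip TLS verification, so image content
        cannot be attributed to the named registry; keep this empty unless the
        registry is only reachable over a trusted network.
      '';
      type = types.listOf types.str;
      default = [ ];
    };
  };

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.podman-compose pkgs.netavark ];

    virtualisation.podman = {
      enable = true;
      # Exposes the podman CLI under the `docker` name.
      dockerCompat = true;
      autoPrune = {
        enable = true;
        dates = "weekly";
      };
      # Container-to-container name resolution on the default network.
      defaultNetwork.settings.dns_enabled = true;
    };

    virtualisation.containers = {
      enable = true;
      cdi.dynamic.nvidia.enable = cfg.enableNvidia;
      registries = {
        # Only the registries explicitly listed by the user are exempt from
        # certificate validation.
        insecure = cfg.insecureRegistries;
      };
      # containersConf.settings = {
      #   engine = {
      #     helper_binaries_dir = [
      #       "${pkgs.podman}/libexec/podman"
      #     ];
      #   };
      #   containers = {
      #     log_driver = "k8s-file";
      #     events_logger = "journald";
      #   };
      # };
    };

    # `users.users` is the canonical option; `users.extraUsers` was only a
    # compatibility alias for it.
    # NOTE(review): membership in the `podman` group presumably grants the main
    # user access to the rootful podman socket, which is root-equivalent on
    # this host — confirm that is intended rather than rootless podman.
    users.users.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];

    # Make DNS work in containers: the network DNS resolver listens on the
    # podman bridge interfaces, so UDP/53 has to be allowed there.
    networking.firewall.interfaces.${podmanInterfaces} = {
      allowedUDPPorts = [ 53 ];
    };

    # Disabled: TLS frontend that would publish the podman socket on TCP 2376.
    # NOTE(review): if this is ever re-enabled, `allowAll = true` admits any
    # client certificate the configured CA trusts with no identity restriction,
    # and `0.0.0.0` binds on every interface — so anyone who can obtain a cert
    # from that CA and reach the port gets root-equivalent podman API access.
    # Prefer a narrower client allow rule and a specific listen address.
    # services.ghostunnel = mkIf cfg.enableTcpSocket {
    #   enable = true;
    #   servers."podman-socket" = {
    #     listen = "0.0.0.0:2376";
    #     target = "unix:/run/podman/podman.sock";
    #     allowAll = mkDefault true;
    #     extraArguments = ''
    #       --auto-acme-cert=mimir.internal.horus.nu
    #       --auto-acme-email=erwin@horus.nu
    #       --auto-acme-ca=https://mimir.internal.horus.nu
    #     '';
    #   };
    # };
  };
}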