84 lines
2 KiB
Nix
84 lines
2 KiB
Nix
{
|
|
lib,
|
|
pkgs,
|
|
config,
|
|
...
|
|
}:
|
|
with lib;
|
|
let
|
|
cfg = config.eboskma.podman;
|
|
|
|
podmanInterfaces = if config.networking.nftables.enable then "podman*" else "podman+";
|
|
in
|
|
{
|
|
options.eboskma.podman = {
|
|
enable = mkEnableOption "podman";
|
|
enableNvidia = mkEnableOption "podman NVidia support";
|
|
# enableTcpSocket = mkEnableOption "podman TCP socket";
|
|
insecureRegistries = mkOption {
|
|
description = "List of insecure registries that don't have a (valid) certificate";
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
environment.systemPackages = [
|
|
pkgs.podman-compose
|
|
pkgs.netavark
|
|
];
|
|
|
|
virtualisation.podman = {
|
|
enable = true;
|
|
dockerCompat = true;
|
|
|
|
autoPrune = {
|
|
enable = true;
|
|
dates = "weekly";
|
|
};
|
|
|
|
defaultNetwork.settings.dns_enabled = true;
|
|
};
|
|
|
|
virtualisation.containers = {
|
|
enable = true;
|
|
registries = {
|
|
insecure = cfg.insecureRegistries;
|
|
};
|
|
# containersConf.settings = {
|
|
# engine = {
|
|
# helper_binaries_dir = [
|
|
# "${pkgs.podman}/libexec/podman"
|
|
# ];
|
|
# };
|
|
# containers = {
|
|
# log_driver = "k8s-file";
|
|
# events_logger = "journald";
|
|
# };
|
|
# };
|
|
};
|
|
|
|
hardware.nvidia-container-toolkit.enable = cfg.enableNvidia;
|
|
|
|
users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];
|
|
|
|
# Make DNS work in containers
|
|
networking.firewall.interfaces.${podmanInterfaces} = {
|
|
allowedUDPPorts = [ 53 ];
|
|
};
|
|
|
|
# services.ghostunnel = mkIf cfg.enableTcpSocket {
|
|
# enable = true;
|
|
# servers."podman-socket" = {
|
|
# listen = "0.0.0.0:2376";
|
|
# target = "unix:/run/podman/podman.sock";
|
|
# allowAll = mkDefault true;
|
|
# extraArguments = ''
|
|
# --auto-acme-cert=mimir.internal.horus.nu
|
|
# --auto-acme-email=erwin@horus.nu
|
|
# --auto-acme-ca=https://mimir.internal.horus.nu
|
|
# '';
|
|
# };
|
|
# };
|
|
};
|
|
}
|