nixos-config/modules/docker/default.nix

79 lines
1.9 KiB
Nix

{ lib
, pkgs
, config
, ...
}:
with lib; let
cfg = config.eboskma.podman;
podmanInterfaces = if config.networking.nftables.enable then "podman*" else "podman+";
in
{
options.eboskma.podman = {
enable = mkEnableOption "podman";
enableNvidia = mkEnableOption "podman NVidia support";
# enableTcpSocket = mkEnableOption "podman TCP socket";
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.podman-compose pkgs.netavark ];
virtualisation.podman = {
enable = true;
enableNvidia = cfg.enableNvidia;
dockerCompat = true;
autoPrune = {
enable = true;
dates = "weekly";
};
defaultNetwork.settings.dns_enable = true;
};
virtualisation.containers = {
registries = {
insecure = [ "containers.internal.horus.nu" ];
search = [
"docker.io"
"quay.io"
"containers.internal.horus.nu"
];
};
containersConf.settings = {
engine = {
helper_binaries_dir = [
"${pkgs.podman}/libexec/podman"
];
};
containers = {
log_driver = "k8s-file";
events_logger = "journald";
};
};
};
users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];
# Make DNS work in containers
networking.firewall.interfaces.${podmanInterfaces} = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
# services.ghostunnel = mkIf cfg.enableTcpSocket {
# enable = true;
# servers."podman-socket" = {
# listen = "0.0.0.0:2376";
# target = "unix:/run/podman/podman.sock";
# allowAll = mkDefault true;
# extraArguments = ''
# --auto-acme-cert=mimir.internal.horus.nu
# --auto-acme-email=erwin@horus.nu
# --auto-acme-ca=https://mimir.internal.horus.nu
# '';
# };
# };
};
}