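# Podman sub-module of the "server" role: Podman with Docker CLI compatibility,
# a Docker-compatible socket for the configured user, and the kernel knobs that
# rootless containers usually need.
#
# Inputs: lib (nixpkgs lib), config (the evaluated NixOS config), user (the
# login name that gets the podman group and the DOCKER_HOST hint), pkgs, and
# the project-local `helpers.linuxAttrs` wrapper.  What linuxAttrs does is not
# visible here — presumably it gates the attribute set on Linux hosts; confirm
# in helpers before relying on that.
{ lib, config, user, pkgs, helpers, ... }:

with lib;
let
  cfgRoot = config.modules.server;
  cfg = config.modules.server.podman;
in helpers.linuxAttrs {
  options.modules.server.podman = {
    enable = mkOption {
      default = false;
      example = true;
      description = "Whether to enable Podman.";
      type = types.bool;
    };

    # Follows `enable` unless set explicitly, so turning Podman on also applies
    # the sysctl changes in `boot.kernel.sysctl` below.  Set it to false to keep
    # the kernel defaults (rootless Podman may then need manual setup).
    tweakKernel = mkOption {
      default = cfg.enable;
      description = "Whether to tweak kernel configuration";
      type = types.bool;
    };
  };

  # Only active when both the server role and this sub-module are enabled.
  config = mkIf (cfg.enable && cfgRoot.enable) {
    # SECURITY: a trusted interface bypasses the host firewall entirely, so
    # every container on the rootful default network (bridge podman0) can reach
    # every service listening on the host.  This is the blunt way to let the
    # built-in DNS resolver (dns_enabled below) answer container queries.  If
    # containers need nothing else from the host, the tighter form is usually
    #   networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
    #   networking.firewall.interfaces.podman0.allowedTCPPorts = [ 53 ];
    networking.firewall.trustedInterfaces = [ "podman0" ];
    virtualisation = {
      # Run `virtualisation.oci-containers.containers.*` under Podman.
      oci-containers.backend = "podman";
      podman = {
        enable = true;
        # Installs a `docker` alias for the Podman CLI.
        dockerCompat = true;
        # Periodic `podman system prune`: reclaims disk, but also deletes
        # stopped containers and unreferenced images, so nothing long-lived may
        # depend on those surviving.
        autoPrune.enable = true;
        extraPackages = with pkgs; [ podman-compose ];
        defaultNetwork.settings = {
          # Name resolution between containers on the default network.
          dns_enabled = true;
        };
      };
    };

    # docker-compose talks to whatever DOCKER_HOST points at (set in extraInit
    # below); podman-compose comes in via extraPackages above.
    environment.systemPackages = with pkgs; [ docker-compose ];

    # SECURITY: the `podman` group is the group the NixOS module uses to grant
    # access to the *rootful* socket once `virtualisation.podman.dockerSocket.enable`
    # is set, and members of that socket's group are root-equivalent.  That
    # option is not enabled here, so today membership grants nothing
    # root-equivalent; revisit this line before ever enabling the rootful socket.
    users.users."${user}".extraGroups = [ "podman" ];

    # Point Docker-compatible clients at the per-user rootless Podman socket
    # rather than the rootful one.  Only applied when DOCKER_HOST is unset and a
    # runtime dir exists, so an explicit DOCKER_HOST in the environment wins.
    # Two `[ ]` tests joined with `&&` instead of the obsolescent `-a` form.
    # The rootless socket must actually be listening for this to work — the
    # NixOS module ships a user-level `podman.socket`; TODO confirm it is
    # enabled for this user on this NixOS release.
    environment.extraInit = ''
      if [ -z "$DOCKER_HOST" ] && [ -n "$XDG_RUNTIME_DIR" ]; then
        export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/podman/podman.sock"
      fi
    '';

    boot.kernel.sysctl = mkIf cfg.tweakKernel {
      # Rootless Podman needs unprivileged user namespaces.  NOTE(review): this
      # key only exists on kernels carrying the Debian/Arch userns patch;
      # mainline and stock NixOS kernels allow unprivileged userns by default
      # and expose the NixOS-native switch `security.allowUserNamespaces`
      # instead, and systemd-sysctl will complain about an unknown key —
      # confirm against the kernel actually in use.
      "kernel.unprivileged_userns_clone" = true;
      # SECURITY: this lets ANY unprivileged process on the host — not only
      # Podman — bind every port from 80 upward (80, 443, ... and the rest of
      # the formerly privileged range).  It is what allows rootless containers
      # to publish 80/443 directly; raise the value or drop the line if
      # unprivileged port squatting by local users is a concern.
      "net.ipv4.ip_unprivileged_port_start" = "80";
      # Allow unprivileged ICMP echo (ping from rootless containers) for group
      # ids 0 through 65536.
      "net.ipv4.ping_group_range" = "0 65536";
    };
  };
}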