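# NixOS module that generates the shared /etc/containers configuration
# (containers.conf, storage.conf, registries.conf, policy.json) used by the
# container tooling (podman, skopeo, buildah, ...) on this system.
{ config, lib, pkgs, ... }:
let
  cfg = config.virtualisation.containers;

  inherit (lib) literalExpression mkOption types;

  # Generator/type for the TOML files written below.
  toml = pkgs.formats.toml { };
in
{
  meta = {
    maintainers = [ ] ++ lib.teams.podman.members;
  };

  options.virtualisation.containers = {

    enable =
      mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          This option enables the common /etc/containers configuration module.
        '';
      };

    ociSeccompBpfHook.enable = mkOption {
      type = types.bool;
      default = false;
      description = lib.mdDoc "Enable the OCI seccomp BPF hook";
    };

    containersConf.settings = mkOption {
      type = toml.type;
      default = { };
      description = lib.mdDoc "containers.conf configuration";
    };

    # No `default` here on purpose: the base value is contributed from the
    # `config` section below so that user-supplied plugins are merged with it
    # instead of replacing it.
    containersConf.cniPlugins = mkOption {
      type = types.listOf types.package;
      defaultText = literalExpression ''
        [
          pkgs.cni-plugins
        ]
      '';
      example = literalExpression ''
        [
          pkgs.cniPlugins.dnsname
        ]
      '';
      description = lib.mdDoc ''
        CNI plugins to install on the system.
      '';
    };

    storage.settings = mkOption {
      type = toml.type;
      default = {
        storage = {
          driver = "overlay";
          graphroot = "/var/lib/containers/storage";
          runroot = "/run/containers/storage";
        };
      };
      description = lib.mdDoc "storage.conf configuration";
    };

    # Each sub-option becomes a `[registries.<name>] registries = [ ... ]`
    # table in registries.conf (see the generator in `config` below).
    registries = {
      search = mkOption {
        type = types.listOf types.str;
        default = [ "docker.io" "quay.io" ];
        description = lib.mdDoc ''
          Registries that are tried, in order, when an image is referenced
          by an unqualified (short) name. A short name may resolve to
          different images on different registries in this list, so use a
          fully qualified reference where a specific image is required.
        '';
      };

      insecure = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = lib.mdDoc ''
          Registries that may be contacted over plain HTTP or without
          verifying their TLS certificate. Content pulled from a registry
          listed here is not protected against tampering in transit.
        '';
      };

      block = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = lib.mdDoc ''
          Registries that are blocked: pulling from and pushing to them is
          refused.
        '';
      };
    };

    policy = mkOption {
      default = { };
      type = types.attrs;
      example = literalExpression ''
        {
          default = [ { type = "insecureAcceptAnything"; } ];
          transports = {
            docker-daemon = {
              "" = [ { type = "insecureAcceptAnything"; } ];
            };
          };
        }
      '';
      description = lib.mdDoc ''
        Signature verification policy file (`policy.json`).
        If this option is empty the default policy file from
        `skopeo` will be used, which accepts any image without
        requiring a signature (it matches the example above). Set an
        explicit policy to enforce signature verification.
      '';
    };

  };

  config = lib.mkIf cfg.enable {

    # Base plugin set; merged with anything the user adds to the option.
    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];

    virtualisation.containers.containersConf.settings = {
      network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
      engine = {
        init_path = "${pkgs.catatonit}/bin/catatonit";
      } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
        # The hook package is built against the running kernel's packages.
        hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
      };
    };

    environment.etc."containers/containers.conf".source =
      toml.generate "containers.conf" cfg.containersConf.settings;

    environment.etc."containers/storage.conf".source =
      toml.generate "storage.conf" cfg.storage.settings;

    # Emits one `[registries.<search|insecure|block>]` table per sub-option,
    # each carrying a `registries` list.
    environment.etc."containers/registries.conf".source = toml.generate "registries.conf" {
      registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
    };

    # An explicitly empty policy falls back to skopeo's shipped default file.
    environment.etc."containers/policy.json".source =
      if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
      else "${pkgs.skopeo.policy}/default-policy.json";
  };

}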