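# Common /etc/containers configuration shared by the OCI container tooling
# (podman, skopeo, ...): containers.conf, storage.conf, registries.conf and
# the image signature policy (policy.json).
{ config, lib, pkgs, ... }:
let
  cfg = config.virtualisation.containers;

  inherit (lib) literalExpression mkOption types;

  toml = pkgs.formats.toml { };
in
{
  meta = {
    maintainers = [ ] ++ lib.teams.podman.members;
  };

  options.virtualisation.containers = {

    enable =
      mkOption {
        type = types.bool;
        default = false;
        description = ''
          This option enables the common /etc/containers configuration module.
        '';
      };

    ociSeccompBpfHook.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable the OCI seccomp BPF hook, which is added to the engine's
        `hooks_dir` in containers.conf.
      '';
    };

    containersConf.settings = mkOption {
      type = toml.type;
      default = { };
      description = "containers.conf configuration";
    };

    containersConf.cniPlugins = mkOption {
      type = types.listOf types.package;
      defaultText = literalExpression ''
        [
          pkgs.cni-plugins
        ]
      '';
      example = literalExpression ''
        [
          pkgs.cniPlugins.dnsname
        ]
      '';
      description = ''
        CNI plugins to install on the system. Their `bin` directories are
        written to `network.cni_plugin_dirs` in containers.conf.
      '';
    };

    storage.settings = mkOption {
      type = toml.type;
      description = "storage.conf configuration";
    };

    registries = {
      search = mkOption {
        type = types.listOf types.str;
        default = [ "docker.io" "quay.io" ];
        description = ''
          List of registries to search, in order, when an image name is not
          fully qualified (carries no registry component). The first registry
          that has an image of that name wins, so short names can be squatted
          on a public registry; prefer fully qualified names
          (e.g. `docker.io/library/alpine`) for anything security-relevant.
        '';
      };

      insecure = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = ''
          List of registries that may be contacted without TLS, or with a
          TLS certificate that does not validate. Image contents pulled from
          such a registry can be tampered with in transit; only list
          registries on a network you control, and do not list public ones.
        '';
      };

      block = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = ''
          List of blocked registries. Pulling from (or pushing to) these is
          refused by the container tooling.
        '';
      };
    };

    # NOTE(review): types.attrs merges shallowly - if several modules set
    # this option their top-level keys overwrite each other instead of
    # merging. Kept as-is to preserve the option's interface.
    policy = mkOption {
      default = { };
      type = types.attrs;
      example = literalExpression ''
        {
          default = [ { type = "insecureAcceptAnything"; } ];
          transports = {
            docker-daemon = {
              "" = [ { type = "insecureAcceptAnything"; } ];
            };
          };
        }
      '';
      description = ''
        Signature verification policy file (containers-policy.json).
        If this option is empty the default policy file from
        `skopeo` will be used.

        Note that a requirement of type `insecureAcceptAnything`, as used in
        the example for both the default and the `docker-daemon` transport,
        accepts any image without verifying a signature. To require signed
        images, use `signedBy` requirements (and `reject` as the default)
        instead; see containers-policy.json(5).
      '';
    };

  };

  config = lib.mkIf cfg.enable {

    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];

    virtualisation.containers.containersConf.settings = {
      # Each plugin package contributes its bin/ directory as a plugin dir.
      network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
      engine = {
        init_path = "${pkgs.catatonit}/bin/catatonit";
      } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
        # The hook package is taken from the running kernel's package set;
        # the derivation is rendered as its store path in the TOML.
        hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
      };
    };

    # Defaults only; users may override via mkForce or a plain assignment.
    virtualisation.containers.storage.settings.storage = {
      driver = lib.mkDefault "overlay";
      graphroot = lib.mkDefault "/var/lib/containers/storage";
      runroot = lib.mkDefault "/run/containers/storage";
    };

    environment.etc = {
      "containers/containers.conf".source =
        toml.generate "containers.conf" cfg.containersConf.settings;

      "containers/storage.conf".source =
        toml.generate "storage.conf" cfg.storage.settings;

      # Emits the `[registries.search] registries = [...]` (v1) layout for
      # each of search/insecure/block. NOTE(review): newer containers/image
      # releases prefer the v2 `[[registry]]` layout and may warn about v1;
      # confirm against the installed podman/skopeo before relying on this.
      "containers/registries.conf".source = toml.generate "registries.conf" {
        registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
      };

      # An empty policy option falls back to skopeo's shipped default policy.
      "containers/policy.json".source =
        if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
        else "${pkgs.skopeo.policy}/default-policy.json";
    };

  };

}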