# NixOS module that generates the shared /etc/containers configuration used by
# the containers/image tooling (podman, skopeo, ...): containers.conf,
# storage.conf, registries.conf and policy.json.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.virtualisation.containers;

  inherit (lib) literalExpression mkOption types;

  # Option type and file generator for the TOML files written under /etc/containers.
  toml = pkgs.formats.toml { };
in
{
  meta = {
    maintainers = [ ] ++ lib.teams.podman.members;
  };

  options.virtualisation.containers = {

    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        This option enables the common /etc/containers configuration module.
      '';
    };

    # When true, the hook package from the configured kernel package set is
    # registered in containers.conf `engine.hooks_dir` (see the config section).
    ociSeccompBpfHook.enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the OCI seccomp BPF hook";
    };

    # Free-form TOML; the config section seeds `network.cni_plugin_dirs` and
    # `engine.init_path` and user definitions are merged in on top.
    containersConf.settings = mkOption {
      type = toml.type;
      default = { };
      description = "containers.conf configuration";
    };

    # Deliberately no `default`: the value is defined in the config section
    # (only when `enable` is true) and `defaultText` documents it for the manual.
    containersConf.cniPlugins = mkOption {
      type = types.listOf types.package;
      defaultText = literalExpression ''
        [
          pkgs.cni-plugins
        ]
      '';
      example = literalExpression ''
        [
          pkgs.cniPlugins.dnsname
        ]
      '';
      description = ''
        CNI plugins to install on the system.
      '';
    };

    # No `default` here either: the `storage` table is filled with lib.mkDefault
    # values in the config section, so each key can be overridden individually.
    storage.settings = mkOption {
      type = toml.type;
      description = "storage.conf configuration";
    };

    # Each attribute below becomes a `[registries.<name>]` table in
    # registries.conf (see the mapAttrs in the config section).
    registries = {
      # Registries consulted, in list order, for unqualified (short) image names.
      search = mkOption {
        type = types.listOf types.str;
        default = [
          "docker.io"
          "quay.io"
        ];
        description = ''
          List of repositories to search.
        '';
      };

      # Registries the tooling may contact over plain HTTP or with unverified
      # TLS certificates. Keep this empty unless the network path to the
      # registry is trusted; anything listed here is exposed to tampering
      # in transit.
      insecure = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = ''
          List of insecure repositories.
        '';
      };

      # Registries the tooling refuses to pull from at all.
      block = mkOption {
        default = [ ];
        type = types.listOf types.str;
        description = ''
          List of blocked repositories.
        '';
      };
    };

    # Image signature verification policy (serialised to policy.json). The
    # example is the permissive "accept anything" policy, i.e. no signature
    # checks are performed; a site that wants enforced signatures must set
    # requirement types such as signedBy here.
    # NOTE(review): `types.attrs` does not merge definitions from several
    # modules (a later definition replaces an earlier one) — confirm against
    # lib.types before relying on split definitions.
    policy = mkOption {
      default = { };
      type = types.attrs;
      example = literalExpression ''
        {
          default = [ { type = "insecureAcceptAnything"; } ];
          transports = {
            docker-daemon = {
              "" = [ { type = "insecureAcceptAnything"; } ];
            };
          };
        }
      '';
      description = ''
        Signature verification policy file.
        If this option is empty the default policy file from
        `skopeo` will be used.
      '';
    };

  };

  config = lib.mkIf cfg.enable {

    # Plain definition (not mkDefault): `types.listOf` merges by concatenation,
    # so user-supplied plugins are added to this list rather than replacing it.
    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];

    virtualisation.containers.containersConf.settings = {
      # One `<plugin>/bin` directory per configured CNI plugin package.
      network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
      engine =
        {
          init_path = "${pkgs.catatonit}/bin/catatonit";
        }
        # The hooks directory is only added when the seccomp BPF hook is enabled,
        # so the generated containers.conf has no `hooks_dir` key otherwise.
        // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
          hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
        };
    };

    # All three are mkDefault so a user definition wins without mkForce.
    virtualisation.containers.storage.settings.storage = {
      driver = lib.mkDefault "overlay";
      graphroot = lib.mkDefault "/var/lib/containers/storage";
      runroot = lib.mkDefault "/run/containers/storage";
    };

    environment.etc = {
      "containers/containers.conf".source = toml.generate "containers.conf" cfg.containersConf.settings;

      "containers/storage.conf".source = toml.generate "storage.conf" cfg.storage.settings;

      # Produces `[registries.search]`, `[registries.insecure]` and
      # `[registries.block]` tables, each with a single `registries` list.
      "containers/registries.conf".source = toml.generate "registries.conf" {
        registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
      };

      # A non-empty policy option is serialised as-is; otherwise the policy file
      # shipped with skopeo is used.
      # NOTE(review): that shipped default is itself the permissive
      # accept-anything policy, so signature enforcement requires setting the
      # option explicitly — confirm against the skopeo package.
      "containers/policy.json".source =
        if cfg.policy != { } then
          pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
        else
          "${pkgs.skopeo.policy}/default-policy.json";
    };

  };

}