nixos.virtualisation.containers: Init common /etc/containers configuration module
Currently both cri-o and podman create /etc/containers/policy.json. By splitting out the creation of the configuration files we can make the podman module leaner and let it compose better with other container software.
1 parent
650df70
commit 43f383c
Showing
4 changed files
with
157 additions
and
119 deletions.
@@ -0,0 +1,150 @@ | ||
{ config, lib, pkgs, ... }: | ||
let | ||
cfg = config.virtualisation.containers; | ||
|
||
inherit (lib) mkOption types; | ||
|
||
# Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator | ||
toTOML = name: value: pkgs.runCommandNoCC name { | ||
nativeBuildInputs = [ pkgs.remarshal ]; | ||
value = builtins.toJSON value; | ||
passAsFile = [ "value" ]; | ||
} '' | ||
json2toml "$valuePath" "$out" | ||
''; | ||
|
||
# Copy configuration files to avoid having the entire sources in the system closure | ||
copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} '' | ||
cp ${filePath} $out | ||
''; | ||
in | ||
{ | ||
meta = { | ||
maintainers = [] ++ lib.teams.podman.members; | ||
}; | ||
|
||
options.virtualisation.containers = { | ||
|
||
enable = | ||
mkOption { | ||
type = types.bool; | ||
default = false; | ||
description = '' | ||
This option enables the common libpod container configuration module. | ||
''; | ||
}; | ||
|
||
registries = { | ||
search = mkOption { | ||
type = types.listOf types.str; | ||
default = [ "docker.io" "quay.io" ]; | ||
description = '' | ||
List of repositories to search. | ||
''; | ||
}; | ||
|
||
insecure = mkOption { | ||
default = []; | ||
type = types.listOf types.str; | ||
description = '' | ||
List of insecure repositories. | ||
''; | ||
}; | ||
|
||
block = mkOption { | ||
default = []; | ||
type = types.listOf types.str; | ||
description = '' | ||
List of blocked repositories. | ||
''; | ||
}; | ||
}; | ||
|
||
policy = mkOption { | ||
default = {}; | ||
type = types.attrs; | ||
example = lib.literalExample '' | ||
{ | ||
default = [ { type = "insecureAcceptAnything"; } ]; | ||
transports = { | ||
docker-daemon = { | ||
"" = [ { type = "insecureAcceptAnything"; } ]; | ||
}; | ||
}; | ||
} | ||
''; | ||
description = '' | ||
Signature verification policy file. | ||
If this option is empty the default policy file from | ||
<literal>skopeo</literal> will be used. | ||
''; | ||
}; | ||
|
||
users = mkOption { | ||
default = []; | ||
type = types.listOf types.str; | ||
description = '' | ||
List of users to set up subuid/subgid mappings for. | ||
This is a requirement for running rootless containers. | ||
''; | ||
}; | ||
|
||
libpod = mkOption { | ||
default = {}; | ||
description = "Libpod configuration"; | ||
type = types.submodule { | ||
options = { | ||
|
||
extraConfig = mkOption { | ||
type = types.lines; | ||
default = ""; | ||
description = '' | ||
Extra configuration that should be put in the libpod.conf | ||
configuration file | ||
''; | ||
|
||
}; | ||
}; | ||
}; | ||
}; | ||
|
||
}; | ||
|
||
config = lib.mkIf cfg.enable { | ||
|
||
environment.etc."containers/libpod.conf".text = '' | ||
cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"] | ||
cni_config_dir = "/etc/cni/net.d/" | ||
'' + cfg.libpod.extraConfig; | ||
|
||
environment.etc."containers/registries.conf".source = toTOML "registries.conf" { | ||
registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; | ||
}; | ||
|
||
users.extraUsers = builtins.listToAttrs ( | ||
( | ||
builtins.foldl' ( | ||
acc: user: { | ||
values = acc.values ++ [ | ||
{ | ||
name = user; | ||
value = { | ||
subUidRanges = [ { startUid = acc.offset; count = 65536; } ]; | ||
subGidRanges = [ { startGid = acc.offset; count = 65536; } ]; | ||
}; | ||
} | ||
]; | ||
offset = acc.offset + 65536; | ||
} | ||
) | ||
{ values = []; offset = 100000; } (lib.unique cfg.users) | ||
).values | ||
); | ||
|
||
environment.etc."containers/policy.json".source = | ||
if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy) | ||
else copyFile "${pkgs.skopeo.src}/default-policy.json"; | ||
}; | ||
|
||
} |
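Review bot: The descriptions of the `registries.insecure` and `policy` options leave out the security consequence of the setting, which is exactly what an operator needs before turning it on. For `insecure`, the generated registries.conf section marks the listed hosts as reachable over plain HTTP or with unverified TLS, so I would phrase it `List of registries that may be contacted over HTTP or with unverified TLS certificates (no transport security).`; for `policy`, the fallback copies skopeo's shipped default-policy.json, which to my knowledge accepts any image without signature verification (confirm against the skopeo source), so the description should read `If this option is empty the default policy file from skopeo is used, which does not enforce signature verification.` Separately, the `builtins.foldl'` in `users.extraUsers` assigns subuid/subgid ranges purely by position in `cfg.users` from offset 100000, with no overlap check against `subUidRanges`/`subGidRanges` declared elsewhere, and adding or reordering a user silently reassigns every later user's range; a comment such as `# Ranges are allocated sequentially from 100000 with no overlap check against other subUidRanges/subGidRanges definitions; changing the order or membership of cfg.users reassigns ranges` would make that trade-off visible to maintainers.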