diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 58f4b05c5465a..7244a7e0a8948 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -983,6 +983,7 @@
 ./testing/service-runner.nix
 ./virtualisation/anbox.nix
 ./virtualisation/container-config.nix
+ ./virtualisation/containers.nix
 ./virtualisation/nixos-containers.nix
 ./virtualisation/cri-o.nix
 ./virtualisation/docker.nix
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
new file mode 100644
index 0000000000000..e6127e2848693
--- /dev/null
+++ b/nixos/modules/virtualisation/containers.nix
@@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.virtualisation.containers; + + inherit (lib) mkOption types; + + # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator + toTOML = name: value: pkgs.runCommandNoCC name { + nativeBuildInputs = [ pkgs.remarshal ]; + value = builtins.toJSON value; + passAsFile = [ "value" ]; + } '' + json2toml "$valuePath" "$out" + ''; + + # Copy configuration files to avoid having the entire sources in the system closure + copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} '' + cp ${filePath} $out + ''; +in +{ + meta = { + maintainers = [] ++ lib.teams.podman.members; + }; + + options.virtualisation.containers = { + + enable = + mkOption { + type = types.bool; + default = false; + description = '' + This option enables the common libpod container configuration module. + ''; + }; + + registries = { + search = mkOption { + type = types.listOf types.str; + default = [ "docker.io" "quay.io" ]; + description = '' + List of repositories to search. + ''; + }; + + insecure = mkOption { + default = []; + type = types.listOf types.str; + description = '' + List of insecure repositories. + ''; + }; + + block = mkOption { + default = []; + type = types.listOf types.str; + description = '' + List of blocked repositories. + ''; + }; + }; + + policy = mkOption { + default = {}; + type = types.attrs; + example = lib.literalExample '' + { + default = [ { type = "insecureAcceptAnything"; } ]; + transports = { + docker-daemon = { + "" = [ { type = "insecureAcceptAnything"; } ]; + }; + }; + } + ''; + description = '' + Signature verification policy file. + If this option is empty the default policy file from + skopeo will be used. + ''; + }; + + users = mkOption { + default = []; + type = types.listOf types.str; + description = '' + List of users to set up subuid/subgid mappings for. + This is a requirement for running rootless containers. 
+ ''; + }; + + libpod = mkOption { + default = {}; + description = "Libpod configuration"; + type = types.submodule { + options = { + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = '' + Extra configuration that should be put in the libpod.conf + configuration file + ''; + + }; + }; + }; + }; + + }; + + config = lib.mkIf cfg.enable { + + environment.etc."containers/libpod.conf".text = '' + cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"] + cni_config_dir = "/etc/cni/net.d/" + + '' + cfg.libpod.extraConfig; + + environment.etc."containers/registries.conf".source = toTOML "registries.conf" { + registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; + }; + + users.extraUsers = builtins.listToAttrs ( + ( + builtins.foldl' ( + acc: user: { + values = acc.values ++ [ + { + name = user; + value = { + subUidRanges = [ { startUid = acc.offset; count = 65536; } ]; + subGidRanges = [ { startGid = acc.offset; count = 65536; } ]; + }; + } + ]; + offset = acc.offset + 65536; + } + ) + { values = []; offset = 100000; } (lib.unique cfg.users) + ).values + ); + + environment.etc."containers/policy.json".source = + if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy) + else copyFile "${pkgs.skopeo.src}/default-policy.json"; + }; + +}
diff --git a/nixos/modules/virtualisation/cri-o.nix b/nixos/modules/virtualisation/cri-o.nix
index 14a435f6c8bb9..7882b7fc19deb 100644
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@@ -62,9 +62,7 @@ in
 log_level = "${cfg.logLevel}"
 manage_network_ns_lifecycle = true
 '';
- environment.etc."containers/policy.json".text = ''
- {"default": [{"type": "insecureAcceptAnything"}]}
- '';
+
 environment.etc."cni/net.d/20-cri-o-bridge.conf".text = ''
 {
 "cniVersion": "0.3.1",
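Review bot: The `policy` option's description says that when the option is empty skopeo's default policy file is used, but not what that policy does; as far as I know skopeo's shipped default-policy.json is `insecureAcceptAnything` (the same policy the cri-o hunk in this commit stops hard-coding), so a reader of this option may assume image signatures are verified by default when they are not. Extend the description with a sentence such as `The policy shipped with skopeo accepts any image without signature verification; set this option to enforce signatures.` The `registries.insecure` description has the same gap: `List of insecure repositories.` does not say that entries are registries that may be contacted without TLS or with an unverifiable certificate, which is what the insecure section of registries.conf means. The subuid/subgid fold in `users.extraUsers` also assumes that nothing else in the configuration assigns `subUidRanges` to the listed users or uses ids at or above 100000; a comment above the fold stating that assumption (`# assumes no other module assigns sub-id ranges to these users`) would make the overlap risk visible. Minor style: `maintainers = [] ++ lib.teams.podman.members;` can simply be `maintainers = lib.teams.podman.members;`.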
@@ -83,6 +81,9 @@ in
 }
 '';
+ # Enable common container configuration, this will create policy.json
+ virtualisation.containers.enable = true;
+
 systemd.services.crio = {
 description = "Container Runtime Interface for OCI (CRI-O)";
 documentation = [ "https://github.com/cri-o/cri-o" ];
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index aa4846837c439..2ec45fa18a46e 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -4,7 +4,6 @@ let
 inherit (lib) mkOption types;
- # Provides a fake "docker" binary mapping to podman
 dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {
 outputs = [ "out" "bin" "man" ];
@@ -22,19 +21,11 @@ let
 done
 '';
- # Once https://github.com/NixOS/nixpkgs/pull/75584 is merged we can use the TOML generator
- toTOML = name: value: pkgs.runCommandNoCC name {
- nativeBuildInputs = [ pkgs.remarshal ];
- value = builtins.toJSON value;
- passAsFile = [ "value" ];
- } ''
- json2toml "$valuePath" "$out"
- '';
- # Copy configuration files to avoid having the entire sources in the system closure copyFile = filePath: pkgs.runCommandNoCC (builtins.unsafeDiscardStringContext (builtins.baseNameOf filePath)) {} '' cp ${filePath} $out ''; + in { meta = {
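Review bot: The added comment says enabling the common module "will create policy.json", but `virtualisation.containers.enable = true` also writes `/etc/containers/registries.conf` (with `docker.io` and `quay.io` as the default search registries) and `/etc/containers/libpod.conf`, and creates subuid/subgid ranges for any `virtualisation.containers.users`, so CRI-O hosts now inherit those defaults as well. Widen the comment so the effect is visible at the call site, e.g. `# Enable the common container configuration; this writes policy.json, registries.conf and libpod.conf under /etc/containers`. Whether the default registry search list is wanted on a CRI-O host deserves a deliberate decision rather than an inherited default. The enclosing `config` attribute set starts and ends outside the hunk.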
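Review bot: The comment `# Provides a fake "docker" binary mapping to podman` is dropped in the `@@ -4,7 +4,6` hunk while the `dockerCompat` derivation it documented stays in the file, so the new side loses its only explanation of what that derivation is for. Restore the line directly above `dockerCompat = pkgs.runCommandNoCC "${pkgs.podman.pname}-docker-compat-${pkgs.podman.version}" {`. The enclosing `let` block continues outside the hunk.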
@@ -63,80 +54,6 @@ in ''; }; - registries = { - search = mkOption { - type = types.listOf types.str; - default = [ "docker.io" "quay.io" ]; - description = '' - List of repositories to search. - ''; - }; - - insecure = mkOption { - default = []; - type = types.listOf types.str; - description = '' - List of insecure repositories. - ''; - }; - - block = mkOption { - default = []; - type = types.listOf types.str; - description = '' - List of blocked repositories. - ''; - }; - }; - - policy = mkOption { - default = {}; - type = types.attrs; - example = lib.literalExample '' - { - default = [ { type = "insecureAcceptAnything"; } ]; - transports = { - docker-daemon = { - "" = [ { type = "insecureAcceptAnything"; } ]; - }; - }; - } - ''; - description = '' - Signature verification policy file. - If this option is empty the default policy file from - skopeo will be used. - ''; - }; - - users = mkOption { - default = []; - type = types.listOf types.str; - description = '' - List of users to set up subuid/subgid mappings for. - This is a requirement for running containers in rootless mode. - ''; - }; - - libpod = mkOption { - default = {}; - description = "Libpod configuration"; - type = types.submodule { - options = { - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = '' - Extra configuration that should be put in the libpod.conf - configuration file - ''; - - }; - }; - }; - }; - }; config = lib.mkIf cfg.enable { 
@@ -154,41 +71,10 @@ in ] ++ lib.optional cfg.dockerCompat dockerCompat; - environment.etc."containers/libpod.conf".text = '' - cni_plugin_dir = ["${pkgs.cni-plugins}/bin/"] - cni_config_dir = "/etc/cni/net.d/" - ${cfg.libpod.extraConfig} - ''; - environment.etc."cni/net.d/87-podman-bridge.conflist".source = copyFile "${pkgs.podman.src}/cni/87-podman-bridge.conflist"; - environment.etc."containers/registries.conf".source = toTOML "registries.conf" { - registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries; - }; + virtualisation.containers.enable = true; - users.extraUsers = builtins.listToAttrs ( - ( - builtins.foldl' ( - acc: user: { - values = acc.values ++ [ - { - name = user; - value = { - subUidRanges = [ { startUid = acc.offset; count = 65536; } ]; - subGidRanges = [ { startGid = acc.offset; count = 65536; } ]; - }; - } - ]; - offset = acc.offset + 65536; - } - ) - { values = []; offset = 100000; } (lib.unique cfg.users) - ).values - ); - - environment.etc."containers/policy.json".source = - if cfg.policy != {} then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy) - else copyFile "${pkgs.skopeo.src}/default-policy.json"; }; }
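Review bot: With `virtualisation.podman.registries`, `policy`, `users` and `libpod` removed in the `@@ -63,80 +54,6` hunk and the same options now defined under `virtualisation.containers`, nothing on the new side maps the old option paths to the new ones, so an existing configuration that sets them fails evaluation with an undefined-option error and gets no hint where the options moved. If the podman module has already shipped in a release, add rename entries to this module's `imports`, one per moved option, e.g. `(lib.mkRenamedOptionModule [ "virtualisation" "podman" "policy" ] [ "virtualisation" "containers" "policy" ])`, covering `policy`, `users`, `libpod` and the three `registries.*` options; if it has not shipped, a sentence in the commit message saying the options moved would suffice. The enclosing `config = lib.mkIf cfg.enable { ... }` starts outside the hunk.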