From 4c80362d2e2963c67e27fb7d8ee63d9ab8e84d87 Mon Sep 17 00:00:00 2001
From: mae
Date: Thu, 27 Apr 2023 20:37:44 +0200
Subject: [PATCH] Replace homegrown podman module
---
 flake.lock | 54 +++++-----
 profiles/podman/default.nix | 5 +
 suites/default.nix | 2 +-
 users/mae/default.nix | 5 +-
 users/modules/podman/containers.nix | 123 ----------------------
 users/modules/podman/default.nix | 7 --
 users/modules/podman/docker-compat.nix | 65 ------------
 users/modules/podman/podman.nix | 135 -------------------------
 users/profiles/podman/default.nix | 21 ++--
 9 files changed, 51 insertions(+), 366 deletions(-)
 create mode 100644 profiles/podman/default.nix
 delete mode 100644 users/modules/podman/containers.nix
 delete mode 100644 users/modules/podman/default.nix
 delete mode 100644 users/modules/podman/docker-compat.nix
 delete mode 100644 users/modules/podman/podman.nix
diff --git a/flake.lock b/flake.lock
index ead4657..1f6858a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
 ]
 },
 "locked": {
- "lastModified": 1680281360,
- "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
+ "lastModified": 1682101079,
+ "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
+ "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
 "type": "github"
 },
 "original": {
@@ -65,11 +65,11 @@
 ]
 },
 "locked": {
- "lastModified": 1681154394,
- "narHash": "sha256-avnu1K9AuouygBiwVKuDp6emiTET43az3rcpv0ctLjc=",
+ "lastModified": 1682009832,
+ "narHash": "sha256-QdNOeFE7sI+0ddqVfn9vQDCUs7OdxhJ7evo9sdyP82Y=",
 "owner": "LnL7",
 "repo": "nix-darwin",
- "rev": "025912529dd0b31dead95519e944ea05f1ad56f2",
+ "rev": "a1ee4d333b092bc055655fb06229eb3013755812",
 "type": "github"
 },
 "original": {
@@ -191,11 +191,11 @@
 "rust-analyzer-src": "rust-analyzer-src"
 },
 "locked": {
- "lastModified": 1681280529,
- "narHash": "sha256-WDPFJQpnkFFpWW2OSiR0hfPovmpeP004DIq89q6GyLs=",
+ "lastModified": 1682598812,
+ "narHash": "sha256-kNX5Au2i6ojBjBD5guay3qeHitm0vEhnnIvbv+BQoh8=",
 "owner": "nix-community",
 "repo": "fenix",
- "rev": "0d8c62bb906470782a4aa36d93044e660088a3f8",
+ "rev": "b4616f7fa72bcda1b48511e4043d6813aa2d953b",
 "type": "github"
 },
 "original": {
@@ -372,11 +372,11 @@
 ]
 },
 "locked": {
- "lastModified": 1681468923,
- "narHash": "sha256-+X2oO4juRVhQRs002mn8km6PODccIRiz09c2K1xtSpY=",
+ "lastModified": 1682535786,
+ "narHash": "sha256-NH2a8yB8V25cglvcHDrvaTLvohzMgGLLZ4vnXQn4vOw=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "17198cf5ae27af5b647c7dac58d935a7d0dbd189",
+ "rev": "d82c9af8175878a461a0fdf914e67cc446664570",
 "type": "github"
 },
 "original": {
@@ -419,11 +419,11 @@
 },
 "latest_2": {
 "locked": {
- "lastModified": 1681557730,
- "narHash": "sha256-j2E3639kS3Qop2jQPyqWCdenZNaqIdxfoTvAHnGuAGI=",
+ "lastModified": 1682609660,
+ "narHash": "sha256-Q2lncLCbUpFAs22n4NKjxt8hDsF4lCXq4lDjixjL0us=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "85b081528b937df4bfcaee80c3541b58f397df8b",
+ "rev": "76a85de7a731a037f44f1fcc81165c934c66b0a2",
 "type": "github"
 },
 "original": {
@@ -478,11 +478,11 @@
 },
 "nixos": {
 "locked": {
- "lastModified": 1681465517,
- "narHash": "sha256-EasJh15/jcJNAHtq2SGbiADRXteURAnQbj1NqBoKkzU=",
+ "lastModified": 1682526928,
+ "narHash": "sha256-2cKh4O6t1rQ8Ok+v16URynmb0rV7oZPEbXkU0owNLQs=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "abe7316dd51a313ce528972b104f4f04f56eefc4",
+ "rev": "d6b863fd9b7bb962e6f9fdf292419a775e772891",
 "type": "github"
 },
 "original": {
@@ -509,11 +509,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1681126633,
- "narHash": "sha256-evQ3Ct/yJDSHej16Hiq+JfxRjgm9FXu/2LBxsyorGdE=",
+ "lastModified": 1682453498,
+ "narHash": "sha256-WoWiAd7KZt5Eh6n+qojcivaVpnXKqBsVgpixpV2L9CE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "db24d86dd8a4769c50d6b7295e81aa280cd93f35",
+ "rev": "c8018361fa1d1650ee8d4b96294783cf564e8a7f",
 "type": "github"
 },
 "original": {
@@ -632,11 +632,11 @@
 "rust-analyzer-src": {
 "flake": false,
 "locked": {
- "lastModified": 1681234995,
- "narHash": "sha256-QQxQAG5QZG8z/uRREhWnq4215Asl7Gh6a8zj7swDyP4=",
+ "lastModified": 1682502267,
+ "narHash": "sha256-S1Rk8+lW6GqnfVDyxR7ctJaGRglvhm/DWCeDD3J3ut8=",
 "owner": "rust-lang",
 "repo": "rust-analyzer",
- "rev": "7501d3b721560637e27f904d9fce79182c41bef7",
+ "rev": "797c2f1dde0905afa24f567160ed23ba2bc79a81",
 "type": "github"
 },
 "original": {
@@ -648,11 +648,11 @@
 },
 "stable": {
 "locked": {
- "lastModified": 1681349002,
- "narHash": "sha256-9Ckc2WvSwuYrPfk3ZXgPasM1ir/cgs6UV0EpIWyPGZE=",
+ "lastModified": 1682538316,
+ "narHash": "sha256-YuHgVsR7S9zxJWHo7lo2ugd+uDC4ESWg1hA4bEZQv3Y=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2b1bba76a13ed39c7abc0a6e8f74f9e168cf3c7c",
+ "rev": "15b75800dce80225b44f067c9012b09de37dfad2",
 "type": "github"
 },
 "original": {
diff --git a/profiles/podman/default.nix b/profiles/podman/default.nix
new file mode 100644
index 0000000..0431b1f
--- /dev/null
+++ b/profiles/podman/default.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ boot.enableContainers = false;
+ virtualisation.podman.enable = true;
+ virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
+}
diff --git a/suites/default.nix b/suites/default.nix
index 80642ec..e216143 100644
--- a/suites/default.nix
+++ b/suites/default.nix
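Review bot: The new system profile carries over none of the registry and signature-policy settings that the deleted home-manager module managed (`registries.search = [ "docker.io" "quay.io" ]`, `registries.insecure`, `policy`), so short image names and signature verification now follow whatever `virtualisation.containers` defaults the NixOS module ships. If the previous behaviour is intended, pin it explicitly next to `virtualisation.podman.enable = true;`, e.g. `virtualisation.containers.registries.search = [ "docker.io" "quay.io" ];`, rather than relying on an upstream default that can change with the next flake update. The user-level `podman.socket` that the deleted `podman.nix` declared at `%t/podman/podman.sock` is not re-created here either; the home-manager profile's `DOCKER_HOST` presumably depends on the NixOS module providing that user socket, which is worth confirming on a fresh login before the old module is gone.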
@@ -1,7 +1,7 @@
 { profiles, ... }:
 with profiles; rec {
 base = [ users.root core dns ];
- workstation = base ++ [ sway develop game profiles.workstation ssh flatpak torrents pwn tor rust virtualization java networkmanager pipewire flatpak tailscale users.mae ];
+ workstation = base ++ [ sway develop game profiles.workstation ssh flatpak torrents pwn tor rust virtualization java networkmanager pipewire flatpak tailscale podman users.mae ];
 desktop = workstation ++ [ amd ];
 lap = workstation ++ [ laptop bluetooth print ];
 }
diff --git a/users/mae/default.nix b/users/mae/default.nix
index e37f7e7..e4f0f71 100644
--- a/users/mae/default.nix
+++ b/users/mae/default.nix
@@ -7,10 +7,11 @@
 isNormalUser = true;
 hashedPassword = "$6$vyS4lqYbl3$OXztJnAC5ZayA4eCBSIRlYtsi9u1HnafsfNL28l4CJh0BISVlSj6D48CA80cshnvYW/EEzfEj7z4zTNFpJAT/.";
 shell = pkgs.zsh;
- extraGroups = [ "wheel" "video" "lp" "scanner" "adbusers" "render" "libvirtd" "podman" "docker" ];
+ extraGroups = [ "wheel" "video" "lp" "scanner" "adbusers" "render" "libvirtd" ];
 };
+
 home-manager.users.mae = { pkgs, ... }: {
- imports = [ ../profiles/core ../profiles/direnv ../profiles/git ../profiles/zsh ../profiles/neovim ../profiles/syncthing ../profiles/kdeconnect ../profiles/podman ../profiles/tmux ../profiles/mpv ../profiles/sway ];
+ imports = [ ../profiles/core ../profiles/direnv ../profiles/git ../profiles/zsh ../profiles/neovim ../profiles/syncthing ../profiles/kdeconnect ../profiles/tmux ../profiles/mpv ../profiles/sway ../profiles/podman ];
 mae.alacritty.enable = true;
 home.sessionVariables = {
diff --git a/users/modules/podman/containers.nix b/users/modules/podman/containers.nix
deleted file mode 100644
index 35a93cc..0000000
--- a/users/modules/podman/containers.nix
+++ /dev/null
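Review bot: The rewritten `workstation` line still lists `flatpak` twice (once after `ssh`, once after `pipewire`); since the line is being rewritten anyway, drop one occurrence so the suite reads as an explicit set. Module imports are presumably deduplicated so this is harmless at evaluation time, but it obscures which profiles the suite is meant to pull in.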
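Review bot: Dropping `"podman"` and `"docker"` from `extraGroups` is a welcome privilege reduction (the `docker` group is effectively root-equivalent), but it makes the account depend entirely on rootless podman, which only works if the user has subordinate uid/gid ranges; the hunk sets neither `users.users.mae.autoSubUidGidRange` nor `subUidRanges`/`subGidRanges`, so this relies on NixOS defaulting the range on for `isNormalUser` accounts — worth confirming on the first rebuild. The enclosing `users.users.mae` and `home-manager.users.mae` attribute sets both start and end outside the hunk.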
@@ -1,123 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- cfg = config.virtualisation.containers;
-
- inherit (lib) mkOption types;
-
- toml = pkgs.formats.toml { };
-in
-{
- options.virtualisation.containers = {
-
- enable =
- mkOption {
- type = types.bool;
- default = false;
- description = ''
- This option enables the common /etc/containers configuration module.
- '';
- };
-
- ociSeccompBpfHook.enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable the OCI seccomp BPF hook";
- };
-
- containersConf.settings = mkOption {
- type = toml.type;
- default = { };
- description = "containers.conf configuration";
- };
-
- containersConf.cniPlugins = mkOption {
- type = types.listOf types.package;
- defaultText = ''
- [
- pkgs.cni-plugins
- ]
- '';
- example = lib.literalExample ''
- [
- pkgs.cniPlugins.dnsname
- ]
- '';
- description = ''
- CNI plugins to install on the system.
- '';
- };
-
- registries = {
- search = mkOption {
- type = types.listOf types.str;
- default = [ "docker.io" "quay.io" ];
- description = ''
- List of repositories to search.
- '';
- };
-
- insecure = mkOption {
- default = [ ];
- type = types.listOf types.str;
- description = ''
- List of insecure repositories.
- '';
- };
-
- block = mkOption {
- default = [ ];
- type = types.listOf types.str;
- description = ''
- List of blocked repositories.
- '';
- };
- };
-
- policy = mkOption {
- default = { };
- type = types.attrs;
- example = lib.literalExample ''
- {
- default = [ { type = "insecureAcceptAnything"; } ];
- transports = {
- docker-daemon = {
- "" = [ { type = "insecureAcceptAnything"; } ];
- };
- };
- }
- '';
- description = ''
- Signature verification policy file.
- If this option is empty the default policy file from
- skopeo will be used.
- '';
- };
-
- };
-
- config = lib.mkIf cfg.enable {
-
- virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
-
- virtualisation.containers.containersConf.settings = {
- network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
- engine = {
- init_path = "${pkgs.catatonit}/bin/catatonit";
- } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
- hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
- };
- };
-
- xdg.configFile."containers/containers.conf".source =
- toml.generate "containers.conf" cfg.containersConf.settings;
-
- xdg.configFile."containers/registries.conf".source = toml.generate "registries.conf" {
- registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
- };
-
- xdg.configFile."containers/policy.json".source =
- if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
- else "${pkgs.skopeo.src}/default-policy.json";
- };
-
-}
diff --git a/users/modules/podman/default.nix b/users/modules/podman/default.nix
deleted file mode 100644
index 8c94954..0000000
--- a/users/modules/podman/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }: {
- imports = [
- ./podman.nix
- ./containers.nix
- ./docker-compat.nix
- ];
-}
diff --git a/users/modules/podman/docker-compat.nix b/users/modules/podman/docker-compat.nix
deleted file mode 100644
index 0be0dba..0000000
--- a/users/modules/podman/docker-compat.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- # Provides a fake "docker" binary mapping to podman
- cfg = config.services.podman;
- podmanPackage = cfg.package;
- docker_host = "unix:///run/user/$UID/podman/podman.sock";
-
- fakeDockerBinary = pkgs.runCommand "${podmanPackage.pname}-docker-compat-${podmanPackage.version}"
- {
- outputs = [ "out" "man" ];
- inherit (podmanPackage) meta;
- } ''
- mkdir -p $out/bin
- ln -s ${podmanPackage}/bin/podman $out/bin/docker
-
- mkdir -p $man/share/man/man1
- for f in ${podmanPackage.man}/share/man/man1/*; do
- basename=$(basename $f | sed s/podman/docker/g)
- ln -s $f $man/share/man/man1/$basename
- done
- '';
- dockerComposeCompat = pkgs.runCommand "docker-compose-podman-compat"
- {
- buildInputs = [ pkgs.makeWrapper ];
- } ''
- mkdir -p $out/bin
- makeWrapper '${pkgs.docker-compose}/libexec/docker/cli-plugins/docker-compose' "$out/bin/docker-compose" \
- --set-default "DOCKER_HOST" 'unix:///run/user/$UID/podman/podman.sock' \
- --set-default DOCKER_BUILDKIT 0
- '';
-in
-with lib; {
- options.services.podman = {
- dockerCompat =
- {
- fakeDockerBinary.enable = mkEnableOption {
- description = ''
- Create an alias mapping docker to podman.
- '';
- };
- dockerSocket.enable = mkEnableOption {
- description = ''
- Set the DOCKER_HOST environment variable to make docker tools use the podman docker
- '';
- };
- dockerCompose.enable = mkEnableOption {
- description = ''
- Install a docker-compose binary that uses the podman socket
- '';
- };
- };
- };
- config = lib.mkIf cfg.enable (lib.mkMerge [
- (lib.mkIf cfg.dockerCompat.fakeDockerBinary.enable {
- home.packages = [ fakeDockerBinary ];
- })
- (lib.mkIf cfg.dockerCompat.dockerCompose.enable {
- home.packages = [ dockerComposeCompat ];
- })
- (lib.mkIf cfg.dockerCompat.dockerSocket.enable {
- home.sessionVariables."DOCKER_HOST" = "unix:///run/user/$UID/podman/podman.sock";
- })
-
- ]);
-}
diff --git a/users/modules/podman/podman.nix b/users/modules/podman/podman.nix
deleted file mode 100644
index 9649580..0000000
--- a/users/modules/podman/podman.nix
+++ /dev/null
@@ -1,135 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- cfg = config.services.podman;
- toml = pkgs.formats.toml { };
- json = pkgs.formats.json { };
-
- inherit (lib) mkOption types;
-
- podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; });
-in
-{
- imports = [
- #./podman-network-socket.nix
- (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
- ];
-
- meta = {
- maintainers = lib.teams.podman.members;
- };
-
- options.services.podman = {
-
- enable =
- mkOption {
- type = types.bool;
- default = false;
- description = ''
- This option enables Podman, a daemonless container engine for
- developing, managing, and running OCI Containers on your Linux System.
-
- It is a drop-in replacement for the docker command.
- '';
- };
-
- enableNvidia = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable use of NVidia GPUs from within podman containers.
- '';
- };
-
- extraPackages = mkOption {
- type = with types; listOf package;
- default = [ ];
- example = lib.literalExample ''
- [
- pkgs.gvisor
- ]
- '';
- description = ''
- Extra packages to be installed in the Podman wrapper.
- '';
- };
-
- package = lib.mkOption {
- type = types.package;
- default = podmanPackage;
- internal = true;
- description = ''
- The final Podman package (including extra packages).
- '';
- };
-
- defaultNetwork.extraPlugins = lib.mkOption {
- type = types.listOf json.type;
- default = [ ];
- description = ''
- Extra CNI plugin configurations to add to podman's default network.
- '';
- };
-
- };
-
- config = lib.mkIf cfg.enable
- {
- home.packages = [ cfg.package ];
- xdg.configFile."containers/networks/podman.json".source = json.generate "podman.json" ({
- dns_enabled = false;
- driver = "bridge";
- id = "0000000000000000000000000000000000000000000000000000000000000000";
- internal = false;
- ipam_options = { driver = "host-local"; };
- ipv6_enabled = false;
- name = "podman";
- network_interface = "podman0";
- subnets = [{ gateway = "10.88.0.1"; subnet = "10.88.0.0/16"; }];
- });
- virtualisation.containers = {
- enable = true; # Enable common /etc/containers configuration
- containersConf.settings = lib.optionalAttrs cfg.enableNvidia {
- network.network_backend = "netavark";
- engine = {
- conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ];
- runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ];
- };
- };
- };
-
- systemd.user = {
-
- services.podman = {
- Unit = {
- Description = "Podman API Service";
- Requires = "podman.socket";
- After = "podman.socket";
- Documentation = "man:podman-system-service(1)";
- StartLimitIntervalSec = 0;
- };
- Service = {
- Type = "exec";
- KillMode = "process";
- Environment = [ "LOGGING=\" --log-level=info\"" ];
- ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=\"$PATH:/run/wrappers/bin\" ${cfg.package}/bin/podman $LOGGING system service'";
- };
-
- Install = {
- WantedBy = [ "multi-user.target" ];
- };
- };
-
- sockets.podman = {
- Unit = {
- Description = "Podman API Socket";
- Documentation = "man:podman-system-service(1)";
- };
- Socket = {
- ListenStream = "%t/podman/podman.sock";
- SocketMode = 0660;
- };
- Install.WantedBy = [ "sockets.target" ];
- };
- };
- };
-}
diff --git a/users/profiles/podman/default.nix b/users/profiles/podman/default.nix
index 81d4918..1ab3b85 100644
--- a/users/profiles/podman/default.nix
+++ b/users/profiles/podman/default.nix
@@ -1,8 +1,17 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
+let
+ podman_sock = "unix://$XDG_RUNTIME_DIR/podman/podman.sock";
+ podmanCompose = pkgs.runCommand "docker-compose-podman-compat"
+ {
+ buildInputs = [ pkgs.makeWrapper ];
+ } ''
+ mkdir -p $out/bin
+ makeWrapper '${pkgs.docker-compose}/bin/docker-compose' "$out/bin/podman-compose" \
+ --set-default "DOCKER_HOST" '${podman_sock}' \
+ --set-default DOCKER_BUILDKIT 0
+ '';
+in
 {
- services.podman.enable = true;
- services.podman.dockerCompat = {
- dockerSocket.enable = true;
- dockerCompose.enable = true;
- };
+ home.packages = [ podmanCompose ];
+ home.sessionVariables.DOCKER_HOST = podman_sock;
 }
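Review bot: `--set-default "DOCKER_HOST" '${podman_sock}'` hands makeWrapper a value that contains `$XDG_RUNTIME_DIR`, and makeWrapper writes `--set-default` values into the generated script as shell-quoted literals, so the `podman-compose` wrapper most likely exports the unexpanded string `unix://$XDG_RUNTIME_DIR/podman/podman.sock` whenever `DOCKER_HOST` is not already set (the deleted `docker-compat.nix` had the same shape with `$UID`). Since `home.sessionVariables.DOCKER_HOST = podman_sock;` at the bottom of the hunk already exports the variable to login shells, the simplest fix is to delete the `--set-default "DOCKER_HOST" '${podman_sock}' \` line and keep only `--set-default DOCKER_BUILDKIT 0`; if an in-wrapper fallback is wanted, use makeWrapper's `--run` with a snippet that expands `$XDG_RUNTIME_DIR` at run time, and verify with `podman-compose --version` from a shell where `DOCKER_HOST` is unset. Separately, `config` is added to the module arguments on the first line but is never referenced in the new body, so it can be dropped again.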