podman: add module

This module is a continuation of #2630 by MaeIsBad.

It also adds a module `virtualisation.oci-containers` that is
equivalent to the one in NixOS. Basically it allows a simple toggle to
activate oci-container services and commands.

We also support Podman on mac. Note, Podman requires a VM on mac,
which has to be started before any Podman commands can be executed.
Users might sometimes require VMs that use different architectures
than the default VM started by Podman. Thus, they get the option to
define the VM(s) that will be initialized and started by podman.

Since Podman has to start a machine, it's best to do it using launchd.
The configuration of the machines requires a JSON, generated from an
attrset in Home Manager, which is where Python script comes into play
to take care of diff-ing the `podman machine list` to CRUD them.

PR #4331

Co-authored-by: MaeIsBad <26093674+MaeIsBad@users.noreply.github.com>

modules/misc/news.nix

@@ -1348,6 +1348,16 @@ in
           A new module is available: 'programs.gradle'.
         '';
       }
+
+      {
+        time = "2023-12-23T08:45:52+00:00";
+        message = ''
+          Three new modules are available:
+            'virtualisation.containers',
+            'virtualisation.oci-containers',
+            'virtualisation.podman'.
+        '';
+      }
     ];
   };
 }

modules/modules.nix

@@ -368,6 +368,9 @@ let
     ./systemd.nix
     ./targets/darwin
     ./targets/generic-linux.nix
+    ./virtualisation/containers.nix
+    ./virtualisation/oci-containers.nix
+    ./virtualisation/podman/podman.nix
     ./xresources.nix
     ./xsession.nix
     ./misc/nix.nix

modules/virtualisation/containers.nix

@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.virtualisation.containers;
+
+  inherit (lib) mkOption types;
+
+  toml = pkgs.formats.toml { };
+in {
+  meta.maintainers = [ lib.maintainers.michaelCTS ];
+
+  options.virtualisation.containers = {
+    enable = lib.mkEnableOption "the common containers configuration module";
+
+    ociSeccompBpfHook.enable = lib.mkEnableOption "the OCI seccomp BPF hook";
+
+    registries = {
+      search = mkOption {
+        type = types.listOf types.str;
+        default = [ "docker.io" "quay.io" ];
+        description = ''
+          List of repositories to search.
+        '';
+      };
+
+      insecure = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = ''
+          List of insecure repositories.
+        '';
+      };
+
+      block = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = ''
+          List of blocked repositories.
+        '';
+      };
+    };
+
+    policy = mkOption {
+      type = types.attrs;
+      default = { };
+      example = lib.literalExpression ''
+        {
+          default = [ { type = "insecureAcceptAnything"; } ];
+          transports = {
+            docker-daemon = {
+              "" = [ { type = "insecureAcceptAnything"; } ];
+            };
+          };
+        }
+      '';
+      description = ''
+        Signature verification policy file.
+        If this option is empty the default policy file from
+        `skopeo` will be used.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    xdg.configFile."containers/registries.conf".source =
+      toml.generate "registries.conf" {
+        registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
+      };
+
+    xdg.configFile."containers/policy.json".source = if cfg.policy != { } then
+      pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+    else
+      "${pkgs.skopeo.src}/default-policy.json";
+  };
+
+}

modules/virtualisation/oci-containers.nix

@@ -0,0 +1,28 @@
+# Equivalent of
+# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/virtualisation/oci-containers.nix
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.virtualisation.oci-containers;
+
+  inherit (lib) mkDefault mkIf mkMerge mkOption types;
+
+  defaultBackend = "podman";
+in {
+  meta.maintainers = [ pkgs.lib.maintainers.michaelCTS ];
+
+  options.virtualisation.oci-containers = {
+    enable = lib.mkEnableOption
+      "a convenience option to enable containers in platform-agnostic manner";
+
+    backend = mkOption {
+      type = types.enum [ "podman" ];
+      default = defaultBackend;
+      description = "Which service to use as a backend for containers.";
+    };
+  };
+
+  config = mkIf (cfg.enable && cfg.backend == "podman") {
+    virtualisation.podman.enable = true;
+  };
+}

modules/virtualisation/podman/podmactl/README.md

@@ -0,0 +1,30 @@
+# podmactl
+
+`podmactl` is a script to manage the podman machines declared in Home
+Manager.
+
+## How it works
+
+`main()` is a (hopefully) straight-forward method to read, but the gist of it is:
+
+1. The declared machines and their configuration are passed in.
+2. Existing machines and their configuration are listed.
+3. A diff is made from the declared machines and existing machines.
+4. New machines are added.
+5. Existing machines are updated.
+6. Old machines are removed.
+7. The machine declared as `active` is started (if necessary).
+
+## Developing
+
+Enter a devshell with `nix-shell`.
+
+Make your changes and then run
+
+```
+# Code autoformatting
+black .
+
+# Unittests
+python -m unittest
+```

modules/virtualisation/podman/podmactl/default.nix

@@ -0,0 +1,28 @@
+{ pkgs ? (import <nixpkgs> { }), }:
+
+pkgs.stdenv.mkDerivation {
+  name = "podmactl";
+  src = ./.;
+
+  buildInputs = [ pkgs.python311 ];
+  doCheck = true;
+  checkPhase = ''
+    runHook preCheck
+    (
+        cd $src
+        black --check .
+        python -m unittest
+    )
+    runHook postCheck
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    cp podmactl.py $out/bin/podmactl
+    chmod +x $out/bin/podmactl
+
+    runHook postInstall
+  '';
+}