Add a podman module

.github/CODEOWNERS

@@ -398,6 +398,9 @@
 
 /modules/services/systembus-notify.nix                @asymmetric
 
+/modules/virtualisation/podman.nix                    @MaeIsBad	
+/modules/virtualisation/containers.nix                @MaeIsBad	
+
 /modules/targets/darwin                               @midchildan
 /tests/modules/targets-darwin                         @midchildan
 

modules/lib/maintainers.nix

@@ -169,4 +169,10 @@
     github = "pltanton";
     githubId = 4561823;
   };
+  bad = {
+    name = "Mae Lib";
+    email = "git@badat.dev";
+    github = "MaeIsBad";
+    githubId = 26093674;
+  };
 }

modules/modules.nix

@@ -251,6 +251,9 @@ let
     ./xcursor.nix
     ./xresources.nix
     ./xsession.nix
+    ./virtualisation/containers.nix
+    ./virtualisation/podman/podman.nix
+    ./virtualisation/podman/podman-dnsname.nix
     (pkgs.path + "/nixos/modules/misc/assertions.nix")
     (pkgs.path + "/nixos/modules/misc/meta.nix")
   ] ++ optional useNixpkgsModule ./misc/nixpkgs.nix

modules/virtualisation/containers.nix

@@ -0,0 +1,118 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.virtualisation.containers;
+
+  inherit (lib) mkOption types;
+
+  toml = pkgs.formats.toml { };
+in {
+  meta.maintainers = [ lib.hm.maintainers.bad ];
+  options.virtualisation.containers = {
+
+    enable = lib.mkEnableOption "the common containers configuration module";
+
+    ociSeccompBpfHook.enable = lib.mkEnableOption "the OCI seccomp BPF hook";
+
+    containersConf.settings = mkOption {
+      type = toml.type;
+      default = { };
+      description = "containers.conf configuration";
+    };
+
+    containersConf.cniPlugins = mkOption {
+      type = types.listOf types.package;
+      defaultText = ''
+        [
+          pkgs.cni-plugins
+        ]
+      '';
+      example = lib.literalExample ''
+        [
+          pkgs.cniPlugins.dnsname
+        ]
+      '';
+      description = ''
+        CNI plugins to install on the system.
+      '';
+    };
+
+    registries = {
+      search = mkOption {
+        type = types.listOf types.str;
+        default = [ "docker.io" "quay.io" ];
+        description = ''
+          List of repositories to search.
+        '';
+      };
+
+      insecure = mkOption {
+        default = [ ];
+        type = types.listOf types.str;
+        description = ''
+          List of insecure repositories.
+        '';
+      };
+
+      block = mkOption {
+        default = [ ];
+        type = types.listOf types.str;
+        description = ''
+          List of blocked repositories.
+        '';
+      };
+    };
+
+    policy = mkOption {
+      default = { };
+      type = types.attrs;
+      example = lib.literalExample ''
+        {
+          default = [ { type = "insecureAcceptAnything"; } ];
+          transports = {
+            docker-daemon = {
+              "" = [ { type = "insecureAcceptAnything"; } ];
+            };
+          };
+        }
+      '';
+      description = ''
+        Signature verification policy file.
+        If this option is empty the default policy file from
+        <literal>skopeo</literal> will be used.
+      '';
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+      assertions = [
+        (lib.hm.assertions.assertPlatform "virtualisation.containers" pkgs lib.platforms.linux)
+      ];
+
+    virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
+
+    virtualisation.containers.containersConf.settings = {
+      network.cni_plugin_dirs =
+        map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
+      engine = {
+        init_path = "${pkgs.catatonit}/bin/catatonit";
+      } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
+        hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
+      };
+    };
+
+    xdg.configFile."containers/containers.conf".source =
+      toml.generate "containers.conf" cfg.containersConf.settings;
+
+    xdg.configFile."containers/registries.conf".source =
+      toml.generate "registries.conf" {
+        registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
+      };
+
+    xdg.configFile."containers/policy.json".source = if cfg.policy != { } then
+      pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+    else
+      "${pkgs.skopeo.src}/default-policy.json";
+  };
+
+}

modules/virtualisation/podman/podman-dnsname.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mkOption mkIf types;
+
+  cfg = config.services.podman;
+
+in {
+  meta.maintainers = [ lib.maintainers.bad ];
+  options = {
+    services.podman = {
+
+      defaultNetwork.dnsname.enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable DNS resolution in the default podman network.
+        '';
+      };
+
+    };
+  };
+
+  config = {
+    virtualisation.containers.containersConf.cniPlugins =
+      mkIf cfg.defaultNetwork.dnsname.enable [ pkgs.dnsname-cni ];
+    services.podman.defaultNetwork.extraPlugins =
+      lib.optional cfg.defaultNetwork.dnsname.enable {
+        type = "dnsname";
+        domainName = "dns.podman";
+        capabilities.aliases = true;
+      };
+  };
+}

modules/virtualisation/podman/podman.nix

@@ -0,0 +1,183 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.podman;
+  toml = pkgs.formats.toml { };
+  json = pkgs.formats.json { };
+
+  inherit (lib) mkOption types;
+
+  podmanPackage = (pkgs.podman.override { inherit (cfg) extraPackages; });
+
+  # Provides a fake "docker" binary mapping to podman
+  dockerCompat = pkgs.runCommandNoCC
+    "${podmanPackage.pname}-docker-compat-${podmanPackage.version}" {
+      outputs = [ "out" "man" ];
+      inherit (podmanPackage) meta;
+    } ''
+      mkdir -p $out/bin
+      ln -s ${podmanPackage}/bin/podman $out/bin/docker
+
+      mkdir -p $man/share/man/man1
+      for f in ${podmanPackage.man}/share/man/man1/*; do
+        basename=$(basename $f | sed s/podman/docker/g)
+        ln -s $f $man/share/man/man1/$basename
+      done
+    '';
+
+  net-conflist = pkgs.runCommand "87-podman-bridge.conflist" {
+    nativeBuildInputs = [ pkgs.jq ];
+    extraPlugins = builtins.toJSON cfg.defaultNetwork.extraPlugins;
+    jqScript = ''
+      . + { "plugins": (.plugins + $extraPlugins) }
+    '';
+  } ''
+    jq <${cfg.package}/etc/cni/net.d/87-podman-bridge.conflist \
+      --argjson extraPlugins "$extraPlugins" \
+      "$jqScript" \
+      >$out
+  '';
+
+in {
+  meta.maintainers = [ lib.maintainers.bad ];
+  imports = [
+    ./podman-dnsname.nix
+    #./podman-network-socket.nix
+    (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [
+      "virtualisation"
+      "containers"
+      "containersConf"
+    ])
+  ];
+  options.services.podman = {
+
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        This option enables Podman, a daemonless container engine for
+        developing, managing, and running OCI Containers on your Linux System.
+
+        It is a drop-in replacement for the <command>docker</command> command.
+      '';
+    };
+
+    dockerSocket = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Make the Podman socket available in place of the Docker socket, so
+        Docker tools can find the Podman socket.
+
+        Podman implements the Docker API.
+      '';
+    };
+
+    dockerCompat = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Create an alias mapping <command>docker</command> to <command>podman</command>.
+      '';
+    };
+
+    enableNvidia = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable use of NVidia GPUs from within podman containers.
+      '';
+    };
+
+    extraPackages = mkOption {
+      type = with types; listOf package;
+      default = [ ];
+      example = lib.literalExample ''
+        [
+          pkgs.gvisor
+        ]
+      '';
+      description = ''
+        Extra packages to be installed in the Podman wrapper.
+      '';
+    };
+
+    package = lib.mkOption {
+      type = types.package;
+      default = podmanPackage;
+      internal = true;
+      description = ''
+        The final Podman package (including extra packages).
+      '';
+    };
+
+    defaultNetwork.extraPlugins = lib.mkOption {
+      type = types.listOf json.type;
+      default = [ ];
+      description = ''
+        Extra CNI plugin configurations to add to podman's default network.
+      '';
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      home.packages = [ cfg.package ]
+        ++ lib.optional cfg.dockerCompat dockerCompat;
+
+      xdg.configFile."cni/net.d/87-podman-bridge.conflist".source =
+        net-conflist;
+
+      virtualisation.containers = {
+        enable = true; # Enable common /etc/containers configuration
+        containersConf.settings = lib.optionalAttrs cfg.enableNvidia {
+          engine = {
+            conmon_env_vars =
+              [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ];
+            runtimes.nvidia =
+              [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ];
+          };
+        };
+      };
+
+      systemd.user = {
+
+        services.podman = {
+          Unit = {
+            Description = "Podman API Service";
+            Requires = "podman.socket";
+            After = "podman.socket";
+            Documentation = "man:podman-system-service(1)";
+            StartLimitIntervalSec = 0;
+          };
+          Service = {
+            Type = "exec";
+            KillMode = "process";
+            Environment = ''LOGGING=" --log-level=info"'';
+            ExecStart =
+              [ "" "${cfg.package}/bin/podman $LOGGING system service" ];
+          };
+
+          Install = { WantedBy = [ "default.target" ]; };
+        };
+
+        sockets.podman = {
+          Unit = {
+            Description = "Podman API Socket";
+            Documentation = "man:podman-system-service(1)";
+          };
+          Socket = {
+            ListenStream = "%t/podman/podman.sock";
+            SocketMode = 660;
+          };
+          Install.WantedBy = [ "sockets.target" ];
+        };
+
+      };
+    }
+    (lib.mkIf cfg.dockerSocket {
+      home.sessionVariables."DOCKER_HOST" =
+        "unix:///run/user/$UID/podman/podman.sock";
+    })
+  ]);
+}

tests/default.nix

@@ -160,6 +160,7 @@ import nmt {
     ./modules/services/window-managers/sway
     ./modules/services/wlsunset
     ./modules/services/xsettingsd
+    ./modules/virtualisation/podman
     ./modules/systemd
     ./modules/targets-linux
   ]);

tests/modules/virtualisation/podman/basic-configuration.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, lib, ... }:
+
+{
+  config = {
+    services.podman.enable = true;
+    nmt.script = ''
+      servicePath=home-files/.config/systemd/user
+
+      assertFileExists $servicePath/podman.service $servicePath/podman.socket
+    '';
+  };
+}

tests/modules/virtualisation/podman/default.nix

@@ -0,0 +1,4 @@
+{
+  podman-basic-configuration = ./basic-configuration.nix;
+  podman-docker-compat = ./docker-compat.nix;
+}