container: init service for linux and mac #4331

wants to merge 1 commit into from
10 changes: 10 additions & 0 deletions modules/misc/news.nix
Expand Up @@ -1414,6 +1414,16 @@ in {
A new module is available: 'programs.jetbrains-remote'
'';
}

{
time = "2023-02-14T08:45:52+00:00";
message = ''
Three new modules are available:
'virtualisation.containers',
'virtualisation.oci-containers',
'virtualisation.podman'.
'';
}
];
};
}
3 changes: 3 additions & 0 deletions modules/modules.nix
Expand Up @@ -377,6 +377,9 @@ let
./systemd.nix
./targets/darwin
./targets/generic-linux.nix
./virtualisation/containers.nix
./virtualisation/oci-containers.nix
./virtualisation/podman.nix
./xresources.nix
./xsession.nix
./misc/nix.nix
Expand Down
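--- a/modules/virtualisation/containers.nix
+++ b/modules/virtualisation/containers.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+let
+cfg = config.virtualisation.containers;
+
+inherit (lib) mkOption types;
+
+toml = pkgs.formats.toml { };
+in {
+meta.maintainers = [ lib.maintainers.michaelCTS ];
+
+options.virtualisation.containers = {
+enable = lib.mkEnableOption "the common containers configuration module";
+
+ociSeccompBpfHook.enable = lib.mkEnableOption "the OCI seccomp BPF hook";
+
+registries = {
+search = mkOption {
+type = types.listOf types.str;
+default = [ "docker.io" "quay.io" ];
+description = ''
+List of repositories to search.
+'';
+};
+
+insecure = mkOption {
+type = types.listOf types.str;
+default = [ ];
+description = ''
+List of insecure repositories.
+'';
+};
+
+block = mkOption {
+type = types.listOf types.str;
+default = [ ];
+description = ''
+List of blocked repositories.
+'';
+};
+};
+
+policy = mkOption {
+type = types.attrs;
+default = { };
+example = lib.literalExpression ''
+{
+default = [ { type = "insecureAcceptAnything"; } ];
+transports = {
+docker-daemon = {
+"" = [ { type = "insecureAcceptAnything"; } ];
+};
+};
+}
+'';
+description = ''
+Signature verification policy file.
+If this option is empty the default policy file from
+`skopeo` will be used.
+'';
+};
+};
+
+config = lib.mkIf cfg.enable {
+xdg.configFile."containers/registries.conf".source =
+toml.generate "registries.conf" {
+registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
+};
+
+xdg.configFile."containers/policy.json".source = if cfg.policy != { } then
+pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+else
+"${pkgs.skopeo.src}/default-policy.json";
+};
+
+}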
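Review bot: `ociSeccompBpfHook.enable` is declared in the options set but nothing in the `config` block (which only writes `registries.conf` and `policy.json`) reads it, so a user who turns on the seccomp hook gets neither a hook nor an error; either wire it into the generated configuration or drop the option until it does something. The `policy` fallback `"${pkgs.skopeo.src}/default-policy.json"` is, to my knowledge, a policy whose `default` is `insecureAcceptAnything`, and the example above it shows the same, so with `policy = { }` this module performs no image signature verification; the description should say so, e.g. `If this option is empty the default policy file from skopeo is used, which (insecureAcceptAnything) accepts any image without signature verification.` `registries.insecure` deserves the same precision: `List of registries that may be contacted over plain HTTP or with TLS certificate verification disabled.` The generated `[registries.search]`/`registries = [...]` tables are the v1 registries.conf layout; containers/image documents the v2 format (`unqualified-search-registries`) today, so it is worth confirming the podman version home-manager targets still accepts v1 before this ships.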
28 changes: 28 additions & 0 deletions modules/virtualisation/oci-containers.nix
@@ -0,0 +1,28 @@
# Equivalent of
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/virtualisation/oci-containers.nix
{ config, lib, pkgs, ... }:

let
cfg = config.virtualisation.oci-containers;

inherit (lib) mkDefault mkIf mkMerge mkOption types;

defaultBackend = "podman";
in {
meta.maintainers = [ pkgs.lib.maintainers.michaelCTS ];

options.virtualisation.oci-containers = {
enable = lib.mkEnableOption
"a convenience option to enable containers in platform-agnostic manner";

I don't understand what "convenience option" means here? I think this should just be "containers"

This is taken from nixpkgs https://github.com/NixOS/nixpkgs/blob/ec68439bdc77ee684a4b2846f03677c5c50920a9/nixos/modules/virtualisation/oci-containers.nix#L335-L349

The problem with containers is that it is used by podman. I'm not versed enough in nix and nixpkgs to avoid creating a recursion problem with containers.enable using containers.backend to enable podman, which itself then sets containers.enable and configures the settings and other stuff. I gave it a shot and immediately ran into recursion errors.

Since nixpkgs doesn't bother with that, I erred on the side of "they probably know better what they're doing than some 1 year nix scrub like me".


backend = mkOption {
type = types.enum [ "podman" ];
default = defaultBackend;
description = "Which service to use as a backend for containers.";
};
};

config = mkIf (cfg.enable && cfg.backend == "podman") {
virtualisation.podman.enable = true;
};
}
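Review bot: The header comment presents this file as the equivalent of NixOS's `virtualisation/oci-containers.nix`, but the module only declares `enable` and `backend` and its `config` block merely sets `virtualisation.podman.enable = true`; a reader following that link will expect the declarative `containers.<name>` options, which are not here. I'd reword the comment to `# Subset of <link>: only the backend selection is implemented; per-container definitions are not.` Separately, `meta.maintainers` is read from `pkgs.lib.maintainers` here while `containers.nix` uses `lib.maintainers` from the module arguments; they presumably resolve to the same set, but using `lib.maintainers.michaelCTS` in both keeps the two new modules consistent.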