
My NixOS system configurations.



      1 { config, lib, pkgs, ... }:
      2 
      3 let
      4   cfg = config.modules.dev.containers;
      5   inherit (lib) mkEnableOption mkIf mkMerge mkOption types;
      6 in
      7 {
      8   options = {
      9     modules.dev.containers = {
     10       enable = mkEnableOption "Enable dev containers";
     11       docker = {
     12         enable = mkEnableOption "Enable docker containers";
     13         package = mkOption {
     14           default = pkgs.docker;
     15           description = "docker package to be used";
     16           type = types.package;
     17         };
     18         runcPackage = mkOption {
     19           default = pkgs.runc;
     20           description = "runc package to be used";
     21           type = types.package;
     22         };
     23       };
     24       podman = {
     25         enable = mkEnableOption "Enable podman containers";
     26       };
     27       buildkit = {
     28         enable = mkEnableOption "Enable podman containers";
     29         grpcAddress = mkOption {
     30           type = types.listOf types.str;
     31           default = [ "unix:///run/buildkit/buildkitd.sock" ];
     32           example = [ "unix:///run/buildkit/buildkitd.sock" "tcp://0.0.0.0:1234" ];
     33           description = lib.mdDoc ''
     34             A list of address to listen to for the grpc service.
     35           '';
     36         };
     37       };
     38     };
     39   };
     40   config = mkIf cfg.enable (mkMerge [
     41     {
     42       networking.firewall.checkReversePath = false;
     43       virtualisation.containers = {
     44         enable = true;
     45         containersConf.settings = {
     46           network = {
     47             default_subnet_pools = [
     48               # See https://github.com/kubernetes-sigs/kind/issues/2872 for this
     49               { "base" = "11.0.0.0/24"; "size" = 24; }
     50               {
     51                 "base" = "192.168.129.0/24";
     52                 "size" = 24;
     53               }
     54               { "base" = "192.168.130.0/24"; "size" = 24; }
     55               { "base" = "192.168.131.0/24"; "size" = 24; }
     56               { "base" = "192.168.132.0/24"; "size" = 24; }
     57             ];
     58           };
     59         };
     60       };
     61     }
     62     (mkIf cfg.docker.enable {
     63       virtualisation = {
     64         containerd = {
     65           enable = true;
     66         };
     67         buildkitd = {
     68           enable = true;
     69           settings = {
     70             grpc = {
     71               address = cfg.buildkit.grpcAddress;
     72             };
     73             worker.oci = {
     74               enabled = false;
     75             };
     76             worker.containerd = {
     77               enabled = true;
     78               platforms = [ "linux/amd64" "linux/arm64" ];
     79               namespace = "buildkit";
     80             };
     81             # FIXME: move to home
     82             registry = {
     83               "r.svc.home:5000" = {
     84                 http = true;
     85                 insecure = true;
     86               };
     87               "r.svc.home" = {
     88                 http = true;
     89                 insecure = true;
     90               };
     91             };
     92           };
     93         };
     94         docker = {
     95           enable = true;
     96           package = cfg.docker.package;
     97           liveRestore = false;
     98           storageDriver = "overlay2";
     99           daemon.settings = {
    100             experimental = true;
    101             bip = "172.26.0.1/16";
    102             runtimes = {
    103               "docker-runc" = {
    104                 path = "${cfg.docker.runcPackage}/bin/runc";
    105               };
    106             };
    107             default-runtime = "docker-runc";
    108             containerd = "/run/containerd/containerd.sock";
    109             features = { buildkit = true; };
    110             insecure-registries = [ "172.30.0.0/16" "192.168.1.0/16" "10.100.0.0/16" "shikoku.home:5000" "r.svc.home:5000" "r.svc.home" ];
    111             seccomp-profile = ./my-seccomp.json;
    112           };
    113         };
    114       };
    115       environment.systemPackages = with pkgs; [
    116         docker-buildx
    117       ];
    118       networking.firewall.trustedInterfaces = [ "docker0" "podman" ];
    119     })
    120     (mkIf cfg.podman.enable {
    121       virtualisation.podman.enable = true;
    122     })
    123     (mkIf config.modules.profiles.work.redhat {
    124       # Red Hat specific setup for virtualisation (buildah, podman, skopeo)
    125       virtualisation = {
    126         containers = {
    127           registries = {
    128             search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
    129           };
    130           policy = {
    131             default = [{ type = "insecureAcceptAnything"; }];
    132             transports = {
    133               docker-daemon = {
    134                 "" = [{ type = "insecureAcceptAnything"; }];
    135               };
    136             };
    137           };
    138         };
    139       };
    140     })
    141   ]);
    142 }