{ pkgs, ... }:
let
  # --- CNI network definitions consumed by podman (see cni_config_dir in
  # containers.conf below). Each file is written to the store and then
  # symlinked into one directory, because podman reads the whole directory.

  # Loopback interface configuration.
  loopbackConf = pkgs.writeText "00-loopback.conf" ''
    {
      "cniVersion": "0.3.0",
      "type": "loopback"
    }
  '';

  # Default "podman" network: a cni0 bridge with host-local IPAM on
  # 10.88.0.0/16, IP masquerading for outbound traffic, and the portmap
  # plugin so published ports (-p) can be forwarded into containers.
  podmanBridgeConf = pkgs.writeText "87-podman-bridge.conflist" ''
    {
      "cniVersion": "0.3.0",
      "name": "podman",
      "plugins": [
        {
          "type": "bridge",
          "bridge": "cni0",
          "isGateway": true,
          "ipMasq": true,
          "ipam": {
            "type": "host-local",
            "subnet": "10.88.0.0/16",
            "routes": [
              { "dst": "0.0.0.0/0" }
            ]
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  '';

  # Directory holding symlinks to the two CNI config files above; the
  # symlink names reuse each derivation's file name.
  cniConfigDir = pkgs.runCommand "cniConfig" { } ''
    set -x
    mkdir $out;
    ln -s ${loopbackConf} $out/${loopbackConf.name}
    ln -s ${podmanBridgeConf} $out/${podmanBridgeConf.name}
  '';

  # containers.conf for podman. Store paths of conmon, the CNI plugins and
  # the CNI config directory are interpolated at build time. Note that
  # "${pkgs.crun}" inside the commented-out TOML line is still a Nix
  # interpolation, so crun is a store dependency of this file even though
  # the runtime is selected by name ("crun") and resolved via $PATH.
  podmanContainersConf = pkgs.writeText "containers.conf" ''
    # containers.conf is the default configuration file for all tools using libpod to
    # manage containers
    # Default transport method for pulling and pushing for images
    image_default_transport = "docker://"
    # Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback.
    conmon_path = [
      "${pkgs.conmon}/bin/conmon"
    ]
    # --runtime ${pkgs.crun}/bin/crun \
    runtime = "crun"
    # Environment variables to pass into conmon
    conmon_env_vars = [
    ]
    # CGroup Manager - valid values are "systemd" and "cgroupfs"
    # cgroup_manager = "systemd"
    cgroup_manager = "cgroupfs"
    # Maximum size of log files (in bytes)
    # -1 is unlimited
    max_log_size = -1
    # Whether to use chroot instead of pivot_root in the runtime
    no_pivot_root = false
    # Directory containing CNI plugin configuration files
    cni_config_dir = "${cniConfigDir}"
    # Directories where the CNI plugin binaries may be located
    cni_plugin_dir = [
      "${pkgs.cni-plugins}/bin"
    ]
    # Default CNI network for libpod.
    # If multiple CNI network configs are present, libpod will use the network with
    # the name given here for containers unless explicitly overridden.
    # The default here is set to the name we set in the
    # 87-podman-bridge.conflist included in the repository.
    # Not setting this, or setting it to the empty string, will use normal CNI
    # precedence rules for selecting between multiple networks.
    cni_default_network = "podman"
    # Default libpod namespace
    # If libpod is joined to a namespace, it will see only containers and pods
    # that were created in the same namespace, and will create new containers and
    # pods in that namespace.
    # The default namespace is "", which corresponds to no namespace. When no
    # namespace is set, all containers and pods are visible.
    #namespace = ""
    # Default pause image name for pod pause containers
    pause_image = "k8s.gcr.io/pause:3.1"
    # Default command to run the pause container
    pause_command = "/pause"
    # Determines whether libpod will reserve ports on the host when they are
    # forwarded to containers. When enabled, when ports are forwarded to containers,
    # they are held open by conmon as long as the container is running, ensuring that
    # they cannot be reused by other programs on the host. However, this can cause
    # significant memory usage if a container has many ports forwarded to it.
    # Disabling this can save memory.
    enable_port_reservation = true
    # Default libpod support for container labeling
    # label=true
  '';
in
{
  home.packages = [ pkgs.podman ];

  home.file = {
    ".config/containers/containers.conf".source = podmanContainersConf;

    # Registry search order for unqualified image names (e.g. "nginx"): the
    # registries are tried in list order, so the same short name can resolve
    # to a different image on each registry. Fully-qualified references
    # (registry/namespace/name) avoid that ambiguity. No registry is marked
    # insecure (plain HTTP / unverified TLS) and none is blocked.
    ".config/containers/registries.conf".text = ''
      [registries.search]
      registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org']
      [registries.insecure]
      registries = []
      #blocked (docker only)
      [registries.block]
      registries = []
    '';

    # Container storage backend.
    ".config/containers/storage.conf".text = ''
      [storage]
      driver = "btrfs"
    '';

    # Image signature policy. "insecureAcceptAnything" is used both as the
    # default and for the docker-daemon transport, so no image signature is
    # ever verified before a pull/run; any image a configured registry serves
    # is accepted as-is. Requiring signatures means per-registry "signedBy"
    # entries (with a keyring) in place of this default.
    ".config/containers/policy.json".text = ''
      {
        "default": [
          {
            "type": "insecureAcceptAnything"
          }
        ],
        "transports":
        {
          "docker-daemon":
          {
            "": [ { "type": "insecureAcceptAnything" } ]
          }
        }
      }
    '';
  };
}