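# Home-manager module: installs podman and writes its user-level configuration
# (~/.config/containers/{containers,registries,storage}.conf and policy.json).
# The CNI network config is built in the Nix store and referenced from
# containers.conf, so the whole setup is reproducible from this file alone.
{ pkgs, ... }:
let
  # Directory of CNI network definitions consumed via network_config_dir below.
  # Both files are strict JSON: CNI rejects comments, so notes live here in Nix.
  cniConfigDir =
    let
      loopback = pkgs.writeText "00-loopback.conf" ''
        {
          "cniVersion": "0.3.0",
          "type": "loopback"
        }
      '';
      # Default "podman" network: a NATed bridge (ipMasq) on 10.88.0.0/16 plus the
      # portmap plugin. Published ports (-p) are bound on every host interface unless
      # a host IP is given explicitly, so this is the attack surface to keep in mind
      # when exposing container services on a laptop/workstation.
      podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
        {
          "cniVersion": "0.3.0",
          "name": "podman",
          "plugins": [
            {
              "type": "bridge",
              "bridge": "cni0",
              "isGateway": true,
              "ipMasq": true,
              "ipam": {
                "type": "host-local",
                "subnet": "10.88.0.0/16",
                "routes": [
                  { "dst": "0.0.0.0/0" }
                ]
              }
            },
            {
              "type": "portmap",
              "capabilities": {
                "portMappings": true
              }
            }
          ]
        }
      '';
    in
    # Symlink both files into one store directory; the file names keep the
    # numeric prefixes that fix CNI load order.
    pkgs.runCommand "cniConfig" { } ''
      set -x
      mkdir $out;
      ln -s ${loopback} $out/${loopback.name}
      ln -s ${podman-bridge} $out/${podman-bridge.name}
    '';

  # containers.conf for podman/libpod. Store paths are interpolated by Nix so the
  # helper binaries are pinned rather than looked up on $PATH.
  containersConf = pkgs.writeText "containers.conf" ''
    # containers.conf is the default configuration file for all tools using libpod to
    # manage containers

    [containers]
    # Maximum size of log files (in bytes)
    # -1 is unlimited
    # NOTE(review): unlimited means a chatty or compromised container can fill the
    # disk with log output; a bounded value is the safer choice for a workstation.
    log_size_max = -1

    [engine]
    # Default transport method for pulling and pushing for images
    image_default_transport = "docker://"
    # Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback.
    conmon_path = [
      "${pkgs.conmon}/bin/conmon"
    ]
    # --runtime ${pkgs.crun}/bin/crun \
    # NOTE(review): the line above is a TOML comment, but Nix still interpolates
    # ''${pkgs.crun} inside it, so crun is pulled into the closure without being
    # the path podman actually uses. "runtime = crun" below is a bare name and is
    # resolved by podman's own runtime search; pin it to the store path (or add
    # crun to home.packages) if a specific build is required — confirm which
    # binary is picked up with `podman info`.
    runtime = "crun"
    # Environment variables to pass into conmon
    conmon_env_vars = [
    ]
    # CGroup Manager - valid values are "systemd" and "cgroupfs"
    cgroup_manager = "systemd"
    # Whether to use chroot instead of pivot_root in the runtime
    # (false keeps pivot_root, which fully detaches the old root from the container)
    no_pivot_root = false
    # Determines whether libpod will reserve ports on the host when they are
    # forwarded to containers. When enabled, when ports are forwarded to containers,
    # they are held open by conmon as long as the container is running, ensuring that
    # they cannot be reused by other programs on the host. However, this can cause
    # significant memory usage if a container has many ports forwarded to it.
    # Disabling this can save memory.
    enable_port_reservation = true

    [network]
    # Directory containing CNI plugin configuration files
    network_config_dir = "${cniConfigDir}"
    # Directories where the CNI plugin binaries may be located
    cni_plugin_dirs = [
      "${pkgs.cni-plugins}/bin"
    ]
    # Default CNI network for libpod.
    # If multiple CNI network configs are present, libpod will use the network with
    # the name given here for containers unless explicitly overridden.
    # The default here is set to the name we set in the
    # 87-podman-bridge.conflist included in the repository.
    # Not setting this, or setting it to the empty string, will use normal CNI
    # precedence rules for selecting between multiple networks.
    default_network = "podman"
  '';
in
{
  home.packages = with pkgs; [ podman ];

  home.file.".config/containers/containers.conf".source = containersConf;

  # Registry configuration (v1 format; newer releases express the same thing with
  # `unqualified-search-registries` — confirm the installed podman still accepts v1).
  # Short image names ("nginx") are tried against each search registry in order,
  # so an unqualified pull can resolve to a different publisher than intended;
  # prefer fully-qualified names (docker.io/library/nginx). The empty insecure
  # list keeps TLS and certificate verification on for every registry.
  home.file.".config/containers/registries.conf".text = ''
    [registries.search]
    registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org']
    [registries.insecure]
    registries = []
    #blocked (docker only)
    [registries.block]
    registries = []
  '';

  home.file.".config/containers/storage.conf".text = ''
    [storage]
    driver = "btrfs"
  '';

  # Image signature policy. NOTE(review): "insecureAcceptAnything" as the default
  # and for docker-daemon means every image from every registry is accepted with
  # no signature check; nothing in this file verifies image provenance. A stricter
  # baseline is a "reject" default with per-registry "signedBy" entries for the
  # registries actually used. Left unchanged here because tightening it breaks
  # pulls of unsigned images until trust anchors are configured.
  home.file.".config/containers/policy.json".text = ''
    {
      "default": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "transports":
      {
        "docker-daemon":
        {
          "": [{"type":"insecureAcceptAnything"}]
        }
      }
    }
  '';
}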