pkgs/posh: change userns and $HOME handling, switch to crun runtime

Since version 0.10.4 [0] the crun runtime understands an annotation to
keep the original groups of the user who runs the container.

[0]: https://github.com/containers/crun/releases/tag/0.10.4

nix/pkgs/posh.nix

@@ -51,37 +51,13 @@ let
     # Default transport method for pulling and pushing for images
     image_default_transport = "docker://"
 
-    # Paths to search for the Conmon container manager binary
-    runtime_path = [
-      "${pkgs.runc}/bin/runc"
-    ]
-
-
-    # Paths to look for the Conmon container manager binary
-    conmon_path = [
-      "${pkgs.conmon}/bin/conmon"
-    ]
-
-
     # Environment variables to pass into conmon
     conmon_env_vars = [
-      # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ]
 
     # CGroup Manager - valid values are "systemd" and "cgroupfs"
-    cgroup_manager = "systemd"
+    # cgroup_manager = "systemd"
-
+    cgroup_manager = "cgroupfs"
-    # Container init binary
-    #init_path = "/usr/libexec/podman/catatonit"
-
-    # Directory for persistent libpod files (database, etc)
-    # By default, this will be configured relative to where containers/storage
-    # stores containers
-    # Uncomment to change location from this default
-    #static_dir = "/var/lib/containers/storage/libpod"
-
-    # Directory for temporary files. Must be tmpfs (wiped after reboot)
-    # tmp_dir = "/var/run/libpod"
 
     # Maximum size of log files (in bytes)
     # -1 is unlimited
@@ -91,14 +67,13 @@ let
     no_pivot_root = false
 
     # Directory containing CNI plugin configuration files
-    # cni_config_dir = "${cniConfigDir}"
+    cni_config_dir = "${cniConfigDir}"
 
     # Directories where the CNI plugin binaries may be located
     cni_plugin_dir = [
       "${pkgs.cni-plugins}/bin"
     ]
 
-
     # Default CNI network for libpod.
     # If multiple CNI network configs are present, libpod will use the network with
     # the name given here for containers unless explicitly overridden.
@@ -128,17 +103,10 @@ let
     # they cannot be reused by other programs on the host. However, this can cause
     # significant memory usage if a container has many ports forwarded to it.
     # Disabling this can save memory.
-    #enable_port_reservation = true
+    enable_port_reservation = true
 
     # Default libpod support for container labeling
     # label=true
-
-    # Paths to look for a valid OCI runtime (runc, runv, etc)
-    # FIXME: this doesn't seem to take effect
-    [runtimes]
-    runc = [
-      "${pkgs.runc}/bin/runc"
-    ]
   '';
 
   policy-json = pkgs.writeText "policy.json" ''
@@ -160,7 +128,9 @@ let
 
 in
 
-{ image, pull ? "always", global_args ? "", run_args ? "" }:
+{ image, pull ? "always", global_args ? "", run_args ? ""
+, userns ? "keep-id"
+}:
 
 (pkgs.writeScriptBin "posh" ''
   #! ${pkgs.bash}/bin/bash
@@ -186,10 +156,18 @@ in
   test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
   ln -sf ${policy-json} $HOME_POLICY_JSON
 
+
+  set -x
   exec ${pkgs.podman}/bin/podman \
-    ${global_args} run --rm -i $tty $ssh -v ~/:/root -w /root --network host --pull=''${POSH_PULL} \
+    --cgroup-manager=cgroupfs \
-    --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.runc}/bin/runc \
+    ${global_args} \
+    run \
+    --annotation=io.crun.keep_original_groups=1 \
     --config ${podmanConfig} \
+    --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
+    --rm -i --network host --pull=''${POSH_PULL} \
+    $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
+    ${if userns != null then "--userns="+userns else ""} \
     ${run_args} \
     ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
 '')