nix: add podman to user env and remove from system

nix/home-manager/configuration/graphical-fullblown.nix

@@ -27,6 +27,7 @@ in {
     ../programs/neovim.nix
     ../programs/pass.nix
     zshCurried
+    ../programs/podman.nix
   ];
 
   nixpkgs.config = {

nix/home-manager/programs/podman.nix

@@ -0,0 +1,160 @@
+{ pkgs
+, ...
+}:
+
+let
+  cniConfigDir = let
+      loopback = pkgs.writeText "00-loopback.conf" ''
+        {
+          "cniVersion": "0.3.0",
+          "type": "loopback"
+        }
+      '';
+
+      podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
+        {
+            "cniVersion": "0.3.0",
+            "name": "podman",
+            "plugins": [
+              {
+                "type": "bridge",
+                "bridge": "cni0",
+                "isGateway": true,
+                "ipMasq": true,
+                "ipam": {
+                    "type": "host-local",
+                    "subnet": "10.88.0.0/16",
+                    "routes": [
+                        { "dst": "0.0.0.0/0" }
+                    ]
+                }
+              },
+              {
+                "type": "portmap",
+                "capabilities": {
+                  "portMappings": true
+                }
+              }
+            ]
+        }
+      '';
+    in pkgs.runCommand "cniConfig" {} ''
+      set -x
+      mkdir $out;
+      ln -s ${loopback} $out/${loopback.name}
+      ln -s ${podman-bridge} $out/${podman-bridge.name}
+    '';
+
+  containersConf = pkgs.writeText "containers.conf" ''
+    # containers.conf is the default configuration file for all tools using libpod to
+    # manage containers
+
+    # Default transport method for pulling and pushing for images
+    image_default_transport = "docker://"
+
+    #  Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback.
+    conmon_path = [ 
+      "${pkgs.conmon}/bin/conmon"
+    ]
+
+    # --runtime ${pkgs.crun}/bin/crun \
+    runtime = "crun"
+
+    # Environment variables to pass into conmon
+    conmon_env_vars = [
+    ]
+
+    # CGroup Manager - valid values are "systemd" and "cgroupfs"
+    # cgroup_manager = "systemd"
+    cgroup_manager = "cgroupfs"
+
+    # Maximum size of log files (in bytes)
+    # -1 is unlimited
+    max_log_size = -1
+
+    # Whether to use chroot instead of pivot_root in the runtime
+    no_pivot_root = false
+
+    # Directory containing CNI plugin configuration files
+    cni_config_dir = "${cniConfigDir}"
+
+    # Directories where the CNI plugin binaries may be located
+    cni_plugin_dir = [
+      "${pkgs.cni-plugins}/bin"
+    ]
+
+    # Default CNI network for libpod.
+    # If multiple CNI network configs are present, libpod will use the network with
+    # the name given here for containers unless explicitly overridden.
+    # The default here is set to the name we set in the
+    # 87-podman-bridge.conflist included in the repository.
+    # Not setting this, or setting it to the empty string, will use normal CNI
+    # precedence rules for selecting between multiple networks.
+    cni_default_network = "podman"
+
+    # Default libpod namespace
+    # If libpod is joined to a namespace, it will see only containers and pods
+    # that were created in the same namespace, and will create new containers and
+    # pods in that namespace.
+    # The default namespace is "", which corresponds to no namespace. When no
+    # namespace is set, all containers and pods are visible.
+    #namespace = ""
+
+    # Default pause image name for pod pause containers
+    pause_image = "k8s.gcr.io/pause:3.1"
+
+    # Default command to run the pause container
+    pause_command = "/pause"
+
+    # Determines whether libpod will reserve ports on the host when they are
+    # forwarded to containers. When enabled, when ports are forwarded to containers,
+    # they are held open by conmon as long as the container is running, ensuring that
+    # they cannot be reused by other programs on the host. However, this can cause
+    # significant memory usage if a container has many ports forwarded to it.
+    # Disabling this can save memory.
+    enable_port_reservation = true
+
+    # Default libpod support for container labeling
+    # label=true
+  '';
+
+  podmanConfigured = pkgs.writeShellScriptBin "podman" ''
+      ${pkgs.podman}/bin/podman \
+        ''${cmd[@]}
+    '';
+in {
+  home.packages = with pkgs; [
+    podman
+  ];
+
+  home.file.".config/containers/containers.conf".source = containersConf;
+
+  home.file.".config/containers/registries.conf".text = ''
+    [registries.search]
+    registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org']
+
+    [registries.insecure]
+    registries = []
+
+    #blocked (docker only)
+    [registries.block]
+    registries = []
+  '';
+
+  home.file.".config/containers/policy.json".text = ''
+    {
+        "default": [
+            {
+                "type": "insecureAcceptAnything"
+            }
+        ],
+        "transports":
+            {
+                "docker-daemon":
+                    {
+                        "": [{"type":"insecureAcceptAnything"}]
+                    }
+            }
+    }
+  '';
+}

nix/os/devices/steveej-t480s-work/configuration.nix

@@ -16,7 +16,5 @@
     ./hw.nix
     ./pkg.nix
     ./user.nix
-
-    ../../profiles/podman/configuration.nix
   ];
 }

nix/os/devices/steveej-t480s-work/user.nix

@@ -11,17 +11,11 @@ in {
   users.extraUsers.steveej2 = mkUser {
     uid = 1001;
     openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-
-    subUidRanges = [{ startUid = 200000; count = 100000; }];
-    subGidRanges = [{ startGid = 200000; count = 100000; }];
   };
 
   users.extraUsers.steveej3 = mkUser {
     uid = 1002;
     openssh.authorizedKeys.keys = keys.users.steveej.openssh;
     shell = pkgs.posh { image = "quay.io/enarx/fedora"; };
-
-    subUidRanges = [{ startUid = 300000; count = 100000; }];
-    subGidRanges = [{ startGid = 300000; count = 100000; }];
   };
 }

nix/os/profiles/common/pkg.nix

@@ -37,7 +37,5 @@
 
     usbutils
     pciutils
-
-    podman
   ];
 }

nix/os/profiles/common/user.nix

@@ -11,9 +11,6 @@ in {
   users.extraUsers.root = mkRoot { };
   users.extraUsers.steveej = mkUser {
     uid = 1000;
-
-    subUidRanges = [{ startUid = 100000; count = 100000; }];
-    subGidRanges = [{ startGid = 100000; count = 100000; }];
   };
 
   security.pam.u2f.enable = true;