From 433bf07407b3c8fcd3fe2efbb5892e9fa4bc938b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 24 Oct 2020 13:00:50 +0200 Subject: [PATCH] nix: add podman to user env and remove from system --- .../configuration/graphical-fullblown.nix | 1 + nix/home-manager/programs/podman.nix | 160 ++++++++++++++++++ .../steveej-t480s-work/configuration.nix | 2 - nix/os/devices/steveej-t480s-work/user.nix | 6 - nix/os/profiles/common/pkg.nix | 2 - nix/os/profiles/common/user.nix | 3 - 6 files changed, 161 insertions(+), 13 deletions(-) create mode 100644 nix/home-manager/programs/podman.nix diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 23ac774..53c469e 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -27,6 +27,7 @@ in { ../programs/neovim.nix ../programs/pass.nix zshCurried + ../programs/podman.nix ]; nixpkgs.config = { diff --git a/nix/home-manager/programs/podman.nix b/nix/home-manager/programs/podman.nix new file mode 100644 index 0000000..a76b4d6 --- /dev/null +++ b/nix/home-manager/programs/podman.nix 
@@ -0,0 +1,160 @@ +{ pkgs +, ... +}: + +let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in pkgs.runCommand "cniConfig" {} '' + set -x + mkdir $out; + ln -s ${loopback} $out/${loopback.name} + ln -s ${podman-bridge} $out/${podman-bridge.name} + ''; + + containersConf = pkgs.writeText "containers.conf" '' + # containers.conf is the default configuration file for all tools using libpod to + # manage containers + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback. + conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + # --runtime ${pkgs.crun}/bin/crun \ + runtime = "crun" + + # Environment variables to pass into conmon + conmon_env_vars = [ + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + # cgroup_manager = "systemd" + cgroup_manager = "cgroupfs" + + # Maximum size of log files (in bytes) + # -1 is unlimited + max_log_size = -1 + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Directory containing CNI plugin configuration files + cni_config_dir = "${cniConfigDir}" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dir = [ + "${pkgs.cni-plugins}/bin" + ] + + # Default CNI network for libpod. 
+ # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + cni_default_network = "podman" + + # Default libpod namespace + # If libpod is joined to a namespace, it will see only containers and pods + # that were created in the same namespace, and will create new containers and + # pods in that namespace. + # The default namespace is "", which corresponds to no namespace. When no + # namespace is set, all containers and pods are visible. + #namespace = "" + + # Default pause image name for pod pause containers + pause_image = "k8s.gcr.io/pause:3.1" + + # Default command to run the pause container + pause_command = "/pause" + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. 
+ enable_port_reservation = true + + # Default libpod support for container labeling + # label=true + ''; + + podmanConfigured = pkgs.writeShellScriptBin "podman" '' + ${pkgs.podman}/bin/podman \ + ''${cmd[@]} + ''; +in { + home.packages = with pkgs; [ + podman + ]; + + home.file.".config/containers/containers.conf".source = containersConf; + + home.file.".config/containers/registries.conf".text = '' + [registries.search] + registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org'] + + [registries.insecure] + registries = [] + + #blocked (docker only) + [registries.block] + registries = [] + ''; + + home.file.".config/containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; +} diff --git a/nix/os/devices/steveej-t480s-work/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix index 5b6e97a..3830116 100644 --- a/nix/os/devices/steveej-t480s-work/configuration.nix +++ b/nix/os/devices/steveej-t480s-work/configuration.nix @@ -16,7 +16,5 @@ ./hw.nix ./pkg.nix ./user.nix - - ../../profiles/podman/configuration.nix ]; } diff --git a/nix/os/devices/steveej-t480s-work/user.nix b/nix/os/devices/steveej-t480s-work/user.nix index 0defb97..b5f1244 100644 --- a/nix/os/devices/steveej-t480s-work/user.nix +++ b/nix/os/devices/steveej-t480s-work/user.nix @@ -11,17 +11,11 @@ in { users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - - subUidRanges = [{ startUid = 200000; count = 100000; }]; - subGidRanges = [{ startGid = 200000; count = 100000; }]; }; users.extraUsers.steveej3 = mkUser { uid = 1002; openssh.authorizedKeys.keys = keys.users.steveej.openssh; shell = pkgs.posh { image = "quay.io/enarx/fedora"; }; - - subUidRanges = [{ startUid = 300000; count = 100000; }]; - subGidRanges = [{ startGid = 300000; count = 100000; }]; }; } 
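Review bot: The `policy.json` written near the end of this hunk sets `"default": [{"type": "insecureAcceptAnything"}]`, so every pull and build accepts any image from any transport and registry with no signature or origin check, and the `docker-daemon` entry merely restates that default. If signature enforcement is not practical for these registries, the policy can still fail closed on origin: make the default `reject` and list the registries actually used (`docker.io`, `quay.io`, `registry.fedoraproject.org` from `registries.conf`, plus `k8s.gcr.io` which `pause_image` pulls from) under the `docker` transport, so a typo'd or squatted registry name is refused rather than run; any other transport in use, e.g. `docker-archive` for `podman load`, would then need its own entry. Separately, `podmanConfigured` is never referenced (`home.packages` installs `pkgs.podman` directly) and expands `''${cmd[@]}`, an array that is never set, so if it were used it would invoke podman with all arguments dropped — `"$@"` is the intended expansion, or the definition should be removed. Since this moves podman into the user environment, rootless operation also depends on subordinate UID/GID ranges, which the other hunks of this patch delete; confirm they are still provided from somewhere.
```nix
  home.file.".config/containers/policy.json".text = ''
    {
      "default": [ { "type": "reject" } ],
      "transports": {
        "docker": {
          "docker.io": [ { "type": "insecureAcceptAnything" } ],
          "quay.io": [ { "type": "insecureAcceptAnything" } ],
          "registry.fedoraproject.org": [ { "type": "insecureAcceptAnything" } ],
          "k8s.gcr.io": [ { "type": "insecureAcceptAnything" } ]
        },
        "docker-daemon": {
          "": [ { "type": "insecureAcceptAnything" } ]
        }
      }
    }
  '';
```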
diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix index f74f7f7..df14e0f 100644 --- a/nix/os/profiles/common/pkg.nix +++ b/nix/os/profiles/common/pkg.nix @@ -37,7 +37,5 @@ usbutils pciutils - - podman ]; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 8b10967..673bc49 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -11,9 +11,6 @@ in { users.extraUsers.root = mkRoot { }; users.extraUsers.steveej = mkUser { uid = 1000; - - subUidRanges = [{ startUid = 100000; count = 100000; }]; - subGidRanges = [{ startGid = 100000; count = 100000; }]; }; security.pam.u2f.enable = true; -- 2.49.0