  1  { config, lib, pkgs, ... }:
  2  
  3  let
  4    cfg = config.modules.dev.containers;
  5    inherit (lib) mkEnableOption mkIf mkMerge mkOption types;
  6  in
  7  {
  8    options = {
  9      modules.dev.containers = {
 10        enable = mkEnableOption "Enable dev containers";
 11        docker = {
 12          enable = mkEnableOption "Enable docker containers";
 13          package = mkOption {
 14            default = pkgs.docker;
 15            description = "docker package to be used";
 16            type = types.package;
 17          };
 18          runcPackage = mkOption {
 19            default = pkgs.runc;
 20            description = "runc package to be used";
 21            type = types.package;
 22          };
 23        };
 24        podman = {
 25          enable = mkEnableOption "Enable podman containers";
 26        };
 27        buildkit = {
 28          enable = mkEnableOption "Enable podman containers";
 29          grpcAddress = mkOption {
 30            type = types.listOf types.str;
 31            default = [ "unix:///run/buildkit/buildkitd.sock" ];
 32            example = [ "unix:///run/buildkit/buildkitd.sock" "tcp://0.0.0.0:1234" ];
 33            description = lib.mdDoc ''
 34              A list of address to listen to for the grpc service.
 35            '';
 36          };
 37        };
 38      };
 39    };
 40    config = mkIf cfg.enable (mkMerge [
 41      {
 42        networking.firewall.checkReversePath = false;
 43        virtualisation.containers = {
 44          enable = true;
 45          containersConf.settings = {
 46            network = {
 47              default_subnet_pools = [
 48                # See https://github.com/kubernetes-sigs/kind/issues/2872 for this
 49                { "base" = "11.0.0.0/24"; "size" = 24; }
 50                {
 51                  "base" = "192.168.129.0/24";
 52                  "size" = 24;
 53                }
 54                { "base" = "192.168.130.0/24"; "size" = 24; }
 55                { "base" = "192.168.131.0/24"; "size" = 24; }
 56                { "base" = "192.168.132.0/24"; "size" = 24; }
 57              ];
 58            };
 59          };
 60        };
 61      }
 62      (mkIf cfg.docker.enable {
 63        virtualisation = {
 64          containerd = {
 65            enable = true;
 66          };
 67          buildkitd = {
 68            enable = true;
 69            settings = {
 70              grpc = {
 71                address = cfg.buildkit.grpcAddress;
 72              };
 73              worker.oci = {
 74                enabled = false;
 75              };
 76              worker.containerd = {
 77                enabled = true;
 78                platforms = [ "linux/amd64" "linux/arm64" ];
 79                namespace = "buildkit";
 80              };
 81              # FIXME: move to home
 82              registry = {
 83                "r.svc.home:5000" = {
 84                  http = true;
 85                  insecure = true;
 86                };
 87                "r.svc.home" = {
 88                  http = true;
 89                  insecure = true;
 90                };
 91              };
 92            };
 93          };
 94          docker = {
 95            enable = true;
 96            package = cfg.docker.package;
 97            liveRestore = false;
 98            storageDriver = "overlay2";
 99            daemon.settings = {
100              userland-proxy = false;
101              experimental = true;
102              bip = "172.26.0.1/16";
103              runtimes = {
104                "docker-runc" = {
105                  path = "${cfg.docker.runcPackage}/bin/runc";
106                };
107              };
108              default-runtime = "docker-runc";
109              containerd = "/run/containerd/containerd.sock";
110              features = { buildkit = true; };
111              insecure-registries = [ "172.30.0.0/16" "192.168.1.0/16" "10.100.0.0/16" "shikoku.home:5000" "r.svc.home:5000" "r.svc.home" ];
112              seccomp-profile = ./my-seccomp.json;
113            };
114          };
115        };
116        environment.systemPackages = with pkgs; [
117          docker-buildx
118        ];
119        networking.firewall.trustedInterfaces = [ "docker0" "podman" ];
120      })
121      (mkIf cfg.podman.enable {
122        virtualisation.podman.enable = true;
123      })
124      (mkIf config.modules.profiles.work.redhat {
125        # Red Hat specific setup for virtualisation (buildah, podman, skopeo)
126        virtualisation = {
127          containers = {
128            registries = {
129              search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ];
130            };
131            policy = {
132              default = [{ type = "insecureAcceptAnything"; }];
133              transports = {
134                docker-daemon = {
135                  "" = [{ type = "insecureAcceptAnything"; }];
136                };
137              };
138            };
139          };
140        };
141      })
142    ]);
143  }