Skip to content
Permalink
Browse files

nixos/podman: support configuring registries and policy

  • Loading branch information
peterhoeg committed Sep 9, 2019
1 parent aeb464d commit b8435df4761867004e05e540f25bc479c6712dc5
Showing with 98 additions and 0 deletions.
  1. +1 −0 nixos/modules/module-list.nix
  2. +97 −0 nixos/modules/programs/podman.nix
@@ -118,6 +118,7 @@
./programs/npm.nix
./programs/oblogout.nix
./programs/plotinus.nix
./programs/podman.nix
./programs/qt5ct.nix
./programs/screen.nix
./programs/sedutil.nix
@@ -0,0 +1,97 @@
{ config, pkgs, lib, ... }:

let
cfg = config.programs.podman;

surroundEachWith = str: list:
map (e: str + (toString e) + str) list;

registriesConf = let
registryList = list:
"registries = [" + (lib.concatStringsSep ", " (surroundEachWith "'" list)) + "]";
in lib.concatStringsSep "\n" (lib.mapAttrsToList (type: registries: ''
[registries.${type}]
${registryList registries}
'') { inherit (cfg.registries) block insecure search; });

in {
###### interface

options = {
programs.podman = with lib; {

enable = mkOption {
type = types.bool;
default = false;
description = "Whenever to configure <command>podman</command> system-wide.";
};

installSystemWide = mkOption {
type = types.bool;
default = true;
description = "Install packages system-wide.";
};

registries = {
search = mkOption {
type = types.listOf types.str;
default = [ "docker.io" "quay.io" ];
description = ''
List of repositories to search.
'';
};

insecure = mkOption {
default = [ ];
type = types.listOf types.str;
description = ''
List of insecure repositories.
'';
};

block = mkOption {
default = [ ];
type = types.listOf types.str;
description = ''
List of blocked repositories.
'';
};
};

policy = mkOption {
default = {
default = [ { type = "reject"; }];
};
type = types.attrs;
literalExample = ''
{
default = [ { type = "insecureAcceptAnything"; } ];
transports = {
docker-daemon = {
"" = [ { type = "insecureAcceptAnything"; } ];
};
};
}
'';
description = ''
Signature verification policy file
</para>
<para>
The default will simply reject everything.
'';
};
};
};

###### implementation

config = lib.mkIf cfg.enable {
environment = {
etc."containers/registries.conf".text = registriesConf;
etc."containers/policy.json".text = builtins.toJSON cfg.policy;

systemPackages = lib.mkIf cfg.installSystemWide
(with pkgs; [ buildah fuse-overlayfs podman runc slirp4netns ]);
};
};
}

0 comments on commit b8435df

Please sign in to comment.
You can’t perform that action at this time.