From 02dfe57e5df47218009ce0b5c313523dec52a585 Mon Sep 17 00:00:00 2001
From: Dawid Dziurla
Date: Mon, 4 Nov 2024 11:36:05 +0100
Subject: [PATCH] podman: install package if enabled and create config files

---
 modules/services/podman-linux/default.nix | 85 ++++++++++++++++++-
 .../configuration-containers-expected.conf | 10 +++
 .../configuration-policy-expected.json | 1 +
 .../configuration-registries-expected.conf | 8 ++
 .../configuration-storage-expected.conf | 4 +
 .../services/podman-linux/configuration.nix | 61 +++++++++++++
 .../modules/services/podman-linux/default.nix | 1 +
 7 files changed, 167 insertions(+), 3 deletions(-)
 create mode 100644 tests/modules/services/podman-linux/configuration-containers-expected.conf
 create mode 100644 tests/modules/services/podman-linux/configuration-policy-expected.json
 create mode 100644 tests/modules/services/podman-linux/configuration-registries-expected.conf
 create mode 100644 tests/modules/services/podman-linux/configuration-storage-expected.conf
 create mode 100644 tests/modules/services/podman-linux/configuration.nix

diff --git a/modules/services/podman-linux/default.nix b/modules/services/podman-linux/default.nix
index 3a77d1595..0eae79ce7 100644
--- a/modules/services/podman-linux/default.nix
+++ b/modules/services/podman-linux/default.nix
@@ -1,6 +1,8 @@
 { config, pkgs, lib, ... }:
-
-{
+let
+  cfg = config.services.podman;
+  toml = pkgs.formats.toml { };
+in {
   meta.maintainers = with lib.hm.maintainers; [ bamhm182 n-hass ];
 
   imports =
@@ -8,10 +10,87 @@
   options.services.podman = {
     enable = lib.mkEnableOption "Podman, a daemonless container engine";
+
+    containersConf.settings = lib.mkOption {
+      type = toml.type;
+      default = { };
+      description = "containers.conf configuration";
+    };
+
+    storage.settings = lib.mkOption {
+      type = toml.type;
+      description = "storage.conf configuration";
+    };
+
+    registries = {
+      search = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ "docker.io" ];
+        description = ''
+          List of repositories to search.
+        '';
+      };
+
+      insecure = lib.mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.str;
+        description = ''
+          List of insecure repositories.
+        '';
+      };
+
+      block = lib.mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.str;
+        description = ''
+          List of blocked repositories.
+        '';
+      };
+    };
+
+    policy = lib.mkOption {
+      default = { };
+      type = lib.types.attrs;
+      example = lib.literalExpression ''
+        {
+          default = [ { type = "insecureAcceptAnything"; } ];
+          transports = {
+            docker-daemon = {
+              "" = [ { type = "insecureAcceptAnything"; } ];
+            };
+          };
+        }
+      '';
+      description = ''
+        Signature verification policy file.
+        If this option is empty the default policy file from
+        `skopeo` will be used.
+      '';
+    };
   };
 
-  config = lib.mkIf config.services.podman.enable {
+  config = lib.mkIf cfg.enable {
     assertions = [
       (lib.hm.assertions.assertPlatform "podman" pkgs lib.platforms.linux)
     ];
+
+    home.packages = [ cfg.package ];
+
+    services.podman.storage.settings = {
+      storage.driver = lib.mkDefault "overlay";
+    };
+
+    xdg.configFile = {
+      "containers/policy.json".source = if cfg.policy != { } then
+        pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+      else
+        "${pkgs.skopeo.policy}/default-policy.json";
+      "containers/registries.conf".source = toml.generate "registries.conf" {
+        registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
+      };
+      "containers/storage.conf".source =
+        toml.generate "storage.conf" cfg.storage.settings;
+      "containers/containers.conf".source =
+        toml.generate "containers.conf" cfg.containersConf.settings;
+    };
   };
 }
diff --git a/tests/modules/services/podman-linux/configuration-containers-expected.conf b/tests/modules/services/podman-linux/configuration-containers-expected.conf
new file mode 100644
index 000000000..3b77b570a
--- /dev/null
+++ b/tests/modules/services/podman-linux/configuration-containers-expected.conf
@@ -0,0 +1,10 @@
+[network]
+default_subnet = "172.16.10.0/24"
+
+[[network.default_subnet_pools]]
+base = "172.16.11.0/24"
+size = 24
+
+[[network.default_subnet_pools]]
+base = "172.16.12.0/24"
+size = 24
diff --git a/tests/modules/services/podman-linux/configuration-policy-expected.json b/tests/modules/services/podman-linux/configuration-policy-expected.json
new file mode 100644
index 000000000..d247fb9b8
--- /dev/null
+++ b/tests/modules/services/podman-linux/configuration-policy-expected.json
@@ -0,0 +1 @@
+{"default":[{"type":"insecureAcceptAnything"}]}
\ No newline at end of file
diff --git a/tests/modules/services/podman-linux/configuration-registries-expected.conf b/tests/modules/services/podman-linux/configuration-registries-expected.conf
new file mode 100644
index 000000000..9d458f36b
--- /dev/null
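Review bot: The description of `registries.insecure`, `List of insecure repositories.`, does not say what listing a host there does: in registries.conf the `[registries.insecure]` table is what allows pulls from that registry over plain HTTP or with an unverified TLS certificate, so I would replace it with `Registries that may be contacted over HTTP or without TLS certificate verification; listing a registry here disables transport security for it.` Likewise the `policy` description says the skopeo default policy is used when the option is empty, but not that, as far as I know, that default is insecureAcceptAnything, i.e. images from any transport are accepted without signature verification; adding `The default policy accepts any image without signature checks; set an explicit policy (for example a reject default with per-transport signedBy entries) to enforce verification.` would make the trade-off visible at the option. A point of style: `type = lib.types.attrs` silently drops earlier definitions and does not recurse, and the nixpkgs manual recommends `lib.types.attrsOf lib.types.anything` for free-form sets like this one. `cfg.package` is read on the `home.packages` line but no `package` option is declared in this hunk, so presumably it comes from an imported module. The generated registries.conf uses the `[registries.search]`/`[registries.insecure]`/`[registries.block]` layout, which I believe is the v1 format that current containers-registries.conf(5) marks as deprecated in favour of `unqualified-search-registries` and `[[registry]]` tables; worth confirming against the podman version being packaged.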
+++ b/tests/modules/services/podman-linux/configuration-registries-expected.conf
@@ -0,0 +1,8 @@
+[registries.block]
+registries = ["ghcr.io", "gallery.ecr.aws"]
+
+[registries.insecure]
+registries = ["quay.io"]
+
+[registries.search]
+registries = ["docker.io"]
diff --git a/tests/modules/services/podman-linux/configuration-storage-expected.conf b/tests/modules/services/podman-linux/configuration-storage-expected.conf
new file mode 100644
index 000000000..dc25b5ec1
--- /dev/null
+++ b/tests/modules/services/podman-linux/configuration-storage-expected.conf
@@ -0,0 +1,4 @@
+[storage]
+driver = "overlay"
+graphroot = "$HOME/.containers/graphroot"
+runroot = "$HOME/.containers/runroot"
diff --git a/tests/modules/services/podman-linux/configuration.nix b/tests/modules/services/podman-linux/configuration.nix
new file mode 100644
index 000000000..e6e1e4f16
--- /dev/null
+++ b/tests/modules/services/podman-linux/configuration.nix
@@ -0,0 +1,61 @@
+{ ... }:
+
+{
+  services.podman = {
+    enable = true;
+    containersConf.settings = {
+      network = {
+        default_subnet = "172.16.10.0/24";
+        default_subnet_pools = [
+          {
+            base = "172.16.11.0/24";
+            size = 24;
+          }
+          {
+            base = "172.16.12.0/24";
+            size = 24;
+          }
+        ];
+      };
+    };
+    storage.settings = {
+      storage = {
+        runroot = "$HOME/.containers/runroot";
+        graphroot = "$HOME/.containers/graphroot";
+      };
+    };
+    registries = {
+      block = [ "ghcr.io" "gallery.ecr.aws" ];
+      insecure = [ "quay.io" ];
+      search = [ "docker.io" ];
+    };
+    policy = { default = [{ type = "insecureAcceptAnything"; }]; };
+  };
+
+  nmt.script = ''
+    configPath=home-files/.config/containers
+    containersFile=$configPath/containers.conf
+    policyFile=$configPath/policy.json
+    registriesFile=$configPath/registries.conf
+    storageFile=$configPath/storage.conf
+
+    assertFileExists $containersFile
+    assertFileExists $policyFile
+    assertFileExists $registriesFile
+    assertFileExists $storageFile
+
+    containersFile=$(normalizeStorePaths $containersFile)
+    policyFile=$(normalizeStorePaths $policyFile)
+    registriesFile=$(normalizeStorePaths $registriesFile)
+    storageFile=$(normalizeStorePaths $storageFile)
+
+    assertFileContent $containersFile ${
+      ./configuration-containers-expected.conf
+    }
+    assertFileContent $policyFile ${./configuration-policy-expected.json}
+    assertFileContent $registriesFile ${
+      ./configuration-registries-expected.conf
+    }
+    assertFileContent $storageFile ${./configuration-storage-expected.conf}
+  '';
+}
diff --git a/tests/modules/services/podman-linux/default.nix b/tests/modules/services/podman-linux/default.nix
index e17ffddf5..a5ba9467e 100644
--- a/tests/modules/services/podman-linux/default.nix
+++ b/tests/modules/services/podman-linux/default.nix
@@ -1,4 +1,5 @@
 {
+  podman-configuration = ./configuration.nix;
   podman-container = ./container.nix;
   podman-integration = ./integration.nix;
   podman-manifest = ./manifest.nix;