commit 52844efcd67028a481a24103d8e93c7ef2bf4f08 · tjh.dev/nixpkgs

tjh.dev / nixpkgs

Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

fork atom

nixos/podman: Add generic networkSocket interface

Robert Hensing 4 years ago 52844efc ff4d83a6

+92

2 changed files

expand all

unified split

nixos

modules

virtualisation

podman-network-socket.nix

podman.nix

+91

nixos/modules/virtualisation/podman-network-socket.nix

··· 1 + { config, lib, pkg, ... }: 2 + let 3 + inherit (lib) 4 + mkOption 5 + types 6 + ; 7 + 8 + cfg = config.virtualisation.podman.networkSocket; 9 + 10 + in 11 + { 12 + options.virtualisation.podman.networkSocket = { 13 + enable = mkOption { 14 + type = types.bool; 15 + default = false; 16 + description = '' 17 + Make the Podman and Docker compatibility API available over the network 18 + with TLS client certificate authentication. 19 + 20 + This allows Docker clients to connect with the equivalents of the Docker 21 + CLI <code>-H</code> and <code>--tls*</code> family of options. 22 + 23 + For certificate setup, see https://docs.docker.com/engine/security/protect-access/ 24 + 25 + This option is independent of <xref linkend="opt-virtualisation.podman.dockerSocket.enable"/>. 26 + ''; 27 + }; 28 + 29 + server = mkOption { 30 + type = types.enum []; 31 + description = '' 32 + Choice of TLS proxy server. 33 + ''; 34 + example = "ghostunnel"; 35 + }; 36 + 37 + openFirewall = mkOption { 38 + type = types.bool; 39 + default = false; 40 + description = '' 41 + Whether to open the port in the firewall. 42 + ''; 43 + }; 44 + 45 + tls.cacert = mkOption { 46 + type = types.path; 47 + description = '' 48 + Path to CA certificate to use for client authentication. 49 + ''; 50 + }; 51 + 52 + tls.cert = mkOption { 53 + type = types.path; 54 + description = '' 55 + Path to certificate describing the server. 56 + ''; 57 + }; 58 + 59 + tls.key = mkOption { 60 + type = types.path; 61 + description = '' 62 + Path to the private key corresponding to the server certificate. 63 + 64 + Use a string for this setting. Otherwise it will be copied to the Nix 65 + store first, where it is readable by any system process. 66 + ''; 67 + }; 68 + 69 + port = mkOption { 70 + type = types.port; 71 + default = 2376; 72 + description = '' 73 + TCP port number for receiving TLS connections. 74 + ''; 75 + }; 76 + listenAddress = mkOption { 77 + type = types.str; 78 + default = "0.0.0.0"; 79 + description = '' 80 + Interface address for receiving TLS connections. 81 + ''; 82 + }; 83 + }; 84 + 85 + config = { 86 + networking.firewall.allowedTCPPorts = 87 + lib.optional (cfg.enable && cfg.openFirewall) cfg.port; 88 + }; 89 + 90 + meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ]; 91 + }

nixos/modules/virtualisation/podman.nix

··· 25 25 in 26 26 { 27 27 imports = [ 28 + ./podman-network-socket.nix 28 29 (lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ]) 29 30 ]; 30 31