# Podman Module
#
# Provides: Rootless Podman container runtime with Docker compatibility
#
# Usage:
#   myModules.podman = {
#     enable = true;
#     dockerCompat = true;   # default: true
#     enableDns = true;      # default: true
#   };
#
# Review notes (not verified against the rest of this configuration):
#   - Containers declared under `virtualisation.oci-containers` are started as
#     systemd system services, so they are not rootless unless the unit itself
#     is configured for a user — confirm this matches the "rootless" intent.
#   - Nothing in this module allocates subuid/subgid ranges; rootless use
#     relies on the user definitions elsewhere in the configuration.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  # Option values for this module, resolved from the evaluated configuration.
  cfg = config.myModules.podman;
in
{
  options.myModules.podman = {
    enable = mkEnableOption "Podman container runtime";

    dockerCompat = mkOption {
      type = types.bool;
      default = true;
      description = "Enable Docker CLI compatibility (docker alias)";
    };

    enableDns = mkOption {
      type = types.bool;
      default = true;
      description = "Enable DNS for container networking";
    };
  };

  # Everything below only applies when the module is enabled.
  config = mkIf cfg.enable {
    virtualisation.containers.enable = true;
    virtualisation.podman.enable = true;
    virtualisation.podman.dockerCompat = cfg.dockerCompat;
    # Setting on podman's default network that controls container DNS.
    virtualisation.podman.defaultNetwork.settings.dns_enabled = cfg.enableDns;
    # Declarative containers (virtualisation.oci-containers.containers.*) use podman.
    virtualisation.oci-containers.backend = "podman";

    # Presumably already installed by virtualisation.podman.enable; kept for
    # explicitness — harmless either way.
    environment.systemPackages = [ pkgs.podman ];

    # Loaded at boot so the networking stack podman needs is present even when
    # module loading is disabled afterwards (the original comment's "locked
    # kernel" — presumably security.lockKernelModules; confirm against the
    # host hardening config). On such a host this list is the whole
    # netfilter/bridge surface that gets loaded, so keep it to what the
    # container network stack actually uses.
    boot.kernelModules = [
      # Required for netavark to create container network interfaces
      "veth"
      "bridge"
      "br_netfilter"
      "tap"
      "tun"
      "loop"

      # nftables components
      "nft_ct"
      "nft_nat"
      "nft_chain_nat"
      "nft_compat"
      "nft_masq"
      "nft_reject_inet"
      "nft_reject_ipv4"
      "nft_reject_ipv6"
      "nft_fib_inet"

      # IPTables extensions commonly used by Podman/Docker
      "xt_conntrack"
      "xt_comment"
      "xt_addrtype"
      "xt_mark"
      "xt_multiport"
      "xt_nat"

      # NAT/Masquerade support
      "xt_MASQUERADE"
      "iptable_nat"
      "iptable_filter"
    ];
  };
}