[nix] Modularized the container backend so I can easily switch it with an option

system/hosts/mcp/configuration.nix

@@ -62,6 +62,7 @@
       "networkmanager"
       "wheel"
       "docker-registry"
+      "docker"
     ];
     shell = pkgs.zsh;
     # Enable linger so that systemd services run for this user are started and

system/hosts/mcp/containers.nix

@@ -1,5 +1,9 @@
-# Started from https://nixos.wiki/wiki/Podman
+{
-{ config, pkgs, ... }:
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
   # Additional configuration
   imports = [
@@ -30,102 +34,130 @@
     ./static-site-hooks.nix
   ];
 
-  # Enable common container config files in /etc/containers
+  options.local = with lib; {
-  virtualisation.containers.enable = true;
+    container-backend = mkOption {
-  virtualisation = {
+      type = with types; uniq str;
-    # docker = {
+      default = "docker";
-    #   enable = true;
+      example = "docker";
-    #   # Enable rootless so that I can run containers as other users for security.
+      description = "Which backend to use for containers: docker or podman";
-    #   rootless = {
+    };
-    #     enable = true;
+    container-socket = mkOption {
-    #   };
+      type = with types; uniq str;
-    # };
+      default = "/var/run/docker.sock";
-    podman = {
+      example = "/var/run/docker.sock";
-      enable = true;
+      description = "Path to the container management deamon's socket.";
-
-      # Create a `docker` alias for podman, to use it as a drop-in replacement
-      dockerCompat = true;
-
-      # Required for containers under podman-compose to be able to talk to each other.
-      defaultNetwork.settings.dns_enabled = true;
-
-      extraPackages = [ pkgs.zfs ];
     };
   };
-  virtualisation.oci-containers.backend = "podman";
 
-  # Useful other development tools
+  config = {
-  environment.systemPackages = with pkgs; [
+    # local = {
-    dive # look into docker image layers
+    #   container-backend = "docker";
-    podman-tui # status of containers in the terminal
+    #   container-socket = "/var/run/docker.sock";
-    docker-compose # start group of containers for dev
+    # };
-    #podman-compose # start group of containers for dev
+    local = {
-  ];
+      container-backend = "podman";
+      container-socket = "/var/run/podman/podman.sock";
+    };
 
-  virtualisation.oci-containers.containers =
+    # Enable common container config files in /etc/containers
-    let
+
-      inherit (import ./containers/lib.nix config)
+    virtualisation = {
-        localHostRuleHavenisms
+      containers.enable = true;
-        havenisms
+      oci-containers.backend = config.local.container-backend;
-        ;
+
-    in
+      docker = lib.mkIf (config.local.container-backend == "docker") {
-    {
+        enable = true;
-      homepage = {
+        # Enable rootless so that I can run containers as other users for security.
-        image = "ghcr.io/gethomepage/homepage:latest";
+        rootless = {
-        autoStart = true;
+          enable = true;
-        extraOptions = [
+          # Set this to make the default DOCKER_HOST be the rootless version for normal users.
-          "-l=traefik.enable=true"
+          setSocketVariable = true;
-          "-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}"
-          "-l=traefik.http.services.homepage.loadbalancer.server.port=3000"
-        ];
-        volumes = [
-          "/tank/config/homepage:/app/config"
-          "/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass"
-          "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
-          "/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
-          "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
-          "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
-        ];
-        environment = {
-          HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
-          HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key";
-          HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key";
-          HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key";
-          HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass";
         };
       };
-      scrutiny = {
+      podman = lib.mkIf (config.local.container-backend == "podman") {
-        image = "ghcr.io/analogj/scrutiny:master-omnibus";
+        enable = true;
-        autoStart = true;
+
-        extraOptions = [
+        # Create a `docker` alias for podman, to use it as a drop-in replacement
-          "-l=traefik.enable=true"
+        dockerCompat = true;
-          "-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}"
+
-          "-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080"
+        # Required for containers under podman-compose to be able to talk to each other.
-          "-l=homepage.group=Infra"
+        defaultNetwork.settings.dns_enabled = true;
-          "-l=homepage.name=Scrutiny"
+
-          "-l=homepage.icon=scrutiny-light.png"
+        extraPackages = [ pkgs.zfs ];
-          "-l=homepage.href=https://scrutiny.${havenisms}"
-          "-l=homepage.description=S.M.A.R.T. monitoring"
-          "-l=homepage.widget.type=scrutiny"
-          "-l=homepage.widget.url=http://scrutiny:8080"
-          "--cap-add=SYS_RAWIO"
-          "--device=/dev/sda:/dev/sda"
-          "--device=/dev/sdb:/dev/sdb"
-          "--device=/dev/sdc:/dev/sdc"
-          "--device=/dev/sdd:/dev/sdd"
-        ];
-        volumes = [
-          "/run/udev:/run/udev:ro"
-          "/tank/config/scrutiny/config:/opt/scrutiny/config"
-          "/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb"
-        ];
-      };
-      valkey = {
-        image = "docker.io/valkey/valkey:7-alpine";
-        autoStart = true;
-        volumes = [
-          "/tank/config/valkey:/usr/local/etc/valkey"
-        ];
       };
     };
+
+    # Useful other development tools
+    environment.systemPackages = with pkgs; [
+      dive # look into docker image layers
+      docker-compose # start group of containers for dev
+    ];
+
+    virtualisation.oci-containers.containers =
+      let
+        inherit (import ./containers/lib.nix config)
+          localHostRuleHavenisms
+          havenisms
+          ;
+      in
+      {
+        homepage = {
+          image = "ghcr.io/gethomepage/homepage:latest";
+          autoStart = true;
+          extraOptions = [
+            "-l=traefik.enable=true"
+            "-l=traefik.http.routers.homepage.rule=${localHostRuleHavenisms "start"}"
+            "-l=traefik.http.services.homepage.loadbalancer.server.port=3000"
+          ];
+          volumes = [
+            "/tank/config/homepage:/app/config"
+            "/tank/secrets/deluge.pass:/app/config/secrets/deluge.pass"
+            "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
+            "/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
+            "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
+            "${config.local.container-socket}:/var/run/docker.sock:ro"
+          ];
+          environment = {
+            HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
+            HOMEPAGE_FILE_RADARR_KEY = "/app/config/secrets/radarr.key";
+            HOMEPAGE_FILE_SONARR_KEY = "/app/config/secrets/sonarr.key";
+            HOMEPAGE_FILE_READARR_KEY = "/app/config/secrets/readarr.key";
+            HOMEPAGE_FILE_DELUGE_PASSWORD = "/app/config/secrets/deluge.pass";
+          };
+        };
+        scrutiny = {
+          image = "ghcr.io/analogj/scrutiny:master-omnibus";
+          autoStart = true;
+          extraOptions = [
+            "-l=traefik.enable=true"
+            "-l=traefik.http.routers.scrutiny.rule=${localHostRuleHavenisms "scrutiny"}"
+            "-l=traefik.http.services.scrutiny.loadbalancer.server.port=8080"
+            "-l=homepage.group=Infra"
+            "-l=homepage.name=Scrutiny"
+            "-l=homepage.icon=scrutiny-light.png"
+            "-l=homepage.href=https://scrutiny.${havenisms}"
+            "-l=homepage.description=S.M.A.R.T. monitoring"
+            "-l=homepage.widget.type=scrutiny"
+            "-l=homepage.widget.url=http://scrutiny:8080"
+            "--cap-add=SYS_RAWIO"
+            "--device=/dev/sda:/dev/sda"
+            "--device=/dev/sdb:/dev/sdb"
+            "--device=/dev/sdc:/dev/sdc"
+            "--device=/dev/sdd:/dev/sdd"
+          ];
+          volumes = [
+            "/run/udev:/run/udev:ro"
+            "/tank/config/scrutiny/config:/opt/scrutiny/config"
+            "/tank/config/scrutiny/influxdb:/opt/scrutiny/influxdb"
+          ];
+        };
+        valkey = {
+          image = "docker.io/valkey/valkey:7-alpine";
+          autoStart = true;
+          volumes = [
+            "/tank/config/valkey:/usr/local/etc/valkey"
+          ];
+        };
+      };
+  };
 }

system/hosts/mcp/containers/bookstack.nix

@@ -1,7 +1,8 @@
 { config, ... }:
 let
   inherit (import ./lib.nix config) mkContainer mkMariaDbContainer havenisms;
-in {
+in
+{
   imports = [
     (mkMariaDbContainer {
       name = "bookstack";
@@ -14,12 +15,12 @@ in {
 
   sops.secrets = {
     bookstack_app_key = {
-      restartUnits = [ "podman-bookstack.service" ];
+      restartUnits = [ "${config.local.container-backend}-bookstack.service" ];
       mode = "0400";
       owner = config.users.users.bookstack.name;
     };
     bookstack_db = {
-      restartUnits = [ "podman-bookstack-mariadb.service" ];
+      restartUnits = [ "${config.local.container-backend}-bookstack-mariadb.service" ];
       mode = "0400";
       owner = config.users.users.bookstack.name;
     };

system/hosts/mcp/containers/focalboard.nix

@@ -1,7 +1,8 @@
 { config, ... }:
 let
   inherit (import ./lib.nix config) mkContainer mkPostgresContainer terakoda;
-in {
+in
+{
   imports = [
     (mkPostgresContainer {
       name = "focalboard";
@@ -14,21 +15,26 @@ in {
 
   sops.secrets = {
     "focalboard/database" = {
-      restartUnits = [ "podman-focalboard.service" "podman-focalboard-postgres.service" ];
+      restartUnits = [
+        "${config.local.container-backend}-focalboard.service"
+        "${config.local.container-backend}-focalboard-postgres.service"
+      ];
       mode = "0400";
       owner = config.users.users.focalboard.name;
     };
   };
 
   sops.templates."focalboard-config.json" = {
-    restartUnits = [ "podman-focalboard.service" ];
+    restartUnits = [ "${config.local.container-backend}-focalboard.service" ];
     owner = config.users.users.focalboard.name;
     content = builtins.toJSON {
       # Defaults from https://github.com/mattermost-community/focalboard/blob/main/config.json
       "serverRoot" = "https://focalboard.terakoda.com";
       "port" = 8000;
       "dbtype" = "postgres";
-      "dbconfig" = "postgres://focalboard:${config.sops.placeholder."focalboard/database"}@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10";
+      "dbconfig" = "postgres://focalboard:${
+        config.sops.placeholder."focalboard/database"
+      }@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10";
       "useSSL" = true;
       "prometheus_address" = ":9092";
       "session_expire_time" = 2592000;

system/hosts/mcp/containers/gitea.nix

@@ -5,10 +5,10 @@ in
 {
   sops.secrets = {
     "gitea/db_password" = {
-      restartUnits = [ "podman-gitea.service" ];
+      restartUnits = [ "${config.local.container-backend}-gitea.service" ];
     };
     "gitea/registration_token" = {
-      restartUnits = [ "podman-gitea-runner.service" ];
+      restartUnits = [ "${config.local.container-backend}-gitea-runner.service" ];
     };
   };
 
@@ -66,7 +66,7 @@ in
     ];
     volumes = [
       # The runner will spawn new containers to run the actions
-      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+      "${config.local.container-socket}:/var/run/docker.sock:ro"
     ];
   };
 }

system/hosts/mcp/containers/havenisms.com/chat.nix

@@ -8,10 +8,10 @@ in
 
   sops.secrets = {
     "matrix/syncv3/db-password" = {
-      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+      restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ];
     };
     "matrix/syncv3/secret" = {
-      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+      restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ];
     };
   };
 

system/hosts/mcp/containers/mariadb.nix

@@ -1,8 +1,8 @@
 # Common config for all mariadb containers
-{ ... }:
+{ config, ... }:
 {
   sops.secrets."mariadb_root_password" = {
-    restartUnits = [ "podman-mariadb.service" ];
+    restartUnits = [ "${config.local.container-backend}-mariadb.service" ];
     mode = "0440";
     group = "mariadb";
   };

system/hosts/mcp/containers/oauth2proxy.nix

@@ -5,11 +5,11 @@ in
 {
   sops.secrets = {
     "oauth2-proxy/cookie-secret" = {
-      restartUnits = [ "podman-oauth2-proxy.service" ];
+      restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ];
       mode = "0400";
     };
     "oauth2-proxy/client-secret" = {
-      restartUnits = [ "podman-oauth2-proxy.service" ];
+      restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ];
       mode = "0400";
     };
   };

system/hosts/mcp/containers/openproject.nix

@@ -2,18 +2,19 @@
 let
   inherit (import ./lib.nix config) mkContainer havenisms;
   hostName = "projects";
-in {
+in
+{
 
   sops.secrets = {
     "openproject/secret-key-base" = {
-      restartUnits = [ "podman-openproject.service" ];
+      restartUnits = [ "${config.local.container-backend}-openproject.service" ];
       mode = "0400";
       owner = config.users.users.bookstack.name;
     };
   };
 
   sops.templates."openproject.env" = {
-    restartUnits = [ "podman-openproject.service" ];
+    restartUnits = [ "${config.local.container-backend}-openproject.service" ];
     content = ''
       OPENPROJECT_SECRET_KEY_BASE=${config.sops.placeholder."openproject/secret-key-base"}
       OPENPROJECT_HOST__NAME=${hostName}.${havenisms}

system/hosts/mcp/containers/traefik.nix

@@ -10,11 +10,11 @@ in
 
   sops.secrets = {
     "traefik/oauth2-client-secret" = {
-      restartUnits = [ "podman-traefik.service" ];
+      restartUnits = [ "${config.local.container-backend}-traefik.service" ];
       mode = "0400";
     };
     "traefik/oauth2-plugin-secret" = {
-      restartUnits = [ "podman-traefik.service" ];
+      restartUnits = [ "${config.local.container-backend}-traefik.service" ];
       mode = "0400";
     };
   };
@@ -47,7 +47,7 @@ in
       "8448:8448"
     ];
     volumes = [
-      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+      "${config.local.container-socket}:/var/run/docker.sock:ro"
       # All the configs from the config directory
       "${traefikConfigDir}:/etc/traefik"
       # Oauth2 config containing secrets