[containers] Disables some containers, adds some docker config.

[nix] Modularized the container backend so I can easily switch it with an option
2025-06-24 18:32:15 -07:00 · 2025-06-24 17:31:30 -07:00
10 changed files with 181 additions and 120 deletions
--- a/system/hosts/mcp/configuration.nix
+++ b/system/hosts/mcp/configuration.nix
@@ -62,6 +62,7 @@
      "networkmanager"
      "wheel"
      "docker-registry"
+      "docker"
    ];
    shell = pkgs.zsh;
    # Enable linger so that systemd services run for this user are started and
--- a/system/hosts/mcp/containers.nix
+++ b/system/hosts/mcp/containers.nix
@@ -1,5 +1,9 @@
-# Started from https://nixos.wiki/wiki/Podman
-{ config, pkgs, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 {
  # Additional configuration
  imports = [
@@ -12,17 +16,17 @@
    ./containers/gitea.nix
    ./containers/goatcounter.nix
    ./containers/grafana.nix
-    ./containers/jobhunt.nix
+    # ./containers/jobhunt.nix
    ./containers/mariadb.nix
    ./containers/media-system.nix
    ./containers/nextcloud.nix
-    ./containers/offen.nix
+    # ./containers/offen.nix
    ./containers/pocket-id.nix
    ./containers/prometheus.nix
    ./containers/public-homepage.nix
    ./containers/searxng.nix
    ./containers/shared-postgres.nix
-    ./containers/timetagger.nix
+    # ./containers/timetagger.nix
    ./containers/traefik.nix
    ./containers/users.nix

@@ -30,17 +34,67 @@
    ./static-site-hooks.nix
  ];

+  options.local = with lib; {
+    container-backend = mkOption {
+      type = with types; uniq str;
+      default = "docker";
+      example = "docker";
+      description = "Which backend to use for containers: docker or podman";
+    };
+    container-socket = mkOption {
+      type = with types; uniq str;
+      default = "/var/run/docker.sock";
+      example = "/var/run/docker.sock";
+      description = "Path to the container management deamon's socket.";
+    };
+  };
+
+  config = {
+    # local = {
+    #   container-backend = "docker";
+    #   container-socket = "/var/run/docker.sock";
+    # };
+    local = {
+      container-backend = "podman";
+      container-socket = "/var/run/podman/podman.sock";
+    };
+
    # Enable common container config files in /etc/containers
-  virtualisation.containers.enable = true;
+
    virtualisation = {
-    # docker = {
-    #   enable = true;
-    #   # Enable rootless so that I can run containers as other users for security.
-    #   rootless = {
-    #     enable = true;
-    #   };
-    # };
-    podman = {
+      containers.enable = true;
+      oci-containers.backend = config.local.container-backend;
+
+      docker = lib.mkIf (config.local.container-backend == "docker") {
+        enable = true;
+        # Enable rootless so that I can run containers as other users for security.
+        rootless = {
+          enable = true;
+          # Set this to make the default DOCKER_HOST be the rootless version for normal users.
+          setSocketVariable = true;
+          daemon = {
+            settings = {
+              default-address-pools = [
+                {
+                  base = "10.88.0.0/16";
+                  size = 24;
+                }
+              ];
+            };
+          };
+        };
+        daemon = {
+          settings = {
+            default-address-pools = [
+              {
+                base = "10.88.0.0/16";
+                size = 24;
+              }
+            ];
+          };
+        };
+      };
+      podman = lib.mkIf (config.local.container-backend == "podman") {
        enable = true;

        # Create a `docker` alias for podman, to use it as a drop-in replacement
@@ -52,14 +106,11 @@
        extraPackages = [ pkgs.zfs ];
      };
    };
-  virtualisation.oci-containers.backend = "podman";

    # Useful other development tools
    environment.systemPackages = with pkgs; [
      dive # look into docker image layers
-    podman-tui # status of containers in the terminal
      docker-compose # start group of containers for dev
-    #podman-compose # start group of containers for dev
    ];

    virtualisation.oci-containers.containers =
@@ -84,7 +135,7 @@
            "/tank/secrets/jellyfin.key:/app/config/secrets/jellyfin.key"
            "/tank/secrets/radarr.key:/app/config/secrets/radarr.key"
            "/tank/secrets/sonarr.key:/app/config/secrets/sonarr.key"
-          "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+            "${config.local.container-socket}:/var/run/docker.sock:ro"
          ];
          environment = {
            HOMEPAGE_FILE_JELLYFIN_KEY = "/app/config/secrets/jellyfin.key";
@@ -128,4 +179,5 @@
          ];
        };
      };
+  };
 }
--- a/system/hosts/mcp/containers/bookstack.nix
+++ b/system/hosts/mcp/containers/bookstack.nix
@@ -1,7 +1,8 @@
 { config, ... }:
 let
  inherit (import ./lib.nix config) mkContainer mkMariaDbContainer havenisms;
-in {
+in
+{
  imports = [
    (mkMariaDbContainer {
      name = "bookstack";
@@ -14,12 +15,12 @@ in {

  sops.secrets = {
    bookstack_app_key = {
-      restartUnits = [ "podman-bookstack.service" ];
+      restartUnits = [ "${config.local.container-backend}-bookstack.service" ];
      mode = "0400";
      owner = config.users.users.bookstack.name;
    };
    bookstack_db = {
-      restartUnits = [ "podman-bookstack-mariadb.service" ];
+      restartUnits = [ "${config.local.container-backend}-bookstack-mariadb.service" ];
      mode = "0400";
      owner = config.users.users.bookstack.name;
    };
--- a/system/hosts/mcp/containers/focalboard.nix
+++ b/system/hosts/mcp/containers/focalboard.nix
@@ -1,7 +1,8 @@
 { config, ... }:
 let
  inherit (import ./lib.nix config) mkContainer mkPostgresContainer terakoda;
-in {
+in
+{
  imports = [
    (mkPostgresContainer {
      name = "focalboard";
@@ -14,21 +15,26 @@ in {

  sops.secrets = {
    "focalboard/database" = {
-      restartUnits = [ "podman-focalboard.service" "podman-focalboard-postgres.service" ];
+      restartUnits = [
+        "${config.local.container-backend}-focalboard.service"
+        "${config.local.container-backend}-focalboard-postgres.service"
+      ];
      mode = "0400";
      owner = config.users.users.focalboard.name;
    };
  };

  sops.templates."focalboard-config.json" = {
-    restartUnits = [ "podman-focalboard.service" ];
+    restartUnits = [ "${config.local.container-backend}-focalboard.service" ];
    owner = config.users.users.focalboard.name;
    content = builtins.toJSON {
      # Defaults from https://github.com/mattermost-community/focalboard/blob/main/config.json
      "serverRoot" = "https://focalboard.terakoda.com";
      "port" = 8000;
      "dbtype" = "postgres";
-      "dbconfig" = "postgres://focalboard:${config.sops.placeholder."focalboard/database"}@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10";
+      "dbconfig" = "postgres://focalboard:${
+        config.sops.placeholder."focalboard/database"
+      }@focalboard-postgres/focalboard?sslmode=disable&connect_timeout=10";
      "useSSL" = true;
      "prometheus_address" = ":9092";
      "session_expire_time" = 2592000;
--- a/system/hosts/mcp/containers/gitea.nix
+++ b/system/hosts/mcp/containers/gitea.nix
@@ -5,10 +5,10 @@ in
 {
  sops.secrets = {
    "gitea/db_password" = {
-      restartUnits = [ "podman-gitea.service" ];
+      restartUnits = [ "${config.local.container-backend}-gitea.service" ];
    };
    "gitea/registration_token" = {
-      restartUnits = [ "podman-gitea-runner.service" ];
+      restartUnits = [ "${config.local.container-backend}-gitea-runner.service" ];
    };
  };

@@ -66,7 +66,7 @@ in
    ];
    volumes = [
      # The runner will spawn new containers to run the actions
-      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+      "${config.local.container-socket}:/var/run/docker.sock:ro"
    ];
  };
 }
--- a/system/hosts/mcp/containers/havenisms.com/chat.nix
+++ b/system/hosts/mcp/containers/havenisms.com/chat.nix
@@ -8,10 +8,10 @@ in

  sops.secrets = {
    "matrix/syncv3/db-password" = {
-      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+      restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ];
    };
    "matrix/syncv3/secret" = {
-      restartUnits = [ "podman-matrix-sliding-sync.service" ];
+      restartUnits = [ "${config.local.container-backend}-matrix-sliding-sync.service" ];
    };
  };

--- a/system/hosts/mcp/containers/mariadb.nix
+++ b/system/hosts/mcp/containers/mariadb.nix
@@ -1,8 +1,8 @@
 # Common config for all mariadb containers
-{ ... }:
+{ config, ... }:
 {
  sops.secrets."mariadb_root_password" = {
-    restartUnits = [ "podman-mariadb.service" ];
+    restartUnits = [ "${config.local.container-backend}-mariadb.service" ];
    mode = "0440";
    group = "mariadb";
  };
--- a/system/hosts/mcp/containers/oauth2proxy.nix
+++ b/system/hosts/mcp/containers/oauth2proxy.nix
@@ -5,11 +5,11 @@ in
 {
  sops.secrets = {
    "oauth2-proxy/cookie-secret" = {
-      restartUnits = [ "podman-oauth2-proxy.service" ];
+      restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ];
      mode = "0400";
    };
    "oauth2-proxy/client-secret" = {
-      restartUnits = [ "podman-oauth2-proxy.service" ];
+      restartUnits = [ "${config.local.container-backend}-oauth2-proxy.service" ];
      mode = "0400";
    };
  };
--- a/system/hosts/mcp/containers/openproject.nix
+++ b/system/hosts/mcp/containers/openproject.nix
@@ -2,18 +2,19 @@
 let
  inherit (import ./lib.nix config) mkContainer havenisms;
  hostName = "projects";
-in {
+in
+{

  sops.secrets = {
    "openproject/secret-key-base" = {
-      restartUnits = [ "podman-openproject.service" ];
+      restartUnits = [ "${config.local.container-backend}-openproject.service" ];
      mode = "0400";
      owner = config.users.users.bookstack.name;
    };
  };

  sops.templates."openproject.env" = {
-    restartUnits = [ "podman-openproject.service" ];
+    restartUnits = [ "${config.local.container-backend}-openproject.service" ];
    content = ''
      OPENPROJECT_SECRET_KEY_BASE=${config.sops.placeholder."openproject/secret-key-base"}
      OPENPROJECT_HOST__NAME=${hostName}.${havenisms}
--- a/system/hosts/mcp/containers/traefik.nix
+++ b/system/hosts/mcp/containers/traefik.nix
@@ -10,11 +10,11 @@ in

  sops.secrets = {
    "traefik/oauth2-client-secret" = {
-      restartUnits = [ "podman-traefik.service" ];
+      restartUnits = [ "${config.local.container-backend}-traefik.service" ];
      mode = "0400";
    };
    "traefik/oauth2-plugin-secret" = {
-      restartUnits = [ "podman-traefik.service" ];
+      restartUnits = [ "${config.local.container-backend}-traefik.service" ];
      mode = "0400";
    };
  };
@@ -47,7 +47,7 @@ in
      "8448:8448"
    ];
    volumes = [
-      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+      "${config.local.container-socket}:/var/run/docker.sock:ro"
      # All the configs from the config directory
      "${traefikConfigDir}:/etc/traefik"
      # Oauth2 config containing secrets
Author	SHA1	Message	Date
Drew Haven	b1510c3670	[containers] Disables some containers, adds some docker config.	2025-06-24 18:32:15 -07:00
Drew Haven	f4dd4583db	[nix] Modularized the container backend so I can easily switch it with an option	2025-06-24 17:31:30 -07:00