| author | 2026-05-19 15:16:05 +0100 | |
|---|---|---|
| committer | 2026-05-19 15:16:05 +0100 | |
| commit | d25a79ea717d29ceb8ecc1c97c0bc4ec8cbaf4d3 (patch) | |
| tree | 5852a6ae9d2a7d563c95e2377d28896a53b48186 /remote-dev/home.nix | |
| parent | 3c3393fd755583a4b7cb3b287df384b06bf0e4d6 (diff) | |
feat(remote-dev): rootless podman setup
Adds podman + helpers (crun, conmon, netavark, aardvark-dns,
slirp4netns, passt) to the home-manager profile, plus rootless-sane
registries.conf, storage.conf (kernel-native overlay driver — the VM's
5.15 kernel has supported rootless overlay since 5.13, so no fuse-overlayfs
is needed), and policy.json.
Documents host-side prerequisites in remote-dev/README.md: install
uidmap, ensure subuid/subgid entries for the user, and enable cgroups
v2 (systemd.unified_cgroup_hierarchy=1) so rootless resource limits
work on Ubuntu 20.04.
Diffstat (limited to 'remote-dev/home.nix')
| -rw-r--r-- | remote-dev/home.nix | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/remote-dev/home.nix b/remote-dev/home.nix
index 0db172b..6ba6620 100644
--- a/remote-dev/home.nix
+++ b/remote-dev/home.nix
@@ -116,6 +116,17 @@ in
 zsh-syntax-highlighting
 zsh-autosuggestions
 zsh-history-substring-search
+
+ # Rootless podman (see README "Podman" section for host prerequisites).
+ # The nix `podman` is wrapped to find these helpers via /nix/store paths,
+ # so we don't need to write a containers.conf for `helper_binaries_dir`.
+ podman
+ crun # OCI runtime (lighter than runc; default for rootless)
+ conmon # container monitor process
+ netavark # default network stack on podman 4+
+ aardvark-dns # DNS for netavark networks
+ slirp4netns # rootless user-mode networking
+ passt # pasta backend (slirp4netns successor; podman picks it up)
 ];
 
 # ── direnv + nix-direnv ───────────────────────────────────────────────────── 
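Review bot: The comment on the added `passt` line says podman "picks it up", but which rootless network backend podman actually uses is version-dependent — pasta became the rootless default only with podman 5, while 4.x keeps slirp4netns unless containers.conf sets `[network] default_rootless_network_cmd = "pasta"` — and the hunk pins neither the podman version nor that option. Either hedge the comment, e.g. `passt # pasta backend (slirp4netns successor); default on podman 5+, older needs default_rootless_network_cmd = "pasta"`, or add that containers.conf setting so the backend is explicit rather than inferred from whichever podman nixpkgs resolves to. Shipping both slirp4netns and passt is harmless, but a reader of this list should be able to tell which one is in use. The enclosing package list starts before the hunk.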
@@ -140,6 +151,32 @@ in
 "git/ignore".source = link "dot_config/git/ignore";
 };
 
+ # ── Rootless podman config ──────────────────────────────────────────────────
+ # Kept inline (not in the chezmoi tree) because Arch's system-wide
+ # /etc/containers defaults already work there; these files exist only
+ # to give nix's user-installed podman sane rootless defaults.
+ xdg.configFile."containers/registries.conf".text = ''
+ unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io"]
+ short-name-mode = "permissive"
+ '';
+
+ xdg.configFile."containers/storage.conf".text = ''
+ [storage]
+ # runroot/graphroot default to $XDG_RUNTIME_DIR/containers and
+ # $XDG_DATA_HOME/containers/storage respectively for rootless — leave unset.
+ driver = "overlay"
+
+ [storage.options.overlay]
+ # Kernel >=5.13 supports rootless overlay natively (VM is on 5.15),
+ # so mount_program is left unset → uses the kernel driver directly
+ # instead of fuse-overlayfs.
+ '';
+
+ xdg.configFile."containers/policy.json".text = builtins.toJSON {
+ default = [ { type = "insecureAcceptAnything"; } ];
+ transports.docker-daemon."" = [ { type = "insecureAcceptAnything"; } ];
+ };
+
 # ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts
 # stay machine-local on the VM. We can't symlink via home.file because
 # mkOutOfStoreSymlink exposes the working-tree perms (0664 under Ubuntu's |
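Review bot: The registries.conf added in this hunk combines three unqualified-search registries with `short-name-mode = "permissive"`, so a bare image name in a non-interactive pull (scripts, direnv hooks) is tried against docker.io, quay.io and ghcr.io in order and the first registry that happens to host that name wins, rather than the one the user meant. For a VM that pulls from automation, `short-name-mode = "enforcing"` — which refuses to guess when no TTY is available and more than one search registry is listed — or fully qualified image names in the callers is the safer default. The policy.json below it sets `insecureAcceptAnything` for both the default transport and docker-daemon, which disables signature verification entirely; that matches the stock distro file, but a one-line comment saying so, `# Same as the distro default: no signature checks. Tighten per-registry if a trusted source is ever required.`, would stop the next reader from assuming it was deliberately tuned. The enclosing attribute set starts before the hunk.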
