-rw-r--r--dot_config/containers/policy.json16
-rw-r--r--dot_config/containers/registries.conf2
-rw-r--r--nix/common.nix19
-rw-r--r--nix/vm.nix64
4 files changed, 61 insertions, 40 deletions
diff --git a/dot_config/containers/policy.json b/dot_config/containers/policy.json
new file mode 100644
index 0000000..d8c638a
--- /dev/null
+++ b/dot_config/containers/policy.json
@@ -0,0 +1,16 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports": {
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
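Review bot: The `"default"` entry on the fourth line of the hunk is `insecureAcceptAnything`, so signature verification is disabled for every transport and registry, not just the local `docker-daemon` one; any image pulled from any registry is trusted without a check. Since the commit moves this file into the shared chezmoi tree, the same blanket policy now applies to the host as well as the VM. A narrower shape keeps the same pulls working: make the default `reject`, scope `insecureAcceptAnything` to the three registries already listed in `registries.conf` under the `docker` transport, and keep the `docker-daemon` entry as it is; per-registry `sigstoreSigned`/`signedBy` entries can then replace `insecureAcceptAnything` one registry at a time.

```json
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "docker.io": [ { "type": "insecureAcceptAnything" } ],
      "quay.io": [ { "type": "insecureAcceptAnything" } ],
      "ghcr.io": [ { "type": "insecureAcceptAnything" } ]
    },
    "docker-daemon": {
      "": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
```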
diff --git a/dot_config/containers/registries.conf b/dot_config/containers/registries.conf
new file mode 100644
index 0000000..62ad8be
--- /dev/null
+++ b/dot_config/containers/registries.conf
@@ -0,0 +1,2 @@
+unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io"]
+short-name-mode = "permissive"
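Review bot: `short-name-mode = "permissive"` on the last line, combined with three `unqualified-search-registries`, means an unqualified `podman pull name` is resolved by trying docker.io, quay.io and ghcr.io in order and taking the first hit, so a name that is missing on the earlier registry is silently satisfied by whoever holds it on a later one. That is the name-squatting path `enforcing` mode exists to close: it prompts interactively and fails in non-interactive use unless the name is fully qualified or has a `[aliases]` entry. Either change the line to `short-name-mode = "enforcing"` or add a full-line comment above it stating why permissive resolution is acceptable for this setup and that pulls should use fully qualified names.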
diff --git a/nix/common.nix b/nix/common.nix
index 5707d2b..66b9038 100644
--- a/nix/common.nix
+++ b/nix/common.nix
@@ -138,9 +138,26 @@
exit 1
'')
- # CI runner (drives podman from pacman; act itself is just a Go binary)
+ # CI runner (drives podman; act itself is just a Go binary)
act
+ # ── Rootless podman ─────────────────────────────────────────────────────
+ # Moved off pacman so the host and VM run the same nix-pinned stack.
+ # The nix `podman` is wrapped to find these helpers via /nix/store
+ # paths, so we don't need a containers.conf for `helper_binaries_dir`.
+ # Per-user containers config (registries/storage/policy) lives under
+ # chezmoi at `private_dot_config/containers/` and is symlinked on the
+ # VM by `vm.nix`'s xdg.configFile block.
+ podman
+ crun # OCI runtime (lighter than runc; default for rootless)
+ conmon # container monitor process
+ netavark # default network stack on podman 4+
+ aardvark-dns # DNS for netavark networks
+ slirp4netns # rootless user-mode networking
+ passt # pasta backend (slirp4netns successor; podman picks it up)
+ podman-compose
+ podman-docker # `docker` shell shim → podman
+
# Editor/AI agent runtimes — NOT for project builds (see policy above)
nodejs_24 # copilot-language-server requires Node 24 (see ai.lua)
uv # for project tooling that asks for `uv`/`uvx`; brings no python
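Review bot: The comment on the sixth added line points at `private_dot_config/containers/`, but the files this commit adds and symlinks live under `dot_config/containers/` (see the `policy.json` and `registries.conf` paths in the other hunks and the `link` calls in `vm.nix`); a reader following the comment will look in the wrong directory. Change it to `# chezmoi at \`dot_config/containers/\` and is symlinked on the`. The `home.packages` list this hunk edits opens and closes outside the hunk.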
diff --git a/nix/vm.nix b/nix/vm.nix
index c9bb391..fe3cdcb 100644
--- a/nix/vm.nix
+++ b/nix/vm.nix
@@ -19,22 +19,13 @@ in
# Ubuntu 20.04-derived hosts still default to cgroups v1; podman 5
# warns on every invocation. Flipping to v2 is a host-level reboot
# and only matters for --memory/--cpus, so silence the warning.
+ # (Arch host is on cgroups v2, so this isn't set in common.nix.)
PODMAN_IGNORE_CGROUPSV1_WARNING = "1";
};
- home.packages = with pkgs; [
- # ── Rootless podman ─────────────────────────────────────────────────────
- # The nix `podman` is wrapped to find these helpers via /nix/store
- # paths, so we don't need to write a containers.conf for
- # `helper_binaries_dir`.
- podman
- crun # OCI runtime (lighter than runc; default for rootless)
- conmon # container monitor process
- netavark # default network stack on podman 4+
- aardvark-dns # DNS for netavark networks
- slirp4netns # rootless user-mode networking
- passt # pasta backend (slirp4netns successor; podman picks it up)
- ];
+ # No extra packages — the rootless podman stack now lives in
+ # `common.nix` so the host and VM share the same nix-pinned versions.
+ home.packages = [ ];
# ── Shared config symlinks ──────────────────────────────────────────────────
# Live symlinks back into the cloned working tree so `git pull` is enough
@@ -92,8 +83,29 @@ in
# Code review (binary from common.nix)
"tuicr/config.toml".source = link "dot_config/tuicr/config.toml";
+
+ # Rootless podman config — registries.conf + policy.json are
+ # chezmoi-owned (shared with the host); storage.conf stays inline
+ # below because the VM needs the overlay driver (ext4 host) while
+ # the Arch host uses btrfs.
+ "containers/registries.conf".source = link "dot_config/containers/registries.conf";
+ "containers/policy.json".source = link "dot_config/containers/policy.json";
};
+ # VM-only: overlay driver. (Host's btrfs storage.conf is chezmoi-owned
+ # at dot_config/containers/storage.conf.)
+ xdg.configFile."containers/storage.conf".text = ''
+ [storage]
+ # runroot/graphroot default to $XDG_RUNTIME_DIR/containers and
+ # $XDG_DATA_HOME/containers/storage respectively for rootless — leave unset.
+ driver = "overlay"
+
+ [storage.options.overlay]
+ # Kernel >=5.13 supports rootless overlay natively (VM is on 5.15),
+ # so mount_program is left unset → uses the kernel driver directly
+ # instead of fuse-overlayfs.
+ '';
+
# Claude-code looks under ~/.claude (NOT XDG). Skills live there.
# Symlink the whole tuicr skill directory so SKILL.md and the wrapper
# script (chezmoi `executable_` prefix preserved → see the dispatch
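Review bot: The `link` entries added for `containers/registries.conf` and `containers/policy.json` are live symlinks into the cloned working tree (the section header in the first hunk says `git pull` is enough), so a pull now changes the VM's image trust policy and registry search order with no home-manager rebuild or review step in between. That is worth stating next to these two lines, since the rest of the section links editor and tool configs where a silent change is harmless; add `# NOTE: live links — a \`git pull\` changes trust policy / registry search order immediately.` above the `containers/registries.conf` entry. The enclosing `xdg.configFile` attribute set opens outside the hunk.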
@@ -124,30 +136,4 @@ in
export ZDOTDIR="$HOME/.config/zsh"
[[ -r "$ZDOTDIR/.zshenv" ]] && source "$ZDOTDIR/.zshenv"
'';
-
- # ── Rootless podman config ──────────────────────────────────────────────────
- # Kept inline (not in the chezmoi tree) because Arch's system-wide
- # /etc/containers defaults already work there; these files exist only
- # to give nix's user-installed podman sane rootless defaults.
- xdg.configFile."containers/registries.conf".text = ''
- unqualified-search-registries = ["docker.io", "quay.io", "ghcr.io"]
- short-name-mode = "permissive"
- '';
-
- xdg.configFile."containers/storage.conf".text = ''
- [storage]
- # runroot/graphroot default to $XDG_RUNTIME_DIR/containers and
- # $XDG_DATA_HOME/containers/storage respectively for rootless — leave unset.
- driver = "overlay"
-
- [storage.options.overlay]
- # Kernel >=5.13 supports rootless overlay natively (VM is on 5.15),
- # so mount_program is left unset → uses the kernel driver directly
- # instead of fuse-overlayfs.
- '';
-
- xdg.configFile."containers/policy.json".text = builtins.toJSON {
- default = [ { type = "insecureAcceptAnything"; } ];
- transports.docker-daemon."" = [ { type = "insecureAcceptAnything"; } ];
- };
}