From b9d077f5d8a8870304cd78f3e10c311c3564cdd3 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 5 Jun 2026 11:05:57 +0100
Subject: feat(nix): unify rootless podman across host and VM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move the podman stack (podman, crun, conmon, netavark, aardvark-dns, slirp4netns, passt, podman-compose, podman-docker) from a vm-only block into common.nix so the Arch host and the Ubuntu remote-dev VM run the same nix-pinned versions. This drops podman-compose + podman-docker from pacman as well — they were the only podman-stack pieces still sourced from there on the host.

Relocate registries.conf + policy.json into the chezmoi tree at dot_config/containers/ so both flavors share them; vm.nix now picks them up via the existing link helper. storage.conf stays inline in vm.nix because the VM needs the overlay driver while the Arch host uses the btrfs driver (root fs is btrfs there).
---
 nix/common.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

(limited to 'nix/common.nix')

diff --git a/nix/common.nix b/nix/common.nix
index 5707d2b..66b9038 100644
--- a/nix/common.nix
+++ b/nix/common.nix
@@ -138,9 +138,26 @@ exit 1 '') - # CI runner (drives podman from pacman; act itself is just a Go binary) + # CI runner (drives podman; act itself is just a Go binary) act + # ── Rootless podman ───────────────────────────────────────────────────── + # Moved off pacman so the host and VM run the same nix-pinned stack. + # The nix `podman` is wrapped to find these helpers via /nix/store + # paths, so we don't need a containers.conf for `helper_binaries_dir`. + # Per-user containers config (registries/storage/policy) lives under + # chezmoi at `private_dot_config/containers/` and is symlinked on the + # VM by `vm.nix`'s xdg.configFile block. + podman + crun # OCI runtime (lighter than runc; default for rootless) + conmon # container monitor process + netavark # default network stack on podman 4+ + aardvark-dns # DNS for netavark networks + slirp4netns # rootless user-mode networking + passt # pasta backend (slirp4netns successor; podman picks it up) + podman-compose + podman-docker # `docker` shell shim → podman + # Editor/AI agent runtimes — NOT for project builds (see policy above) nodejs_24 # copilot-language-server requires Node 24 (see ai.lua) uv # for project tooling that asks for `uv`/`uvx`; brings no python -- cgit v1.3.1
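Review bot: the config location in the new comment block contradicts the commit message: the comment says the per-user containers config lives under `private_dot_config/containers/`, while the message says `dot_config/containers/`. In chezmoi those are different source names (the `private_` prefix strips group/world permissions from the installed target), so one of them needs correcting before this lands; because registries.conf and policy.json decide which registries are trusted and which image signatures are accepted, the mode-restricting variant is the one I would expect, and the commit message should say the same path. Second, the comment asserts the nix `podman` is wrapped to locate conmon/crun/netavark/aardvark-dns/slirp4netns/passt through /nix/store paths and therefore needs no `helper_binaries_dir`; that claim should be checked on both flavors with `podman info --format '{{.Host.OCIRuntime.Path}}'`, `'{{.Host.Conmon.Path}}'` and `'{{.Host.NetworkBackend}}'`, since on the Arch host a pacman-installed conmon/crun earlier in PATH or a leftover /etc/containers/containers.conf can still take precedence over the wrapped helpers, which would silently put the host back on unpinned binaries. Third, `passt # pasta backend (slirp4netns successor; podman picks it up)` is underspecified: which rootless backend is chosen depends on the pinned podman version (pasta is the default from Podman 5, slirp4netns under Podman 4), so either name the version in the comment or set `default_rootless_network_cmd` explicitly in the containers.conf you ship, and if you do add one, update the line above it that says no containers.conf is needed.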