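{ config, pkgs, lib, dotfilesRoot, ... }:
# VM-only Home-Manager profile (Ubuntu 22.04 remote-dev box). Adds
# Mason-related runtime carve-outs and the rootless podman stack on
# top of `common.nix`.
#
# NOTE(review): this header says Ubuntu 22.04 while the cgroup and Mason
# comments below say 20.04 — confirm which host this profile targets.
{
  imports = [ ./common.nix ];

  # Both values are read from the evaluating process's environment, so
  # this module requires impure evaluation (`--impure` under flakes);
  # under pure evaluation `builtins.getEnv` yields "" and Home Manager
  # would be handed an empty username / home directory.
  home.username = builtins.getEnv "USER";
  home.homeDirectory = builtins.getEnv "HOME";

  home.sessionVariables = {
    # Ubuntu 20.04-derived hosts still default to cgroups v1; podman 5
    # warns on every invocation. Flipping to v2 is a host-level reboot.
    # Caveat: the warning is about resource limits — on cgroups v1 a
    # rootless podman cannot apply --memory/--cpus, so a runaway
    # container is bounded only by the host until the VM moves to v2.
    PODMAN_IGNORE_CGROUPSV1_WARNING = "1";
  };

  home.packages = with pkgs; [
    # ── Mason-driven LSP carve-outs (removed by phase p6 once Mason is
    # gone and LSPs come from common.nix directly). Kept here for
    # now so the VM keeps working between phases. ───────────────────────
    jre # Mason's groovy-language-server (headless Java)
    basedpyright # Mason's pypi distro can't install on Ubuntu 20.04
    # (manylinux_2_28 wheels, uv's python rejects)
    # Rust toolchain for Mason packages whose only install source is
    # `cargo install` (shellharden). The Arch host has these via pacman;
    # on the VM Mason needs cargo+rustc on PATH or it bails with ENOENT.
    cargo
    rustc
    # ── Rootless podman ─────────────────────────────────────────────────────
    # The nix `podman` is wrapped to find these helpers via /nix/store
    # paths, so we don't need to write a containers.conf for
    # `helper_binaries_dir`.
    podman
    crun # OCI runtime (lighter than runc; default for rootless)
    conmon # container monitor process
    netavark # default network stack on podman 4+
    aardvark-dns # DNS for netavark networks
    slirp4netns # rootless user-mode networking
    passt # pasta backend (slirp4netns successor; podman picks it up)
  ];

  # ── Rootless podman config ──────────────────────────────────────────────────
  # Kept inline (not in the chezmoi tree) because Arch's system-wide
  # /etc/containers defaults already work there; these files exist only
  # to give nix's user-installed podman sane rootless defaults.
  #
  # Short-name resolution: containers-registries.conf(5) warns that
  # listing several unqualified-search registries invites typosquatting /
  # namespace confusion — `podman pull foo/bar` is tried against each
  # registry in order and the first hit wins, so a squatter on a later
  # registry can serve a name that merely doesn't exist on an earlier one.
  # Search docker.io only, and use "enforcing" so an ambiguous short name
  # prompts on a TTY and errors otherwise instead of being resolved
  # silently. Images from quay.io / ghcr.io must be pulled fully
  # qualified (`ghcr.io/owner/image`), which is how they are normally
  # written anyway.
  xdg.configFile."containers/registries.conf".text = ''
    unqualified-search-registries = ["docker.io"]
    short-name-mode = "enforcing"
  '';

  xdg.configFile."containers/storage.conf".text = ''
    [storage]
    # runroot/graphroot default to $XDG_RUNTIME_DIR/containers and
    # $XDG_DATA_HOME/containers/storage respectively for rootless — leave unset.
    driver = "overlay"
    [storage.options.overlay]
    # Kernel >=5.13 supports rootless overlay natively (VM is on 5.15),
    # so mount_program is left unset → uses the kernel driver directly
    # instead of fuse-overlayfs.
  '';

  # No image signature verification: `insecureAcceptAnything` accepts
  # every image from every transport, so a pull trusts only the registry
  # and its TLS. That is the common distro default and an acceptable
  # trade-off for a throwaway dev VM, but not for anything that runs
  # production workloads — tighten with `signedBy` / sigstore entries
  # there. `builtins.toJSON` cannot carry comments, hence this note here.
  xdg.configFile."containers/policy.json".text = builtins.toJSON {
    default = [ { type = "insecureAcceptAnything"; } ];
    transports.docker-daemon."" = [ { type = "insecureAcceptAnything"; } ];
  };
}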