feat(development): replaced Docker with rootless Podman; misc adjustm…

…ents
dr460nf1r3 · May 8, 2024 · af7f61d · af7f61d
1 parent ad0dfb3
commit af7f61d
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 62 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/nixos/modules/apps.nix b/nixos/modules/apps.nix
@@ -79,19 +79,24 @@ in {
       ansible
       beekeeper-studio
       distrobox
+      dive
+      docker-compose
+      fishPlugins.wakatime-fish
       gh
       gitkraken
-      jetbrains.webstorm
       heroku
       hugo
+      jetbrains.webstorm
       manix
       mongodb-compass
       nix-prefetch-git
       nixd
       nixos-generators
       nixpkgs-lint
       nixpkgs-review
-      nodejs
+      nodejs_22 # 24 not available
+      podman-compose
+      podman-tui
       speedcrunch
       termius
       ventoy-full

diff --git a/nixos/modules/development.nix b/nixos/modules/development.nix
@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 with lib; let
@@ -40,9 +39,6 @@ in {
     # Conflicts with virtualisation.containers if enabled
     boot.enableContainers = false;
 
-    # Wakatime plugin
-    environment.systemPackages = with pkgs; [fishPlugins.wakatime-fish];
-
     # Allow building sdcard images for Raspi
     nixpkgs.config.allowUnsupportedSystem = true;
 
@@ -51,16 +47,15 @@ in {
 
     # Libvirt & Podman with docker alias
     virtualisation = {
-      docker = {
-        autoPrune = {
-          enable = true;
-          flags = ["--all"];
-        };
+      containers.enable = true;
+      lxd.enable = false;
+      podman = {
+        autoPrune.enable = true;
+        defaultNetwork.settings.dns_enabled = true;
+        dockerCompat = true;
+        dockerSocket.enable = true;
         enable = true;
-        enableOnBoot = false;
-        storageDriver = "overlay2";
       };
-      lxd.enable = false;
       virtualbox.host = {
         addNetworkInterface = false;
         enable = true;

diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix
@@ -191,6 +191,7 @@
         ".local/share/TelegramDesktop"
         ".local/share/Vorta"
         ".local/share/baloo"
+        ".local/share/containers"
         ".local/share/direnv"
         ".local/share/dolphin"
         ".local/share/fish"
@@ -226,6 +227,7 @@
         # Cache stuff, not actual user data
         ".cache/bookmarksrunner"
         ".cache/chromium"
+        ".cache/containers"
         ".cache/firedragon"
         ".cache/konsole"
         ".cache/lutris"
@@ -237,6 +239,7 @@
         ".local/share/Trash"
         ".local/state/syncthing"
         ".local/state/wireplumber"
+        # Special permissions needed for those
         {
           directory = ".gnupg";
           mode = "0700";

diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix
@@ -1,6 +1,7 @@
 {
-  keys,
   config,
+  keys,
+  lib,
   ...
 }: let
   # Use fixed UIDs/GIDs
@@ -32,6 +33,7 @@
     nscd = uidGid 990;
     plocate = uidGid 989;
     polkituser = uidGid 988;
+    podman = uidGid 968;
     promtail = uidGid 987;
     rtkit = uidGid 986;
     sshd = uidGid 985;
@@ -87,6 +89,18 @@ in {
         home = "/home/nico";
         isNormalUser = true;
         openssh.authorizedKeys.keyFiles = [keys.nico];
+        subGidRanges = lib.mkIf config.virtualisation.podman.enable [
+          {
+            count = 65536;
+            startGid = 615536;
+          }
+        ];
+        subUidRanges = [
+          {
+            count = 65536;
+            startUid = 615536;
+          }
+        ];
       };
       # Lock root password
       root.hashedPasswordFile = config.sops.secrets."passwords/root".path;