System: Rename system/modules to system/systemmodules

system/systemmodules/docker/default.nix

@@ -0,0 +1,146 @@
+{
+  config,
+  lib,
+  mylib,
+  pkgs,
+  ...
+}: let
+  inherit (config.modules) docker;
+in {
+  options.modules.docker = import ./options.nix {inherit lib mylib;};
+
+  config = lib.mkIf docker.enable {
+    environment.variables = lib.mkMerge [
+      (lib.mkIf ((!docker.podman) && docker.docker.buildkit) {
+        DOCKER_BUILDKIT = 1;
+      })
+    ];
+
+    networking.firewall.trustedInterfaces = ["docker0" "podman0"];
+
+    # Needed for default bridge network to automatically work
+    # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+    # boot.kernel.sysctl."net.ipv6.ip_forward" = 1;
+
+    virtualisation = {
+      docker = {
+        enable = !docker.podman;
+        autoPrune.enable = true;
+
+        extraPackages = with pkgs; [docker-compose];
+
+        # TODO: Rootless docker has no internet?
+        rootless = {
+          enable = docker.docker.rootless;
+          setSocketVariable = true;
+        };
+
+        daemon.settings = {
+          # ipv6 = true;
+          # fixed-cidr-v6 = "2001::/80";
+
+          dns = [
+            "8.8.8.8"
+            # "2001:4860:4860::8888"
+
+            # "127.0.0.1"
+            # "192.168.86.25"
+          ];
+
+          hosts = [
+            # Allow access to docker socket
+            "tcp://0.0.0.0:2375"
+            "unix:///var/run/docker.sock"
+          ];
+        };
+      };
+
+      podman = {
+        enable = docker.podman;
+        autoPrune.enable = true;
+        dockerCompat = true;
+        dockerSocket.enable = true;
+        defaultNetwork.settings.dns_enabled = true;
+
+        extraPackages = with pkgs; [podman-compose];
+      };
+
+      oci-containers.backend =
+        if docker.podman
+        then "podman"
+        else "docker"; # "docker" or "podman"
+      libvirtd.enable = true;
+    };
+
+    systemd.services = let
+      cli =
+        if docker.podman
+        then "${config.virtualisation.podman.package}/bin/podman"
+        else "${config.virtualisation.docker.package}/bin/docker";
+
+      mkDockerNetwork = options:
+        builtins.concatStringsSep "\n" [
+          # Make sure to return true on fail to not crash
+          ''
+            check=$(${cli} network inspect ${options.name} || true)
+            if [ -z "$check" ]; then
+          ''
+
+          (builtins.concatStringsSep " " [
+            "${cli} network create"
+
+            # Disable masquerading
+            (lib.optionalString
+              options.disable_masquerade
+              ''-o "com.docker.network.bridge.enable_ip_masquerade"="false"'')
+
+            # Enable ipv6
+            (lib.optionalString
+              options.ipv6.enable
+              "--ipv6")
+            (lib.optionalString
+              (!(builtins.isNull options.ipv6.gateway))
+              ''--gateway="${options.ipv6.gateway}"'')
+            (lib.optionalString
+              (!(builtins.isNull options.ipv6.subnet))
+              ''--subnet="${options.ipv6.subnet}"'')
+
+            "${options.name}"
+          ])
+
+          ''
+            else
+              echo "Network ${options.name} already exists!"
+            fi
+          ''
+        ];
+
+      mkPodmanNetwork = options:
+        builtins.concatStringsSep "\n" [
+          ''
+            echo "Can't create Podman networks (yet)!"
+          ''
+        ];
+
+      mkSystemdNetworkService = options: let
+        toolName =
+          if docker.podman
+          then "podman"
+          else "docker";
+      in {
+        "${toolName}-create-${options.name}-network" = {
+          description = "Creates the ${toolName} network \"${options.name}\"";
+          after = ["network.target"];
+          wantedBy = ["multi-user.target"];
+
+          serviceConfig.Type = "oneshot";
+          script =
+            if docker.podman
+            then (mkPodmanNetwork options)
+            else (mkDockerNetwork options);
+        };
+      };
+    in
+      lib.mkMerge (builtins.map mkSystemdNetworkService docker.networks);
+  };
+}

system/systemmodules/docker/options.nix

@@ -0,0 +1,61 @@
+{
+  lib,
+  mylib,
+  ...
+}: {
+  enable = lib.mkEnableOption "Enable light virtualization using containers";
+
+  podman = lib.mkEnableOption "Use podman instead of docker";
+  docker.rootless = lib.mkEnableOption "Use rootless docker (no effect if podman is used)";
+  docker.buildkit = lib.mkEnableOption "Use Docker BuildKit (no effect if podman is used)";
+
+  networks = lib.mkOption {
+    type = lib.types.listOf (lib.types.submodule ({
+      lib,
+      mylib,
+      ...
+    }: {
+      options = {
+        name = lib.mkOption {
+          type = lib.types.str;
+          description = "The name of the docker/podman network";
+          example = "behind-nginx";
+        };
+
+        disable_masquerade = lib.mkEnableOption "Disable IP masquerading for this network";
+
+        ipv6 = {
+          enable = lib.mkEnableOption "Enable IPv6 for this network";
+
+          gateway = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            description = "The IPv6 gateway for this network";
+            example = "2000::1";
+            default = null;
+          };
+
+          subnet = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            description = "The IVv6 subnet mask for this network";
+            example = "2000::/80";
+            default = null;
+          };
+        };
+      };
+    }));
+    description = "Docker/Podman networks to create";
+    example = ''
+      {
+        behind-nginx = {
+          disable_masquerade = false;
+          ipv6 = {
+            enable = true;
+            gateway = "2000::1";
+            subnet = "2000::/80";
+          };
+        }
+      }
+    '';
+    default = [];
+  };
+}