diff --git a/system/modules/docker/default.nix b/system/modules/docker/default.nix
index e84d2c81..e364c807 100644
--- a/system/modules/docker/default.nix
+++ b/system/modules/docker/default.nix
@@ -15,6 +15,8 @@ in { }) ]; + networking.firewall.trustedInterfaces = ["docker0" "podman0"]; + virtualisation = { docker = { enable = !docker.podman;
@@ -61,5 +63,74 @@ in { else "docker"; # "docker" or "podman" libvirtd.enable = true; }; + + systemd.services = let + cli = + if docker.podman + then "${config.virtualisation.podman.package}/bin/podman" + else "${config.virtualisation.docker.package}/bin/docker"; + + mkDockerNetwork = name: options: + builtins.concatStringsSep "\n" [ + # Make sure to return true on fail to not crash + '' + check=$(${cli} network inspect ${name} || true) + if [ -z "$check" ]; then + '' + (builtins.concatStringsSep " " [ + "${cli} network create" + + # Disable masquerading + (lib.mkIf + options.disable_masquerade + ''-o "com.docker.network.bridge.enable_ip_masquerade"="false"'') + + # Enable ipv6 + (lib.mkIf + options.ipv6.enable + "--ipv6") + (lib.mkIf + (builtins.hasAttr "gateway" options.ipv6) + ''--gateway="${options.ipv6.gateway}"'') + (lib.mkIf + (builtins.hasAttrs "subnet" options.ipv6) + ''--subnet="${options.ipv6.subnet}"'') + + "${name}" + ]) + + '' + else + echo "${name} already exists!" + fi + '' + ]; + + mkPodmanNetwork = name: options: + builtins.concatStringsSep "\n" [ + '' + ehco "Can't create Podman networks (yet)!" + '' + ]; + + mkSystemdNetworkService = name: options: let + toolName = + if docker.podman + then "Podman" + else "Docker"; + in { + description = "Creates the ${toolName} network \"${name}\""; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig.Type = "oneshot"; + script = + if docker.podman + then (mkPodmanNetwork name options) + else (mkDockerNetwork name options); + }; + in + lib.mkMerge (builtins.mapAttrs mkSystemdNetworkService docker.networks); }; }
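Review bot: `networking.firewall.trustedInterfaces = ["docker0" "podman0"]` switches the host firewall off for everything arriving on those bridges, so any container on the default bridge can reach every port the host listens on via a non-loopback address, not just the service the containers are meant to use. If the goal is to expose particular host services to containers, `networking.firewall.interfaces.docker0.allowedTCPPorts = [ <port> ];` limits it to those ports, and only the bridge of the tool that is actually enabled needs listing (`docker.podman` already selects one). The user-defined networks created in the second hunk get their own `br-*` bridge interfaces under the Docker bridge driver, which this line does not cover, so it is not obvious it even serves the new `docker.networks` feature; a comment naming the host service the containers need would make the intent reviewable.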
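Review bot: `mkDockerNetwork` cannot evaluate as written: `lib.mkIf` yields an attribute set rather than a string, so the `builtins.concatStringsSep " "` list of `lib.mkIf …` elements throws, `builtins.hasAttrs` (the `"subnet" options.ipv6` check) is not a builtin, and since options.nix declares `gateway`/`subnet` with `default = null` the attribute is always present anyway — `lib.optional (options.ipv6.gateway != null) …` is the idiom for a conditional argument. `lib.mkMerge (builtins.mapAttrs …)` hands mkMerge an attrset where it expects a list (`systemd.services = builtins.mapAttrs mkSystemdNetworkService docker.networks;` is sufficient), and the podman branch's `ehco` makes that oneshot always exit 127. The existence check also looks inverted in practice: as far as I recall `docker network inspect` still prints `[]` on stdout for an unknown network, so `$check` is never empty and the create branch is unreachable; testing the exit status avoids that. The unit is only ordered `after = ["network.target"]`, yet `inspect`/`create` need the daemon, so it should be `after`/`requires` `docker.service` or `podman.service` (rootless docker runs as a user unit and needs separate handling), and a unit name like `docker-network-${name}` avoids colliding with other `systemd.services.<name>` entries. Network names and addresses are interpolated unquoted into the shell script; `lib.escapeShellArg` keeps them from being split or interpreted by the shell.
```nix
    mkDockerNetwork = name: options: let
      net = lib.escapeShellArg name;
      createArgs = lib.concatStringsSep " " (
        [ "${cli} network create" ]
        ++ lib.optional options.disable_masquerade
          ''-o "com.docker.network.bridge.enable_ip_masquerade"="false"''
        ++ lib.optional options.ipv6.enable "--ipv6"
        ++ lib.optional (options.ipv6.gateway != null)
          "--gateway=${lib.escapeShellArg options.ipv6.gateway}"
        ++ lib.optional (options.ipv6.subnet != null)
          "--subnet=${lib.escapeShellArg options.ipv6.subnet}"
        ++ [ net ]
      );
    in ''
      # inspect exits non-zero for a missing network; check the status, not stdout
      if ! ${cli} network inspect ${net} >/dev/null 2>&1; then
        ${createArgs}
      else
        echo ${net} "already exists!"
      fi
    '';

    mkPodmanNetwork = name: options: ''
      echo "Can't create Podman networks (yet)!"
    '';

    # … unchanged: mkSystemdNetworkService (add the daemon unit to `after`/`requires`) …
  in
    lib.mapAttrs' (name: options:
      lib.nameValuePair "container-network-${name}" (mkSystemdNetworkService name options)
    ) docker.networks;
```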
diff --git a/system/modules/docker/options.nix b/system/modules/docker/options.nix
index 8a2fad09..020cf310 100644
--- a/system/modules/docker/options.nix
+++ b/system/modules/docker/options.nix
@@ -7,4 +7,48 @@ podman = lib.mkEnableOption "Use podman instead of docker"; docker.rootless = lib.mkEnableOption "Use rootless docker (no effect if podman is used)"; + + networks = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule ({ + lib, + mylib, + ... + }: { + options = { + disable_masquerade = lib.mkEnableOption "Disable IP masquerading for this network"; + + ipv6 = { + enable = lib.mkEnableOption "Enable IPv6 for this network"; + + gateway = lib.mkOption { + type = lib.types.nullOr lib.types.str; + description = "The IPv6 gateway for this network"; + example = "2000::1"; + default = null; + }; + + subnet = lib.mkOption { + type = lib.types.nullOr lib.types.str; + description = "The IVv6 subnet mask for this network"; + example = "2000::/80"; + default = null; + }; + }; + }; + })); + description = "Docker/Podman networks to create"; + example = '' + { + behind-nginx = { + disable_masquerade = false; + ipv6 = { + enable = true; + gateway = "2000::1"; + subnet = "2000::/80"; + }; + } + } + ''; + default = {}; + }; }
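Review bot: The `subnet` description reads `The IVv6 subnet mask for this network` — a typo for IPv6, and the example `2000::/80` is a CIDR prefix rather than a mask, so `The IPv6 subnet (CIDR prefix) for this network` would be accurate. The submodule function takes `mylib` but never uses it, so that argument can be dropped. `gateway` and `subnet` are typed `nullOr str` with no relation to `ipv6.enable`; an assertion that they are only set when `ipv6.enable` is true would turn a silently ignored address into an evaluation error. `disable_masquerade` is snake_case while the rest of the module (`docker.rootless`, `ipv6.enable`) follows the NixOS camelCase convention, so `disableMasquerade` would read consistently.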