Modules/Docker: Add networks option

2025-07-10 00:40:13 +02:00
parent bcbcec1e21
commit f0a18f452d
2 changed files with 115 additions and 0 deletions
--- a/system/modules/docker/default.nix
+++ b/system/modules/docker/default.nix
@ -15,6 +15,8 @@ in {
      })
    ];
    networking.firewall.trustedInterfaces = ["docker0" "podman0"];
    virtualisation = {
      docker = {
        enable = !docker.podman;
@ -61,5 +63,74 @@ in {
        else "docker"; # "docker" or "podman"
      libvirtd.enable = true;
    };
    systemd.services = let
      cli =
        if docker.podman
        then "${config.virtualisation.podman.package}/bin/podman"
        else "${config.virtualisation.docker.package}/bin/docker";
      mkDockerNetwork = name: options:
        builtins.concatStringsSep "\n" [
          # Make sure to return true on fail to not crash
          ''
            check=$(${cli} network inspect ${name} || true)
            if [ -z "$check" ]; then
          ''
          (builtins.concatStringsSep " " [
            "${cli} network create"
            # Disable masquerading
            (lib.mkIf
              options.disable_masquerade
              ''-o "com.docker.network.bridge.enable_ip_masquerade"="false"'')
            # Enable ipv6
            (lib.mkIf
              options.ipv6.enable
              "--ipv6")
            (lib.mkIf
              (builtins.hasAttr "gateway" options.ipv6)
              ''--gateway="${options.ipv6.gateway}"'')
            (lib.mkIf
              (builtins.hasAttrs "subnet" options.ipv6)
              ''--subnet="${options.ipv6.subnet}"'')
            "${name}"
          ])
          ''
            else
              echo "${name} already exists!"
            fi
          ''
        ];
      mkPodmanNetwork = name: options:
        builtins.concatStringsSep "\n" [
          ''
            ehco "Can't create Podman networks (yet)!"
          ''
        ];
      mkSystemdNetworkService = name: options: let
        toolName =
          if docker.podman
          then "Podman"
          else "Docker";
      in {
        description = "Creates the ${toolName} network \"${name}\"";
        after = ["network.target"];
        wantedBy = ["multi-user.target"];
        serviceConfig.Type = "oneshot";
        script =
          if docker.podman
          then (mkPodmanNetwork name options)
          else (mkDockerNetwork name options);
      };
    in
      lib.mkMerge (builtins.mapAttrs mkSystemdNetworkService docker.networks);
  };
 }
--- a/system/modules/docker/options.nix
+++ b/system/modules/docker/options.nix
@ -7,4 +7,48 @@
  podman = lib.mkEnableOption "Use podman instead of docker";
  docker.rootless = lib.mkEnableOption "Use rootless docker (no effect if podman is used)";
  networks = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule ({
      lib,
      mylib,
      ...
    }: {
      options = {
        disable_masquerade = lib.mkEnableOption "Disable IP masquerading for this network";
        ipv6 = {
          enable = lib.mkEnableOption "Enable IPv6 for this network";
          gateway = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            description = "The IPv6 gateway for this network";
            example = "2000::1";
            default = null;
          };
          subnet = lib.mkOption {
            type = lib.types.nullOr lib.types.str;
            description = "The IVv6 subnet mask for this network";
            example = "2000::/80";
            default = null;
          };
        };
      };
    }));
    description = "Docker/Podman networks to create";
    example = ''
      {
        behind-nginx = {
          disable_masquerade = false;
          ipv6 = {
            enable = true;
            gateway = "2000::1";
            subnet = "2000::/80";
          };
        }
      }
    '';
    default = {};
  };
 }