author | zowoq <59103226+zowoq@users.noreply.github.com> | 2021-12-09 12:10:44 +1000 |
---|---|---|
committer | zowoq <59103226+zowoq@users.noreply.github.com> | 2021-12-09 13:03:16 +1000 |
commit | 79e66fce1c2b5a7de3e9a0e75b591ca9552a62ef (patch) | |
tree | ce67a92c6dee4e6a303db425d9eefccba438cbd9 /nixos/modules/virtualisation/podman/network-socket.nix | |
parent | ce82da442b5f66c26f71443e7567e1765953ea9d (diff) | |
nixos/podman: sort files into directories
Makes codeowners, git history, etc. a bit simpler now that podman has expanded beyond the original single-file module and test.
Diffstat (limited to 'nixos/modules/virtualisation/podman/network-socket.nix')
-rw-r--r-- | nixos/modules/virtualisation/podman/network-socket.nix | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/podman/network-socket.nix b/nixos/modules/virtualisation/podman/network-socket.nix
new file mode 100644
index 00000000000..94d8da9d2b6
--- /dev/null
+++ b/nixos/modules/virtualisation/podman/network-socket.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ imports = [
+ ./network-socket-ghostunnel.nix
+ ];
+
+ options.virtualisation.podman.networkSocket = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman and Docker compatibility API available over the network
+ with TLS client certificate authentication.
+
+ This allows Docker clients to connect with the equivalents of the Docker
+ CLI <code>-H</code> and <code>--tls*</code> family of options.
+
+ For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+ This option is independent of <xref linkend="opt-virtualisation.podman.dockerSocket.enable"/>.
+ '';
+ };
+
+ server = mkOption {
+ type = types.enum [];
+ description = ''
+ Choice of TLS proxy server.
+ '';
+ example = "ghostunnel";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the port in the firewall.
+ '';
+ };
+
+ tls.cacert = mkOption {
+ type = types.path;
+ description = ''
+ Path to CA certificate to use for client authentication.
+ '';
+ };
+
+ tls.cert = mkOption {
+ type = types.path;
+ description = ''
+ Path to certificate describing the server.
+ '';
+ };
+
+ tls.key = mkOption {
+ type = types.path;
+ description = ''
+ Path to the private key corresponding to the server certificate.
+
+ Use a string for this setting. Otherwise it will be copied to the Nix
+ store first, where it is readable by any system process.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2376;
+ description = ''
+ TCP port number for receiving TLS connections.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Interface address for receiving TLS connections.
+ '';
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts =
+ lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}