From 79e66fce1c2b5a7de3e9a0e75b591ca9552a62ef Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 9 Dec 2021 12:10:44 +1000
Subject: nixos/podman: sort files into directories
Makes codeowners, git history, etc. a bit simpler now that podman has expanded beyond the original single file module and test.
---
.../virtualisation/podman/network-socket.nix | 95 ++++++++++++++++++++++
1 file changed, 95 insertions(+)
create mode 100644 nixos/modules/virtualisation/podman/network-socket.nix
diff --git a/nixos/modules/virtualisation/podman/network-socket.nix b/nixos/modules/virtualisation/podman/network-socket.nix
new file mode 100644
index 00000000000..94d8da9d2b6
--- /dev/null
+++ b/nixos/modules/virtualisation/podman/network-socket.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ imports = [
+ ./network-socket-ghostunnel.nix
+ ];
+
+ options.virtualisation.podman.networkSocket = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman and Docker compatibility API available over the network
+ with TLS client certificate authentication.
+
+ This allows Docker clients to connect with the equivalents of the Docker
+ CLI -H
and --tls*
family of options.
+
+ For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+ This option is independent of .
+ '';
+ };
+
+ server = mkOption {
+ type = types.enum [];
+ description = ''
+ Choice of TLS proxy server.
+ '';
+ example = "ghostunnel";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the port in the firewall.
+ '';
+ };
+
+ tls.cacert = mkOption {
+ type = types.path;
+ description = ''
+ Path to CA certificate to use for client authentication.
+ '';
+ };
+
+ tls.cert = mkOption {
+ type = types.path;
+ description = ''
+ Path to certificate describing the server.
+ '';
+ };
+
+ tls.key = mkOption {
+ type = types.path;
+ description = ''
+ Path to the private key corresponding to the server certificate.
+
+ Use a string for this setting. Otherwise it will be copied to the Nix
+ store first, where it is readable by any system process.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2376;
+ description = ''
+ TCP port number for receiving TLS connections.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Interface address for receiving TLS connections.
+ '';
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts =
+ lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
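Review bot: The module argument set on the first line of the hunk takes `pkg` where NixOS modules conventionally take `pkgs`; the name is unused in this file so nothing breaks, but it should read `{ config, lib, pkgs, ... }:` so a later edit that adds a package reference does not trip over the odd spelling. The `tls.key` option is typed `types.path`, which also accepts a Nix path literal, and a path literal is exactly what triggers the Nix-store copy the description warns about; consider saying so explicitly in the description, e.g. `Use a string (such as "/path/to/key.pem", example only), not a path literal (./key.pem), for this setting.`, or switching to `types.str` if the consuming module only passes the value through as a string. The `-H` / `--tls*` sentence and the trailing "independent of ." in the `enable` description look like DocBook `<option>`/`<xref>` markup lost in rendering rather than in the commit itself, so I would not change them here. The `server` option is declared as `types.enum []`, which presumably relies on the imported `./network-socket-ghostunnel.nix` merging its own value into the enum; a one-line comment such as `# Values are contributed by the backend modules in ./imports` would save the next reader the lookup.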
--