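{ config, lib, ... }:
let
  inherit (lib)
    mkOption
    types
    ;

  cfg = config.virtualisation.podman.networkSocket;

in
{
  # Options for exposing the Podman (Docker-compatible) API over TCP behind a
  # TLS proxy that authenticates clients by certificate. This file declares the
  # option interface and the optional firewall rule only; nothing here starts a
  # proxy or the Podman API socket itself.
  options.virtualisation.podman.networkSocket = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Make the Podman and Docker compatibility API available over the network
        with TLS client certificate authentication.

        This allows Docker clients to connect with the equivalents of the Docker
        CLI <code>-H</code> and <code>--tls*</code> family of options.

        Any client presenting a certificate signed by the CA in
        <option>virtualisation.podman.networkSocket.tls.cacert</option> gets
        full control over the container runtime, which the Docker documentation
        linked below describes as equivalent to root access on the host. Issue
        client certificates accordingly.

        For certificate setup, see https://docs.docker.com/engine/security/protect-access/

        This option is independent of <xref linkend="opt-virtualisation.podman.dockerSocket.enable"/>.
      '';
    };

    server = mkOption {
      # NOTE(review): the empty list appears to be deliberate. Enum option types
      # merge their value lists across declarations, so each TLS proxy
      # implementation module is presumably expected to re-declare this option
      # with its own name (the example hints at "ghostunnel"); confirm against
      # those modules before changing the type.
      type = types.enum [];
      description = ''
        Choice of TLS proxy server.
      '';
      example = "ghostunnel";
    };

    openFirewall = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to open <option>virtualisation.podman.networkSocket.port</option>
        in the NixOS firewall. Leave this disabled unless the API must be
        reachable from outside the host.
      '';
    };

    tls.cacert = mkOption {
      type = types.path;
      description = ''
        Path to the CA certificate used to authenticate clients: only clients
        whose certificate chains to this CA are accepted. The certificate is
        public, so a Nix path literal (copied to the store) is acceptable here.
      '';
    };

    tls.cert = mkOption {
      type = types.path;
      description = ''
        Path to the certificate describing the server. The certificate is
        public, so a Nix path literal (copied to the store) is acceptable here.
      '';
    };

    tls.key = mkOption {
      # Still typed as `path` so both store paths and plain string paths are
      # accepted; the description explains why only the latter is safe.
      type = types.path;
      description = ''
        Path to the private key corresponding to the server certificate.

        Use a string for this setting (for example <code>"/var/lib/podman/server-key.pem"</code>),
        not a Nix path literal. A path literal is copied into the Nix store,
        which is world-readable, so the private key would be readable by any
        process on the system.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 2376;
      description = ''
        TCP port number for receiving TLS connections. 2376 is the
        conventional port for the TLS-protected Docker API.
      '';
    };
    listenAddress = mkOption {
      type = types.str;
      default = "0.0.0.0";
      description = ''
        Interface address for receiving TLS connections.

        The default binds all IPv4 interfaces. If the API should only be
        reachable on a management network, set this to an address on that
        interface. Note that the port is not opened in the NixOS firewall
        unless <option>virtualisation.podman.networkSocket.openFirewall</option>
        is set.
      '';
    };
  };

  config = {
    # The firewall is only touched when the feature is enabled AND the user has
    # explicitly opted in; a disabled module contributes an empty list.
    networking.firewall.allowedTCPPorts =
      lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
  };

  meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
}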