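{ config, pkgs, lib, ... }: {
  # Docker for the primary user (`config.user`, declared elsewhere in this
  # configuration). Defaults to the rootless daemon so everyday `docker` use
  # does not hand the user root-equivalent access to the host.
  options = {
    rootless_docker = lib.mkOption {
      type = lib.types.bool;
      description = "rootless docker";
      default = true;
    };

    privileged_ports = lib.mkOption {
      type = lib.types.bool;
      description = "rootless docker allowed privileged ports";
      default = false;
    };
  };

  config = {
    home-manager.users.${config.user} = { pkgs, ... }: {
      home.packages = with pkgs; [
        docker-compose
        ctop
      ];
    };

    # Membership in the `docker` group gives control of the rootful daemon's
    # socket, which is equivalent to root on the host. Grant it only when the
    # rootful daemon is the one in use; with rootless docker the user talks to
    # its own socket (setSocketVariable below) and needs no extra group.
    # `users.users` is the current name of the deprecated `users.extraUsers` alias.
    users.users.${config.user}.extraGroups =
      lib.optional (!config.rootless_docker) "docker";

    virtualisation.docker = {
      enable = true;
      rootless = lib.mkIf config.rootless_docker {
        enable = true;
        # Points the user's DOCKER_HOST at the rootless socket so the CLI
        # does not fall back to the rootful daemon.
        setSocketVariable = true;
      };
    };

    # https://im.salty.fish/index.php/archives/nixos-docker-rootless-privileged-ports.html
    # A setcap copy of rootlesskit carrying CAP_NET_BIND_SERVICE lets the
    # rootless daemon publish ports below 1024. The wrapper is only meaningful
    # next to the rootless daemon, so it is gated on both options: gating on
    # `privileged_ports` alone would install a capability-bearing binary for
    # nothing when rootless_docker = false.
    # NOTE(review): for the capability to take effect, the wrappers directory
    # has to precede the plain rootlesskit binary on the rootless docker
    # service's PATH; that wiring is not visible in this module — confirm it
    # exists.
    security.wrappers = lib.mkIf (config.rootless_docker && config.privileged_ports) {
      docker-rootlesskit = {
        owner = "root";
        group = "root";
        # "+ep": effective and permitted sets only; no setuid/setgid bit.
        capabilities = "cap_net_bind_service+ep";
        source = "${pkgs.rootlesskit}/bin/rootlesskit";
      };
    };
  };
}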