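{ config, pkgs, lib, ... }:

# NixOS module: Docker for the user named by `config.user` (defined elsewhere).
# Enables the system (rootful) daemon and, by default, a rootless daemon for
# that user; optionally lets the rootless daemon bind privileged ports.
{
  options = {
    rootless_docker = lib.mkOption {
      type = lib.types.bool;
      description = "rootless docker (run a per-user rootless daemon and point DOCKER_HOST at it)";
      default = true;
    };
    privileged_ports = lib.mkOption {
      type = lib.types.bool;
      description = "rootless docker allowed privileged ports (grant cap_net_bind_service to rootlesskit via a wrapper)";
      default = false;
    };
  };

  config = {
    home-manager.users.${config.user} = { pkgs, ... }: {
      home.packages = with pkgs; [ docker-compose ctop ];
    };

    # Membership in the "docker" group gives access to the rootful daemon's
    # socket, which is equivalent to root on the host.  When the rootless
    # daemon is enabled the user talks to its own socket (setSocketVariable
    # sets DOCKER_HOST), so the group is not needed and granting it would
    # silently undo the least-privilege benefit of going rootless.  Only add
    # it when rootless mode is off and the user must reach the system daemon.
    users.users.${config.user}.extraGroups =
      lib.optional (!config.rootless_docker) "docker";

    virtualisation.docker = {
      # The system daemon is always enabled; rootless is an additional,
      # per-user daemon layered on top when rootless_docker is true.
      enable = true;
      rootless = lib.mkIf config.rootless_docker {
        enable = true;
        setSocketVariable = true;
      };
    };

    # https://im.salty.fish/index.php/archives/nixos-docker-rootless-privileged-ports.html
    # Capability wrapper so the rootless daemon can bind ports < 1024 without
    # lowering net.ipv4.ip_unprivileged_port_start for the whole system.  The
    # wrapper is installed under /run/wrappers/bin as "docker-rootlesskit";
    # NOTE(review): this module does not itself put that binary on the rootless
    # service's PATH — confirm against the linked article that the daemon
    # actually picks it up.  "+ep" means any local user who can execute the
    # wrapper gets a process holding CAP_NET_BIND_SERVICE, so keep the scope to
    # this single binary and only create it when rootless mode is in use
    # (without rootless_docker the wrapper would exist for nothing).
    security.wrappers = lib.mkIf (config.privileged_ports && config.rootless_docker) {
      docker-rootlesskit = {
        owner = "root";
        group = "root";
        capabilities = "cap_net_bind_service+ep";
        source = "${pkgs.rootlesskit}/bin/rootlesskit";
      };
    };
  };
}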