{ config, lib, pkg, ... }:
let
inherit (lib)
mkOption
types
;
cfg = config.virtualisation.podman.networkSocket;
in
{
imports = [
./network-socket-ghostunnel.nix
];
options.virtualisation.podman.networkSocket = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Make the Podman and Docker compatibility API available over the network
with TLS client certificate authentication.
This allows Docker clients to connect with the equivalents of the Docker
CLI -H
and --tls*
family of options.
For certificate setup, see https://docs.docker.com/engine/security/protect-access/
This option is independent of .
'';
};
server = mkOption {
type = types.enum [];
description = ''
Choice of TLS proxy server.
'';
example = "ghostunnel";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Whether to open the port in the firewall.
'';
};
tls.cacert = mkOption {
type = types.path;
description = ''
Path to CA certificate to use for client authentication.
'';
};
tls.cert = mkOption {
type = types.path;
description = ''
Path to certificate describing the server.
'';
};
tls.key = mkOption {
type = types.path;
description = ''
Path to the private key corresponding to the server certificate.
Use a string for this setting. Otherwise it will be copied to the Nix
store first, where it is readable by any system process.
'';
};
port = mkOption {
type = types.port;
default = 2376;
description = ''
TCP port number for receiving TLS connections.
'';
};
listenAddress = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
Interface address for receiving TLS connections.
'';
};
};
config = {
networking.firewall.allowedTCPPorts =
lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
};
meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
}