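{ config, pkgs, ... }:
{
  # https://nixos.wiki/wiki/Docker#Installation
  # TODO: rootless Docker. https://nixos.wiki/wiki/Docker#Rootless_docker
  # TODO: run as systemd services. https://nixos.wiki/wiki/Docker#docker_containers_as_systemd_services
  virtualisation = {
    docker = {
      enable = true;
      # As we use btrfs, we enable the according storageDriver option.
      storageDriver = "btrfs";
      # Run `docker system prune -f` every week.
      autoPrune.enable = true;
      autoPrune.dates = "weekly";
      # https://docs.docker.com/engine/reference/commandline/system_prune/#options
      autoPrune.flags = [
        "--all"
        "--volumes"
        # https://docs.docker.com/engine/reference/commandline/system_prune/#filter
        # https://pkg.go.dev/maze.io/x/duration#ParseDuration
        "--filter until=7d"
      ];
    };
  };

  # Monitor unhealthy Docker containers.
  # The timer re-arms 3 minutes after the service last went inactive, so the
  # check runs roughly every 3 minutes (plus up to 15s of jitter) from boot.
  systemd.timers."docker-health" = {
    wantedBy = [ "timers.target" ];
    partOf = [ "docker-health.service" ];
    timerConfig = {
      OnBootSec = "0m";
      OnUnitInactiveSec = "3m";
      AccuracySec = "15s";
      RandomizedDelaySec = "15s";
    };
  };

  systemd.services."docker-health" = {
    serviceConfig = {
      Type = "oneshot";
      PrivateTmp = true;
      # `docker` requires root access (the daemon socket is root-owned);
      # because the unit already runs as root, no `sudo` is needed in the script.
      User = "root";
      Nice = 19;
      IOSchedulingClass = "idle";
    };
    path = with pkgs; [ docker ];
    # `docker ps --format '{{.Names}}'` prints one container name per line and
    # prints nothing at all when no container matches the filter, so there is
    # no column-header line to strip and nothing depends on docker's exact
    # header formatting.
    #
    # Checking the captured output explicitly (instead of negating a
    # `docker ps | grep -v HEADER` pipeline) matters for two reasons:
    #   * `set -e` never applies to a command prefixed with `!`, and
    #   * with `pipefail`, a failed `docker ps` (daemon down, socket
    #     permission, binary missing) leaves `grep -v` with empty input,
    #     which exits 1 and is then negated to success — the monitor would
    #     silently report "healthy" whenever it could not talk to Docker.
    # Here any failure of `docker ps` itself aborts the script via `set -e`,
    # and only a genuinely empty result counts as healthy.
    #
    # Unhealthy container names are written to stderr and the unit exits 1,
    # so the condition shows up in the journal and in `systemctl --failed`.
    script = ''
      set -eu -o pipefail
      unhealthy="$(docker ps --filter health=unhealthy --format '{{.Names}}')"
      if [ -n "$unhealthy" ]; then
        echo "unhealthy Docker containers:" 1>&2
        echo "$unhealthy" 1>&2
        exit 1
      fi
    '';
  };
}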