mirror of
https://codeberg.org/privacy1st/nix-git
synced 2025-01-10 05:01:20 +01:00
107 lines
4.1 KiB
Nix
107 lines
4.1 KiB
Nix
{ config, pkgs, ... }:
|
|
{
|
|
# https://nixos.wiki/wiki/Docker#Installation
|
|
|
|
# TODO: rootless Docker equivalent with root privileges? https://nixos.wiki/wiki/Docker#Rootless_docker
|
|
# TODO: run as systemd services. https://nixos.wiki/wiki/Docker#docker_containers_as_systemd_services
|
|
|
|
virtualisation = {
|
|
docker = {
|
|
enable = true;
|
|
|
|
# As we use btrfs, we enable the according storageDriver option.
|
|
storageDriver = "btrfs";
|
|
|
|
# IPv6 support.
|
|
# https://search.nixos.org/options?channel=23.05&show=virtualisation.docker.daemon.settings
|
|
# https://docs.docker.com/config/daemon/ipv6/#use-ipv6-for-the-default-bridge-network
|
|
# TODO: See notes in Jinja-Compose/proxy.yml.jinja2 why this is not yet ready to use.
|
|
# daemon.settings = {
|
|
# # Enable IPv6 networking on the default network.
|
|
# ipv6 = true;
|
|
# # Assign a subnet to the default bridge network, enabling dynamic IPv6 address allocation.
|
|
# fixed-cidr-v6 = "2001:db8:1::/64";
|
|
# # Enable additional IPv6 packet filter rules, providing network isolation and port mapping.
|
|
# # This parameter requires experimental to be set to `true`.
|
|
# ip6tables = true;
|
|
# experimental = true;
|
|
# };
|
|
|
|
# Run `docker system prune -f ${autoPrune.flags}` every week.
|
|
# This creates `docker-prune.service` and `docker-prune.timer`.
|
|
autoPrune.enable = true;
|
|
autoPrune.dates = "weekly";
|
|
# https://docs.docker.com/engine/reference/commandline/system_prune/#options
|
|
autoPrune.flags = [
|
|
"--all"
|
|
# https://docs.docker.com/engine/reference/commandline/system_prune/#filter
|
|
# https://pkg.go.dev/maze.io/x/duration#ParseDuration
|
|
# `7d` could not be parsed, thus we use `168h`
|
|
"--filter until=168h"
|
|
# `--volumes` can't be used together with `--filter`.
|
|
# Thus we added our own service below.
|
|
#--volumes
|
|
];
|
|
};
|
|
};
|
|
|
|
# Prune docker volumes.
|
|
# This is a slightly modified copy of https://github.com/NixOS/nixpkgs/blob/5a237aecb57296f67276ac9ab296a41c23981f56/nixos/modules/virtualisation/docker.nix#L211C5-L226
|
|
systemd.services."docker-prune-volumes" = {
|
|
description = "Prune docker volumes";
|
|
restartIfChanged = false;
|
|
unitConfig.X-StopOnRemoval = false;
|
|
serviceConfig.Type = "oneshot";
|
|
script = ''
|
|
${pkgs.docker}/bin/docker system prune -f --all --volumes
|
|
'';
|
|
|
|
# Run weekly after `docker-prune.service` has finished.
|
|
# Reason: Only one `docker system prune` command can be run at a time.
|
|
|
|
startAt = "weekly";
|
|
# Start the specified units when this unit is started,
|
|
# and stop this unit when the specified units are stopped or fail.
|
|
requires = [ "docker.service" ];
|
|
# If the specified units are started at the same time as this unit,
|
|
# delay this unit until they have started.
|
|
after = [ "docker.service" "docker-prune.service" ];
|
|
};
|
|
|
|
# Monitor unhealthy Docker containers.
|
|
systemd.timers."docker-health" = {
|
|
wantedBy = [ "timers.target" ];
|
|
partOf = [ "docker-health.service" ];
|
|
timerConfig = {
|
|
OnBootSec = "0m";
|
|
OnUnitInactiveSec = "3m";
|
|
|
|
AccuracySec = "15s";
|
|
RandomizedDelaySec = "15s";
|
|
};
|
|
};
|
|
systemd.services."docker-health" = {
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
PrivateTmp = true;
|
|
# `docker` requires root access.
|
|
User = "root";
|
|
Nice = 19;
|
|
IOSchedulingClass = "idle";
|
|
};
|
|
path = with pkgs; [
|
|
docker
|
|
];
|
|
# If there are no unhealthy Docker containers, the output of `docker ps -f health=unhealthy` is just one line:
|
|
# CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
|
# We filter this line with `grep -v`.
|
|
# As a result, grep returns exit code 1 if there are no unhealthy containers (as not a single line is printed).
|
|
# Thus, we prefix the whole command with `!`.
|
|
# Lastly, we redirect stdout to stderr with `1>&2` so that unhealthy containers are written to stderr.
|
|
script = ''
|
|
set -eu -o pipefail
|
|
! docker ps -f health=unhealthy | grep -v 'CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES' 1>&2
|
|
'';
|
|
};
|
|
}
|