nixos/cri-o: Add RFC42 'settings' option

2021-07-16 12:29:26 +02:00 · 2021-07-16 12:29:26 +02:00 · 1cf78b53af
parent 9a846d9be4
commit 1cf78b53af
1 changed files with 38 additions and 23 deletions
--- a/nixos/modules/virtualisation/cri-o.nix
+++ b/nixos/modules/virtualisation/cri-o.nix
@ -6,6 +6,9 @@ let

  crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; });

+  format = pkgs.formats.toml { };
+
+  cfgFile = format.generate "00-default.conf" cfg.settings;
 in
 {
  imports = [
@ -80,6 +83,15 @@ in
      description = "Override the network_dir option.";
      internal = true;
    };
+
+    settings = lib.mkOption {
+      type = format.type;
+      default = { };
+      description = ''
+        Configuration for cri-o, see
+        <link xlink:href="https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md"/>.
+      '';
+    };
  };

  config = mkIf cfg.enable {
@ -87,36 +99,38 @@ in

    environment.etc."crictl.yaml".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";

-    environment.etc."crio/crio.conf.d/00-default.conf".text = ''
-      [crio]
-      storage_driver = "${cfg.storageDriver}"
+    virtualisation.cri-o.settings.crio = {
+      storage_driver = cfg.storageDriver;

-      [crio.image]
-      ${optionalString (cfg.pauseImage != null) ''pause_image = "${cfg.pauseImage}"''}
-      ${optionalString (cfg.pauseCommand != null) ''pause_command = "${cfg.pauseCommand}"''}
+      image = {
+        pause_image = lib.mkIf (cfg.pauseImage != null) cfg.pauseImage;
+        pause_command = lib.mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
+      };

-      [crio.network]
-      plugin_dirs = ["${pkgs.cni-plugins}/bin/"]
-      ${optionalString (cfg.networkDir != null) ''network_dir = "${cfg.networkDir}"''}
+      network = {
+        plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
+        network_dir = lib.mkIf (cfg.networkDir != null) cfg.networkDir;
+      };

-      [crio.runtime]
-      cgroup_manager = "systemd"
-      log_level = "${cfg.logLevel}"
-      pinns_path = "${cfg.package}/bin/pinns"
-      hooks_dir = [
-      ${lib.optionalString config.virtualisation.containers.ociSeccompBpfHook.enable
-        ''"${config.boot.kernelPackages.oci-seccomp-bpf-hook}",''}
-      ]
+      runtime = {
+        cgroup_manager = "systemd";
+        log_level = cfg.logLevel;
+        manage_ns_lifecycle = true;
+        pinns_path = "${cfg.package}/bin/pinns";
+        hooks_dir =
+          optional (config.virtualisation.containers.ociSeccompBpfHook.enable)
+            config.boot.kernelPackages.oci-seccomp-bpf-hook;

-      ${optionalString (cfg.runtime != null) ''
-      default_runtime = "${cfg.runtime}"
-      [crio.runtime.runtimes]
-      [crio.runtime.runtimes.${cfg.runtime}]
-      ''}
-    '';
+        default_runtime = lib.mkIf (cfg.runtime != null) cfg.runtime;
+        runtimes = lib.mkIf (cfg.runtime != null) {
+          "${cfg.runtime}" = { };
+        };
+      };
+    };

    environment.etc."cni/net.d/10-crio-bridge.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";
    environment.etc."cni/net.d/99-loopback.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf";
+    environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;

    # Enable common /etc/containers configuration
    virtualisation.containers.enable = true;
@ -139,6 +153,7 @@ in
        TimeoutStartSec = "0";
        Restart = "on-abnormal";
      };
+      restartTriggers = [ cfgFile ];
    };
  };
 }