path: root/programs/docker.nix
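{ config, lib, pkgs, ... }:

# Home Manager module for the Docker CLI client.
#
# Installs the client package, renders `~/.docker/config.json` from the
# `settings` option, and generates one `docker-credential-<id>` wrapper
# script per entry of `credHelpersWrap`, so registry credentials are fetched
# from an external command at runtime instead of being kept in the config.
#
# Both the rendered config.json and the wrapper scripts are build outputs in
# the Nix store, which is world-readable on a multi-user machine: nothing
# placed in `settings` or in a `credHelpersWrap` command string is secret.
let
  cfg = config.programs.docker;
  jsonFormat = pkgs.formats.json { };
  # Free-form: any JSON-serialisable attribute set is accepted, so the module
  # does not need to enumerate every key the Docker client understands.
  settingsType = lib.types.submodule {
    freeformType = jsonFormat.type;
  };
in
{
  options.programs.docker = {
    enable = lib.mkEnableOption "Container runtime client";

    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.docker-client;
      defaultText = lib.literalExpression "pkgs.docker-client";
      description = "Package providing {command}`docker`.";
    };

    settings = lib.mkOption {
      type = settingsType;
      default = { };
      # The file is declared via `home.file.".docker/config.json"` below, i.e.
      # relative to $HOME, not to $XDG_CONFIG_HOME.
      description = ''
        Client configuration, written to {file}`$HOME/.docker/config.json`.

        The generated file lives in the world-readable Nix store, so never
        store cleartext passwords or auth tokens here. Use the
        `credHelpersWrap` option instead to retrieve credentials from your
        favorite password manager at runtime.
      '';
      example = lib.literalExpression ''
        {
          currentContext = "colima";
        };
      '';
    };

    # why not use the pass credstore directly? you do you, I don't want docker
    # messing with my bigbrain password-store layout
    credHelpersWrap = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      description = ''
        A mapping of registry URLs to shell commands to use as credential
        helpers. Each command becomes the body of a generated
        `docker-credential-*` script and is registered under `credHelpers`
        in the generated config.

        The command string itself is stored in the Nix store, so it must
        only reference the secret (for example a password-store entry),
        never contain it.
      '';
      # Nix attribute sets bind with `=`, not `:`; `$${` is the escape for a
      # literal `${` inside an indented string.
      example = lib.literalExpression ''
        { "docker.io" = "$${pkgs.pass}/bin/pass show docker.io"; }
      '';
    };
  };

  config =
    let
      # Docker resolves a helper named `docker-credential-<suffix>` for the
      # suffix stored in `credHelpers`; hashing the registry URL gives a
      # suffix that is a safe file name whatever characters the URL has.
      # sha1 is only a naming scheme here, not a security boundary.
      genWrapperId = name: builtins.hashString "sha1" name;
      genWrapperName = name:
        "docker-credential-" + (genWrapperId name);

      # One executable per registry, with the user's command as its body.
      # NOTE(review): Docker's helper protocol passes a subcommand
      # (`get`/`store`/`erase`) as `$1` and the registry URL on stdin; the
      # command string is the whole script body, so a plain `pass show ...`
      # as in the example runs identically for every subcommand — confirm
      # that is the intended behaviour for the helpers you configure.
      wrappers = lib.mapAttrsToList
        (registry: wrapper:
          pkgs.writeShellScriptBin (genWrapperName registry) wrapper
        )
        cfg.credHelpersWrap;

      # Generated credHelpers entries win over any the user set under
      # `settings.credHelpers` for the same registry; other user keys in
      # `settings` are preserved by the recursive merge.
      finalSettings = lib.recursiveUpdate cfg.settings {
        credHelpers = lib.mapAttrs
          (registry: _: genWrapperId registry)
          cfg.credHelpersWrap;
      };

    in
    lib.mkIf cfg.enable
      {
        home.packages = [ cfg.package ] ++ wrappers;
        home.file.".docker/config.json".source =
          jsonFormat.generate "config.json" finalSettings;
      };
}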