From 9beffb46b6f341c4750215cff61613585daaf7cc Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 2 May 2026 12:50:36 -0400
Subject: [PATCH] Set up containerd use harbor.fizz.buzz.

---
 .../keys/package/deploy-script/package.nix | 21 ++++++++++--
 nix/kubernetes/roles/containerd/default.nix | 34 +++++++++++++------
 2 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/nix/kubernetes/keys/package/deploy-script/package.nix b/nix/kubernetes/keys/package/deploy-script/package.nix
index f3d84ce2..c18242ee 100644
--- a/nix/kubernetes/keys/package/deploy-script/package.nix
+++ b/nix/kubernetes/keys/package/deploy-script/package.nix
@@ -119,8 +119,6 @@ let
 ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
 ${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
 ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
-
-
 ''
 + (lib.concatMapStringsSep "\n" deploy_file [
 {
@@ -248,7 +246,8 @@ let
 ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
 ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
-
+${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/docker.io
+${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz
 ''
 + (lib.concatMapStringsSep "\n" deploy_file [
 {
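Review bot: The two new `install -d` lines for `certs.d/docker.io` and `certs.d/harbor.fizz.buzz` create the intermediate `persist/containerd` and `persist/containerd/certs.d` directories implicitly, and on GNU install those parents get umask-default ownership and mode instead of the explicit `-o 0 -g 0 -m` this script applies everywhere else (compare the explicit `persist/keys` line that precedes `persist/keys/kube`). I'd add `${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/containerd/certs.d` before them so the whole tree's attributes are deterministic rather than dependent on the remote shell's umask. The 0700 on the per-host directories is fine as long as containerd reads them as root inside the guest, which the `config_path = "/.persist/containerd/certs.d"` in the companion change presumably relies on through the VM's persist mount — worth confirming that host-path-to-guest-path mapping. The deploy script string this hunk edits starts before the hunk.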
@@ -291,6 +290,22 @@ let
 group = 10024;
 mode = "0600";
 }
+{
+dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/docker.io";
+file = "${./files/containerd/docker.io/hosts.toml}";
+name = "hosts.toml";
+owner = 0;
+group = 0;
+mode = "0600";
+}
+{
+dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz";
+file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}";
+name = "hosts.toml";
+owner = 0;
+group = 0;
+mode = "0600";
+}
 ])
 )
 );
diff --git a/nix/kubernetes/roles/containerd/default.nix b/nix/kubernetes/roles/containerd/default.nix
index f7b48ec0..a45a9141 100644
--- a/nix/kubernetes/roles/containerd/default.nix
+++ b/nix/kubernetes/roles/containerd/default.nix
@@ -1,3 +1,4 @@
+# TODO: Set up a proxy to harbor for OCI compliance: https://github.com/moby/moby/pull/34319#issuecomment-720606627
 {
 config,
 lib,
@@ -29,30 +30,43 @@ in
 config = lib.mkIf config.me.containerd.enable {
 virtualisation.containerd.enable = true;
 
-virtualisation.containerd.settings = {
+virtualisation.containerd.settings = lib.mkForce {
 "plugins" = {
-"io.containerd.grpc.v1.cri" = {
+"io.containerd.cri.v1.images" = {
+"registry" = {
+"config_path" = "/.persist/containerd/certs.d";
+};
+"snapshotter" = "overlayfs";
+};
+"io.containerd.cri.v1.runtime" = {
 "cni" = {
-"bin_dir" = "/opt/cni/bin";
+"bin_dirs" = [
+"/opt/cni/bin"
+];
 "conf_dir" = "/etc/cni/net.d";
-# "bin_dir" = "${my-cni-plugins}/bin";
-# "conf_dir" = "${my-cni-configs}";
 };
 "containerd" = {
 "default_runtime_name" = "runc";
 "runtimes" = {
 "runc" = {
-"options" = {
-"SystemdCgroup" = true;
-};
 "runtime_type" = "io.containerd.runc.v2";
 };
 };
-"snapshotter" = "overlayfs";
+};
+};
+"io.containerd.cri.v1.services" = {
+"containerd" = {
+"runtimes" = {
+"runc" = {
+"options" = {
+"SystemdCgroup" = true;
+};
+};
+};
 };
 };
 };
-"version" = 2;
+"version" = 3;
 };
 
 systemd.services.containerd.preStart = ''
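Review bot: The two `hosts.toml` files referenced through `${./files/containerd/docker.io/hosts.toml}` and `${./files/containerd/harbor.fizz.buzz/hosts.toml}` are not part of this patch (the diffstat lists only two files), so unless they are already tracked the path interpolation fails at evaluation time, and either way the reviewer cannot see what they set. Those files are what decide whether pulls through the mirror are verified — `server`, `capabilities`, `ca`, `skip_verify` — so they should be reviewed together with these deploy entries; a `skip_verify = true` or a plain `http://` host for harbor.fizz.buzz would silently downgrade every docker.io pull on the node. Owner 0 / mode 0600 matches the surrounding key entries and is fine for root-run containerd. The enclosing `deploy_file` list starts before this hunk.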
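Review bot: The `SystemdCgroup = true` runc option was moved under a `"io.containerd.cri.v1.services"` plugin table, which I do not find in the containerd 2.x config reference; a plugin table containerd does not recognize is not applied, so runc would fall back to the cgroupfs driver while the rest of this systemd host (and a kubelet configured with `cgroupDriver: systemd`) expects systemd, which gives two cgroup managers and unenforced or broken pod resource limits. In config version 3 the option belongs to the runtime plugin: inside `"runc" = {` under `"io.containerd.cri.v1.runtime".containerd.runtimes`, next to `"runtime_type"`, add `"options" = {`, `"SystemdCgroup" = true;`, `};` and drop the `io.containerd.cri.v1.services` block. Separately, `lib.mkForce` discards whatever the NixOS containerd module or any other module contributes to `virtualisation.containerd.settings`; if the intent is only to override the module's `version`, forcing that one key, or a comment explaining why the entire attrset must be replaced, would keep that drop visible to the next reader. The `config = lib.mkIf` attrset continues past the end of this hunk.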