Merge pull request #17 from 99linesofcode/declaratively-install-docker-plugins

feat(docker): install and remote docker plugins declaratively

Author: 99linesofcode

hosts/luna/default.nix

@@ -61,8 +61,8 @@ in
     k3s.enable = true;
     nvidia.enable = true;
     power-management.enable = true;
+    rclone.enable = true;
     sound.enable = true;
-
     openssh.enable = true;
     qmk.enable = true;
     steam.enable = true;

hosts/mars/default.nix

@@ -38,7 +38,7 @@ in
       rootless.enable = false;
     };
     k3s.enable = true;
-
     openssh.enable = true;
+    rclone.enable = true;
   };
 }

hosts/shared/secrets/rclone.conf

@@ -0,0 +1,23 @@
+{
+	"data": "ENC[AES256_GCM,data:je5a4n4qKJWcAVNJ6OkfX2DABeUXPzOrhbhErib17crMOS4xk3FFRef5+laz6Jbggj8nmhOEE+lnnp5JoDQejlzxIgtdmYFu9i347NK3cWnbNDUAA8Tw8tYlYyN6tttYpLkx5bPEIHo3NNE0WoDj61cn61IUuo568qFX5GwV/0wX4VAHXWZDGIG4uk4iGjWvv/kxOYEcIE4pnHJzZ7jpLqWxC35qwmkZgBkoavpSEQ+6Pe8ZWeiKIPzWd63ZoNFvSFv1b2Wa1ikKYIrfc/NzB2Mi8XeZD/pK3Y1NsxWdxo+kBIhx3Y8DrtW1pQdZW5P25vbDykCQKQOA+8V6rg9EYDFxl/JlztxPCj/Un5D65ymhjJSyau6/4TN/Z+lGf5eT8GRjaIdqhYrk2ap0WhBRt03s7fDe2SkCw3pqazhCRrkTvrc1Mo0An3fH2Eduf6rR9bIw6IKBXMk+w1pMeBIXGyJLKZ4Uwqb7Mj1++rGC11PvZiHrT4bijZ6UCY0G4CegzidIlX/EPZat7kMW93cYKjIl6A6EOWdlyP9mRr/j7b72YDndd8BZrJNJUQF5uqEqDN/i8LhUUB7Ekv/B8RKq0e4pGWglC5MQumjo3yYJB4zJ1Nsgh7GH2W4o1FhziDhlHjLT6pMx6MvnbNYLn3MZ6NhCeqsDiZ9EKg20bUYoJo2Q4l/x3WSHDQXgM92jkE5RpVaxZ4IuLCmLVVdwlVHsuwAgZRHaF6+0WpC5xHSiXCjzqY9KVhmliO/ZHmM3UKVoNto62W67YtUVofypOzBsIJCPWPH+xVpas6zAt//xq01A+WcKaS3YTB8d1tANC00aDIgiOFdZUUueiizFlOjt3hbxqgvKAZlqadqocePjtlqc0Mw95bAikmjeoC74HYdIVYWGTOmtXUsSxbRP/BhRIuKNeZTVHSDeYTP8ze9KHhaa3IDKIhaObee+k5GOfmF5HOScHqEWBSGZH6QA6+Wfkz06Sgz54MYs3X5gYiw+uSjJhCKNrdeGBvlh2pGi/m9LAYeZAtJW1kmrCG7PHEDRiJFKX7P5CLIaHzUpmpUBYDWHS0/LG94ZdGP617H6C4Kx4oamQa52xKNh8f51WeZXm9D8JCD15POJ6IFynyDoEGtO+AMXH+jsBs6x5vdRDjbxvr6mFNkPbhIpifdeNQiKa0YHUbkIzJFO17b+aDbKABtkQ8jp1qoNBtNlJt4jjUq85sGGnHkPEOv5CYi5x1Ig+ipI/bq8Kl/W5KyAZZIFYrNQ1PFZsposns0o6X/zR2DayROJ+ckatE93EbK44HllzyvuEJ7KqpoKvv8=,iv:SMqZAY/ntaTn2O1j/CGBhxrxw2BOzASeybaVq3EnEIA=,tag:TL0w7C5BgNhce76Zs9cwqg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1hy523tlslqas8qgs0lxgxanp9gx06fjekn608w4qf66mxkjzmucqh0g6vg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MGM2dnMwNGlSQ1JhYys2\nSGUwRis4YzVDZVdlWllVajhrV3puR2x6VnhzCitXU2N0cWJISEdqeFlRUVltdEw2\nT2s1eUpBT1A2VXowYWhhMXJoV2RKUVUKLS0tIHlJWm5QUktpU0dFWlJpZnNsY3FR\na3B2ZVBYeXZtenhHVFNhb2ZWTFprNEEKTiMVhH4bRAp7+qy4MhZTZirW8Iusi7/w\nMirjR7WtHYI1fHtg09ZBRqxAbclxFah1f3Lpe5PzvZ09Aa3pMyuzEA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age10a049meemjvgdgukx6zu5lwu82mqul83l7fyd66tzy9sm8637s7q07ujez",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNUV4VE03dHNZeEh3SU5t\nbjJDdUxSMHN4OWpIbitHZk9wQ1k1b3dBOGprCkdNbThOM0xPS04wNENtVEY2MmZM\nY0NsM2FKK2ZyZm5xMTI4Q3FsZ0Vkd0UKLS0tIC8vY3I5VmoxbmM2a0xrVFI5am9G\naHJVVnJqTytLTFpoQ3h0WXN2ZFVIaGsKV14Jcw9BNzqqPDWLetPBFKMdJgKKzuAG\nY6m2UYcYZwNUW+PEldrJw9EKz+LmsVRccB+k7SrenlMpazdKhjS2Ag==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1epkfxmjk0tlne8rmxqq77u06q3lnf5xfjcrwq42nuasswefndyfscw84cy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4c0hkN0VTSGdkdjJyaUZ6\nSUE4K0YwNnpOaDg0MnUzVFNWK01jY1FQUWtVCnBvTEZYVW5Oc3lZWW5FREI1QXgy\nZ3d4Ny9IdWN0cU5HOEZNWEJEWml2SncKLS0tIGd3THh0TXZHbU03T2YrNUdGbjdN\nNlB2L0R1dFNOdzZyY2FxaVVPMlJjNkkKgCSaMuigobeNLC19vzGT/loYkHIHPCke\nFzAIKJpyi3LVCYFxKAxH3H6yHnrZE0Tl00lO+h3yo8pyJUqEhVSNEA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-12T10:44:19Z",
+		"mac": "ENC[AES256_GCM,data:4HjJJw4j3RZua+l3hahhtZOXUNlur6aSaRHMIlbinDEzWrpQiBE0luWOPy0P2BFFmViUD6EGU69RVkZlB/8abbzNoXuSfB7DVL2vjCC194Jamdq0SvkheSOlmyeOUDYTmTK+XBSfj9aviW0deMuQtTTgdRFgqUcjWlohDE4xYaU=,iv:kN7dMlPgN8EQXe1MG3QYKbrZY5Pv8NA7uWVgVqSV79Q=,tag:qxKH9yPhvQLV/2mqsfjDUg==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}

modules/docker.nix

@@ -12,6 +12,21 @@ with lib;
 {
   options.host.docker = with types; {
     enable = mkEnableOption "docker";
+    plugins = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [
+        "rclone/docker-volume-rclone:amd64"
+      ];
+      example = [
+        "rclone/docker-volume-rclone:latest"
+        "vieux/sshfs:latest"
+      ];
+      description = ''
+        A list of Docker plugins to install automatically after Docker starts.
+        Each item should be a valid plugin name or plugin reference usable with
+        `docker plugin install`.
+      '';
+    };
     rootless.enable = mkEnableOption "rootless mode";
   };
 
@@ -45,6 +60,40 @@ with lib;
       };
     };
 
+    systemd.services = {
+      install-docker-plugins = {
+        description = "Install Docker plugins";
+        documentation = [ "man:rclone(1)" ];
+        wants = [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = false;
+          ExecStart =
+            pkgs.writeShellScript "install-docker-plugins" # bash
+              ''
+                #!/usr/bin/env sh
+
+                docker="${pkgs.docker}/bin/docker"
+
+                installedPlugins="$($docker plugin list --format '{{ .Name }}')"
+                requiredPlugins="${builtins.concatStringsSep "\n" cfg.plugins}"
+
+                printf '%s\n' "$installedPlugins" | grep -F -x -v "$requiredPlugins" | while IFS= read -r plugin; do
+                  "$docker" plugin disable "$plugin"
+                  "$docker" plugin rm "$plugin"
+                  printf '%s\n' "Uninstalled $plugin"
+                done >/dev/null
+
+                printf '%s\n' "$requiredPlugins" | grep -F -x -v "$installedPlugins" | while IFS= read -r plugin; do
+                  "$docker" plugin install --grant-all-permissions "$plugin"
+                  printf '%s\n' "Installed $plugin"
+                done >/dev/null
+              '';
+        };
+      };
+    };
+
     security.wrappers = mkIf config.host.docker.rootless.enable {
       docker-rootlesskit = {
         owner = "root";
@@ -53,5 +102,6 @@ with lib;
         source = "${pkgs.rootlesskit}/bin/rootlesskit";
       };
     };
+
   };
 }

modules/rclone.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.host.rclone;
+  dockerHasRclonePlugin = builtins.any (
+    p: builtins.match ".*rclone.*" p != null
+  ) config.host.docker.plugins;
+in
+with lib;
+{
+  options = {
+    host.rclone.enable = mkEnableOption "rclone";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      fuse
+      rclone
+    ];
+
+    # TODO: encrypt to disk using rclone config encryption?
+    sops.secrets = mkIf (config.host.docker.enable && dockerHasRclonePlugin) {
+      "docker-rclone/rclone.conf" = {
+        format = "binary";
+        sopsFile = ../hosts/shared/secrets/rclone.conf;
+        path = "/var/lib/docker-plugins/rclone/config/rclone.conf";
+      };
+    };
+
+    systemd.tmpfiles.rules =
+      mkIf (config.host.docker.enable && config.host.docker.rootless.enable && dockerHasRclonePlugin)
+        [
+          "d /var/lib/docker-plugins/rclone/config 0755 root root -"
+          "d /var/lib/docker-plugins/rclone/cache  0755 root root -"
+        ];
+  };
+}