Docker-compose on nixos

infiniter · February 4, 2022, 11:54am

Hello,
I am new to nixos and so far I use it as a home daily driver. But I was thinking about taking nixos to work, but my issue is that we use docker-compose on every project I work on.

I read about arion and also how to create docker containers separately. I just dont see a way how to simply run all the “company written docker-compose” files under nix. I simply need that docker-compose binary.

So basically my question is, even if I understand that docker-compose can be replaced by “nix way of doing things” but what if I still wanna use docker-compose on nixos machine? Is it possible? Or do I have to rewrite all of those in nix syntax?

ius · February 4, 2022, 12:28pm

There’s no need to use declarative containers, docker (and compose) should work like on any other distro:

# Pick one
virtualisation.docker.enable = true;
virtualisation.podman.enable = true;

environment.systemPackages = with pkgs; [
  docker-compose  
  ...
];

users.users.<myuser>.extraGroups = [ "docker" ];

infiniter · February 4, 2022, 12:35pm

wow …i m not sure what happened, I would swear that package wasnt found on my package search results yesterday. Thanks for quick response! Nixos is little overwhelming, 3rd day on it

TLATER · February 4, 2022, 6:58pm

Worth pointing out that adding that group to your user is equivalent to giving it permanent root permissions.

Commonly done, for sure, and some applications that depend on docker give you no choice, but bad practice nonetheless - it’s worth using sudo to invoke docker instead when possible.

Clete2 · February 3, 2024, 1:54pm

If you’ve connected via SSH key authentication, which is preferred, and you’ve given the user wheel, you’ve probably also set passwordless sudo up (because your user doesn’t even have a password). I think in that setting giving docker access is no worse.

I presume the most secure setup would be to use SSH key authentication to get into the system, then have a password-prompted sudo be required for escalation.

TLATER · February 3, 2024, 2:06pm

You can alternatively use security.pam.enableSSHAgentAuth to get proper authentication for sudo via SSH.

Clete2 · February 3, 2024, 2:17pm

Oh I like that a lot. Thank you!

Clete2 · February 3, 2024, 2:32pm

@TLATER can you assist with setting that up?

Here is my config:

  services.openssh.settings.PermitRootLogin = lib.mkForce "no";
  services.openssh.enable = true;
  security.pam.enableSSHAgentAuth = true;
  security.pam.services.sudo.sshAgentAuth = true;
  security.sudo.enable = true;

  users.users.clete2 = {
    isNormalUser = true;
    description = "Clete Blackwell II";
    extraGroups = [ "wheel" "docker" ];
    packages = with pkgs; [];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = ["ssh-ed25519 mypublickey myhostname id_ed25519"];
  };

  users.users.root = {
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = ["ssh-ed25519 mypublickey myhostname id_ed25519"]; # I thought this may help? I originally did not have this
  };

sudo is still prompting for a password

TLATER · February 3, 2024, 3:43pm

You likely still need to add ForwardAgent to your client config, e.g. in ~/.ssh/config:

Host <hostname>
  ForwardAgent yes
  User clete2

No need to add your user’s public key to root’s authorized keys.

I wouldn’t recommend doing that for untrusted hosts, as it will allow the remote to sign with your ssh key (though not copy it, so only while you’re logged in). You probably want host-specific keys, realistically.