I found a workaround months ago.
As a reminder, I wanted to:
- start podman container at boot.
- rootless container so run by simple user and NOT root
- allow the user to start/stop… the container
In the configuration.nix
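# create my user
# NOTE: the attribute name must be the same account name the rest of the
# configuration refers to ("pgadmin" in the linger file and in ConditionUser
# below). The original spelled it "pgmadin", so the account the service
# checks for was never created.
users.users."pgadmin" = {
  isNormalUser = true;
  uid = 1003;
};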
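# In order for our user to run containers automatically on boot,
# we need to enable systemd linger support.
# This will ensure that a user manager is run for the user at boot and kept around after logouts.
# Newer NixOS releases expose this as `users.users.<name>.linger = true;`,
# which avoids editing /var/lib/systemd/linger by hand (check your release).
system.activationScripts = {
  enableLingering = ''
    # remove all existing lingering users -- note this also disables lingering
    # for every other account on the host on each rebuild.
    # -f / -p: do not fail on a fresh system where the directory does not exist yet
    rm -rf /var/lib/systemd/linger
    mkdir -p /var/lib/systemd/linger
    # enable for the subset of declared users
    touch /var/lib/systemd/linger/pgadmin
  '';
};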
## setup podman (the rootless engine; dockerCompat adds a `docker` alias)
virtualisation.podman = {
  enable = true;
  dockerCompat = true;
  defaultNetwork.settings.dns_enable = true;
};
## declare containers: podman is the default engine for oci-containers
virtualisation.oci-containers.backend = "podman";
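## pgadmin container
## Runs as a *user* service: ConditionUser restricts it to the pgadmin
## account's systemd manager, so only that user (via `systemctl --user`)
## controls it, and the container itself stays rootless.
systemd.user.services.pgadmin = {
  enable = true;
  unitConfig = { ConditionUser = "pgadmin"; };
  wantedBy = [ "default.target" ];
  after = [ "network.target" ];
  description = "pgadmin container";
  path = [ "/run/wrappers" ];
  serviceConfig =
    let
      podmancli = "${config.virtualisation.podman.package}/bin/podman";
      podname = "pgadmin";
      image = "dpage/pgadmin4:6.19";
      # %t = runtime directory of the user manager, %n = full unit name
      cid = "%t/podman/%n.cid";
      pid = "%t/podman/%n.pid";
      # clean up a previous instance before starting; the leading "-" lets the
      # stop fail without aborting the unit when nothing is running yet
      startpre = [
        "${pkgs.coreutils-full}/bin/rm -f ${cid} ${pid}"
        "-${podmancli} stop --ignore ${podname}"
        "${podmancli} rm --force --ignore ${podname}"
      ];
      stoppost = [
        "${podmancli} stop --ignore ${podname}"
        "${podmancli} rm --force --ignore ${podname}"
        "${pkgs.coreutils-full}/bin/rm -f ${cid} ${pid}"
      ];
    in
    {
      ExecStartPre = startpre;
      # Type=notify + --sdnotify=conmon + -d: conmon reports readiness and is
      # the process systemd tracks, while podman itself detaches.
      ExecStart = "${podmancli} run " +
        "--rm " +
        "--replace " +
        # was passed twice in the original; once is enough
        "--name=${podname} " +
        "--conmon-pidfile=${pid} " +
        "--cidfile=${cid} " +
        "--cgroups=no-conmon " +
        "--sdnotify=conmon " +
        "--log-driver=journald " +
        # bound to loopback only, so the UI is not reachable from other hosts
        "-p 127.0.0.1:5050:80 " +
        "-v pgadmin_data:/var/lib/pgadmin " +
        # SECURITY: these literals become part of the generated unit file, which
        # lands in the world-readable /nix/store and is shown by
        # `systemctl --user cat pgadmin`. Prefer serviceConfig.EnvironmentFile
        # pointing at a file outside the store with restrictive permissions, and
        # pass a bare "-e PGADMIN_DEFAULT_PASSWORD" so podman takes the value
        # from the service environment instead of the command line. The
        # placeholder password should also be changed before use.
        "-e PGADMIN_DEFAULT_EMAIL='admin@localhost.fr' " +
        "-e PGADMIN_DEFAULT_PASSWORD='pgadmin' " +
        "-d " +
        "${image}";
      ExecStop = "${podmancli} stop ${podname}";
      ExecStopPost = stoppost;
      Type = "notify";
      # required so conmon (a child, not the main PID) may send sd_notify messages
      NotifyAccess = "all";
      Restart = "no";
      TimeoutStopSec = 70;
    };
};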
Then, in a shell session logged in as the pgadmin user:
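# start user service
systemctl --user start pgadmin
# check status
systemctl --user status pgadmin
# it works so start at boot
# (fixed typo "systemclt" from the original, which fails with "command not found")
systemctl --user enable pgadmin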
This way only my user pgadmin can control the service and my podman container is rootless.