nixos/containers: new registries.settings option, deprecate others

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -24,6 +24,12 @@
 
 - `buildGoPackage` has been removed. Use `buildGoModule` instead. See the [Go section in the nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#sec-language-go) for details.
 
+- `virtualisation.registries.block` / `insecure` / `search` were deprecated,
+  because they mapped to the deprecated V1 `registries.conf` format.
+  Please examine the new option {option}`virtualisation.registries.settings`
+  and [containers-registries.conf(5)](https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md)
+  to migrate to the new configuration format.
+
 - `timescaledb` requires manual upgrade steps.
     After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
     PostgreSQL 13 is no longer supported in TimescaleDB v2.16.

nixos/modules/virtualisation/containers.nix

@@ -1,9 +1,23 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   cfg = config.virtualisation.containers;
 
   inherit (lib) literalExpression mkOption types;
 
+  oldRegistriesOptionsUsed = lib.any (x: x != [ ]) (
+    with cfg.registries;
+    [
+      search
+      insecure
+      block
+    ]
+  );
+
   toml = pkgs.formats.toml { };
 in
 {
@@ -13,14 +27,13 @@ in
 
   options.virtualisation.containers = {
 
-    enable =
-      mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          This option enables the common /etc/containers configuration module.
-        '';
-      };
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        This option enables the common /etc/containers configuration module.
+      '';
+    };
 
     ociSeccompBpfHook.enable = mkOption {
       type = types.bool;
@@ -57,27 +70,54 @@ in
     };
 
     registries = {
+      # TODO: remove those options in 25.11
       search = mkOption {
+        visible = false;
         type = types.listOf types.str;
-        default = [ "docker.io" "quay.io" ];
+        default = [ ];
         description = ''
           List of repositories to search.
+
+          Deprecated, examine {option}`virtualisation.registries.settings` instead.
         '';
       };
 
       insecure = mkOption {
         default = [ ];
+        visible = false;
         type = types.listOf types.str;
         description = ''
           List of insecure repositories.
+
+          Deprecated, examine {option}`virtualisation.registries.settings` instead.
         '';
       };
 
       block = mkOption {
         default = [ ];
+        visible = false;
         type = types.listOf types.str;
         description = ''
           List of blocked repositories.
+
+          Deprecated, examine {option}`virtualisation.registries.settings` instead.
+        '';
+      };
+
+      settings = mkOption {
+        type = toml.type;
+        default = {
+          registry = [
+            { location = "docker.io"; }
+            { location = "quay.io"; }
+          ];
+        };
+        description = ''
+          repositories.conf configuration.
+
+          Examine [containers-registries.conf(5)] for more information about the format.
+
+            [containers-registries.conf(5)]: https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md
         '';
       };
     };
@@ -105,16 +145,27 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    warnings = lib.optional oldRegistriesOptionsUsed "the options virtualisation.registries.search / insecure / block are deprecated. See virtualisation.registries.settings instead.";
+
+    virtualisation.containers.registries.settings = lib.mkIf oldRegistriesOptionsUsed {
+      registries = {
+        block.registries = cfg.registries.block;
+        insecure.registries = cfg.registries.insecure;
+        search.registries = cfg.registries.search;
+      };
+    };
 
     virtualisation.containers.containersConf.cniPlugins = [ pkgs.cni-plugins ];
 
     virtualisation.containers.containersConf.settings = {
       network.cni_plugin_dirs = map (p: "${lib.getBin p}/bin") cfg.containersConf.cniPlugins;
-      engine = {
-        init_path = "${pkgs.catatonit}/bin/catatonit";
-      } // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
-        hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
-      };
+      engine =
+        {
+          init_path = "${pkgs.catatonit}/bin/catatonit";
+        }
+        // lib.optionalAttrs cfg.ociSeccompBpfHook.enable {
+          hooks_dir = [ config.boot.kernelPackages.oci-seccomp-bpf-hook ];
+        };
     };
 
     virtualisation.containers.storage.settings.storage = {
@@ -124,19 +175,17 @@ in
     };
 
     environment.etc = {
-      "containers/containers.conf".source =
-        toml.generate "containers.conf" cfg.containersConf.settings;
+      "containers/containers.conf".source = toml.generate "containers.conf" cfg.containersConf.settings;
 
-      "containers/storage.conf".source =
-        toml.generate "storage.conf" cfg.storage.settings;
+      "containers/storage.conf".source = toml.generate "storage.conf" cfg.storage.settings;
 
-      "containers/registries.conf".source = toml.generate "registries.conf" {
-        registries = lib.mapAttrs (n: v: { registries = v; }) cfg.registries;
-      };
+      "containers/registries.conf".source = toml.generate "registries.conf" cfg.registries.settings;
 
       "containers/policy.json".source =
-        if cfg.policy != { } then pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
-        else "${pkgs.skopeo.policy}/default-policy.json";
+        if cfg.policy != { } then
+          pkgs.writeText "policy.json" (builtins.toJSON cfg.policy)
+        else
+          "${pkgs.skopeo.policy}/default-policy.json";
     };
 
   };