Allow configuring of kata containers

simonswine · simonswine · commit 92b8b8e4a280 · 2025-11-30T22:10:08.000Z
diff --git a/modules/containerd-kubelet.nix b/modules/containerd-kubelet.nix
@@ -7,9 +7,22 @@ in
 {
   options.virtualisation.containerd-kubelet = {
     enable = mkEnableOption "containerd as kubelet container runtime";
+
+    kata = {
+      enable = mkEnableOption "enable kata container runtime";
+
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.kata-runtime;
+        defaultText = lib.literalExpression "pkgs.kata-runtime";
+        description = "Configured kata-runtime  package.";
+      };
+    };
   };
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.cri-tools ];
+    environment.systemPackages = [
+      pkgs.cri-tools
+    ] ++ lib.optional cfg.kata.enable cfg.kata.package;
     environment.etc."crictl.yaml".text = ''
       runtime-endpoint: unix:///run/containerd/containerd.sock
     '';
@@ -34,6 +47,10 @@ in
                     SystemdCgroup = true;
                   };
                 };
+              } // lib.optionalAttrs cfg.kata.enable {
+                kata = {
+                  runtime_type = "io.containerd.kata.v2";
+                };
               };
             };
             cni.bin_dir = "/opt/cni/bin";
@@ -55,7 +72,10 @@ in
     ## TODO: environment.etc."cni/net.d/99-loopback.conf".source = copyFile "${pkgs.containerd-unwrapped.src}/contrib/cni/99-loopback.conf";
 
     systemd.services.containerd = {
-      path = [ pkgs.zfs pkgs.iptables-nftables-compat ];
+      path = [
+        pkgs.zfs
+        pkgs.iptables-nftables-compat
+      ] ++ lib.optional cfg.kata.enable cfg.kata.package;
       serviceConfig = {
         # This limit was reduce from infinty to 1024:524288 as part of nixos 24.11. Raising that limit slightly.
         LimitNOFILE = "32768:524288";
