switch to podman

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -49,7 +49,7 @@ in
       name = config.networking.fqdn;
       url = "https://git.fediversity.eu";
       tokenFile = config.age.secrets.forgejo-runner-token.path;
-      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## This runner supports podman (with a default Ubuntu image) and native
       ## modes. In native mode, it contains a few default packages.
       labels = [
         "nix:docker://gitea-runner-nix"
@@ -97,9 +97,7 @@ in
     groups.nixuser = { };
   };
   virtualisation = {
-    ## For the Docker mode of the runner.
-    ## Podman seemed to error on: `requested access to the resource is denied`.
-    docker.enable = true;
+    podman.enable = true;
     containers.containersConf.settings = {
       # podman (at least) seems to not work with systemd-resolved
       containers.dns_servers = [
@@ -112,10 +110,10 @@ in
     {
       gitea-runner-nix-image = {
         wantedBy = [ "multi-user.target" ];
-        after = [ "docker.service" ];
-        requires = [ "docker.service" ];
+        after = [ "podman.service" ];
+        requires = [ "podman.service" ];
         path = [
-          pkgs.docker
+          config.virtualisation.podman.package
           pkgs.gnutar
           pkgs.shadow
           pkgs.getent
@@ -154,7 +152,7 @@ in
 
           # list the content as it will be imported into the container
           tar -cv . | tar -tvf -
-          tar -cv . | docker import - gitea-runner-nix
+          tar -cv . | podman import - gitea-runner-nix
         '';
         serviceConfig = {
           RuntimeDirectory = "gitea-runner-nix-image";
@@ -215,7 +213,7 @@ in
             "~setdomainname"
             "~sethostname"
           ];
-          SupplementaryGroups = [ "docker" ];
+          SupplementaryGroups = [ "podman" ];
           RestrictAddressFamilies = [
             "AF_INET"
             "AF_INET6"