add support for runtime and security_opt

README.md

@@ -106,6 +106,20 @@ Note: if the Compose service has a `container_name` set, then the systemd servic
 sudo systemctl restart podman-myproject-myservice.service
 ```
 
+#### Update a Container
+
+1. Pull the latest image:
+
+```
+podman pull image
+```
+
+2. Restart the service:
+
+```
+sudo systemctl restart podman-myproject-myservice.service
+```
+
 #### `docker compose down`
 
 By default, this will only remove networks.
@@ -190,6 +204,8 @@ If a feature is missing, please feel free to [create an issue](https://github.co
 | [`extra_hosts`](https://docs.docker.com/compose/compose-file/05-services/#extra_hosts) | ✅ |
 | [`sysctls`](https://docs.docker.com/compose/compose-file/05-services/#sysctls) | ✅ |
 | [`shm_size`](https://docs.docker.com/compose/compose-file/05-services/#shm_size) | ✅ |
+| [`runtime`](https://docs.docker.com/compose/compose-file/05-services/#runtime) | ✅ |
+| [`security_opt`](https://docs.docker.com/compose/compose-file/05-services/#security_opt) | ✅ |
 
 #### [`networks`](https://docs.docker.com/compose/compose-file/06-networks/)
 

compose.go

@@ -358,6 +358,12 @@ func (g *Generator) buildNixContainer(service types.ServiceConfig) (*NixContaine
 	for _, device := range service.Devices {
 		c.ExtraOptions = append(c.ExtraOptions, "--device="+device)
 	}
+	if service.Runtime != "" {
+		c.ExtraOptions = append(c.ExtraOptions, "--runtime="+service.Runtime)
+	}
+	for _, opt := range service.SecurityOpt {
+		c.ExtraOptions = append(c.ExtraOptions, "--security-opt="+opt)
+	}
 
 	// https://docs.docker.com/compose/compose-file/05-services/#extra_hosts
 	// https://docs.docker.com/engine/reference/commandline/run/#add-host

testdata/TestDocker_EnvFilesOnly_out.nix

@@ -237,6 +237,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."docker-traefik" = {

testdata/TestDocker_RemoveVolumes_out.nix

@@ -263,6 +263,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."docker-traefik" = {

testdata/TestDocker_SystemdMount_out.nix

@@ -271,6 +271,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."docker-traefik" = {

testdata/TestDocker_WithProject_out.nix

@@ -263,6 +263,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."docker-traefik" = {

testdata/TestDocker_out.nix

@@ -258,6 +258,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."docker-traefik" = {

testdata/TestPodman_WithProject_out.nix

@@ -251,6 +251,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."podman-traefik" = {

testdata/TestPodman_out.nix

@@ -246,6 +246,8 @@
       "--log-opt=max-file=3"
       "--log-opt=max-size=10m"
       "--network=container:sabnzbd"
+      "--runtime=nvidia"
+      "--security-opt=label=disable"
     ];
   };
   systemd.services."podman-traefik" = {

testdata/docker-compose.yml

@@ -171,6 +171,9 @@ services:
       - "compose2nix.systemd.service.Restart=none"
       - "compose2nix.systemd.unit.AllowIsolate=true"
     network_mode: "container:sabnzbd"
+    runtime: nvidia
+    security_opt:
+      - label=disable
     logging:
       driver: "json-file"
       options: