diff --git a/nixos/modules/virtualisation/podman-network-socket.nix b/nixos/modules/virtualisation/podman-network-socket.nix
new file mode 100644
index 000000000000..1429164630b3
--- /dev/null
+++ b/nixos/modules/virtualisation/podman-network-socket.nix
@@ -0,0 +1,91 @@
+{ config, lib, pkg, ... }:
+let
+ inherit (lib)
+ mkOption
+ types
+ ;
+
+ cfg = config.virtualisation.podman.networkSocket;
+
+in
+{
+ options.virtualisation.podman.networkSocket = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make the Podman and Docker compatibility API available over the network
+ with TLS client certificate authentication.
+
+ This allows Docker clients to connect with the equivalents of the Docker
+ CLI -H
and --tls*
family of options.
+
+ For certificate setup, see https://docs.docker.com/engine/security/protect-access/
+
+ This option is independent of .
+ '';
+ };
+
+ server = mkOption {
+ type = types.enum [];
+ description = ''
+ Choice of TLS proxy server.
+ '';
+ example = "ghostunnel";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open the port in the firewall.
+ '';
+ };
+
+ tls.cacert = mkOption {
+ type = types.path;
+ description = ''
+ Path to CA certificate to use for client authentication.
+ '';
+ };
+
+ tls.cert = mkOption {
+ type = types.path;
+ description = ''
+ Path to certificate describing the server.
+ '';
+ };
+
+ tls.key = mkOption {
+ type = types.path;
+ description = ''
+ Path to the private key corresponding to the server certificate.
+
+ Use a string for this setting. Otherwise it will be copied to the Nix
+ store first, where it is readable by any system process.
+ '';
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 2376;
+ description = ''
+ TCP port number for receiving TLS connections.
+ '';
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = ''
+ Interface address for receiving TLS connections.
+ '';
+ };
+ };
+
+ config = {
+ networking.firewall.allowedTCPPorts =
+ lib.optional (cfg.enable && cfg.openFirewall) cfg.port;
+ };
+
+ meta.maintainers = lib.teams.podman.members ++ [ lib.maintainers.roberth ];
+}
diff --git a/nixos/modules/virtualisation/podman.nix b/nixos/modules/virtualisation/podman.nix
index edf4bbe079a3..01ff84bc6293 100644
--- a/nixos/modules/virtualisation/podman.nix
+++ b/nixos/modules/virtualisation/podman.nix
@@ -25,6 +25,7 @@ let
in
{
imports = [
+ ./podman-network-socket.nix
(lib.mkRenamedOptionModule [ "virtualisation" "podman" "libpod" ] [ "virtualisation" "containers" "containersConf" ])
];