Podman improvements (#148)

* WIP. Paperless: Switching to auto userns * Remove paperless pod; Use userns * WIP. Grist userns * WIP. Better paperless userns * WIP. data-library userns * WIP. Immich userns * WIP. Home Automation userns * WIP. Authentik userns * WIP. Music history userns & refactoring * Update sonarr * Gluetun userns; Switch to Proton; Enable port-forwarding * Remove leftover pod * Fix maloja backups * Remove librechat * Move UID GID to containerLib
pedorich-n · Jan 11, 2025 · 171bae6 · 171bae6
1 parent f367893
commit 171bae6
Show file tree

Hide file tree

Showing 20 changed files with 351 additions and 354 deletions.
diff --git a/dev-extra-config.nix b/dev-extra-config.nix
@@ -1,19 +1,24 @@
 _: {
   perSystem = { pkgs, ... }: {
-    treefmt.config.settings.formatter = {
-      djlint = {
-        command = pkgs.djlint;
-        options = [
-          "--profile=jinja"
-          "--extension=j2"
-          "--indent=2"
-          "--preserve-leading-space"
-          "--preserve-blank-lines"
-          "--reformat"
-          "--warn"
-          "--quiet"
-        ];
-        includes = [ "*.j2" ];
+    treefmt.config = {
+      settings.formatter = {
+        djlint = {
+          command = pkgs.djlint;
+          options = [
+            "--profile=jinja"
+            "--extension=j2"
+            "--indent=2"
+            "--preserve-leading-space"
+            "--preserve-blank-lines"
+            "--reformat"
+            "--warn"
+            "--quiet"
+          ];
+          includes = [ "*.j2" ];
+        };
+      };
+      programs.shellcheck = {
+        enable = true;
       };
     };
   };

diff --git a/flake.lock b/flake.lock
diff --git a/machines/geekomA5/modules/lib/container.nix b/machines/geekomA5/modules/lib/container.nix
@@ -1,5 +1,5 @@
 { config, lib, ... }: {
-  _module.args.containerLib = {
+  _module.args.containerLib = rec {
     mkTraefikLabels =
       { name
       , domain ? "${name}.${config.custom.networking.domain}"
@@ -50,21 +50,38 @@
       };
     };
 
-    mkWithNetwork = name: cfg: cfg // {
-      containerConfig = cfg.containerConfig // {
-        networks = [ name ] ++ (cfg.containerConfig.networks or [ ]);
-      };
-
-      unitConfig = (cfg.unitConfig or { }) // {
-        Requires = [ "${name}-network.service" ] ++ (cfg.unitConfig.Requires or [ ]);
-        After = [ "${name}-network.service" ] ++ (cfg.unitConfig.After or [ ]);
-      };
-    };
-
     withAlpineHostsFix = cfg: cfg // {
       #NOTE - there's a bug with musl or C libs or something in alpine-based images with resolving .lan domains; 
       # dig & nslookup resolves the domain, but curl fails, and the call to OIDC discovery fails too. Providing hard-coded host seems to help.
       addHosts = (cfg.addHosts or [ ]) ++ [ "authentik.${config.custom.networking.domain}:192.168.10.15" ];
     };
+
+    # UID:GID to use with `--user` or `PUID`, `GUID` inside the container. Arbitrary values.
+    containerIds = rec {
+      uid = 1100;
+      gid = 1100;
+
+      PUID = builtins.toString uid;
+      PGID = builtins.toString gid;
+
+      user = "${builtins.toString uid}:${builtins.toString gid}";
+    };
+
+    # Creates a mapping like `"/home/user/test:/test:idmap=uids=@1000-0-1024;gids=@100-0-1024"`
+    mkIdmappedVolume =
+      { uidNamespace ? containerIds.uid
+      , uidHost
+      , uidCount ? 1
+      , uidRelative ? true
+      , gidNamespace ? containerIds.gid
+      , gidHost
+      , gidCount ? 1
+      , gidRelative ? true
+      }: host: container:
+      let
+        uids = ''${if uidRelative then "@" else ""}${toString uidHost}-${toString uidNamespace}-${toString uidCount}'';
+        gids = ''${if gidRelative then "@" else ""}${toString gidHost}-${toString gidNamespace}-${toString gidCount}'';
+      in
+      "${host}:${container}:idmap=uids=${uids};gids=${gids}";
   };
 }
diff --git a/machines/geekomA5/modules/system/secrets.nix b/machines/geekomA5/modules/system/secrets.nix
@@ -5,7 +5,7 @@ let
   mkMapping = path: override: override {
     file = path;
     name = lib.removeSuffix ".age" (getFilename path);
-    mode = "440";
+    mode = "444"; # FIXME: figure out how to pass secrets into containers with userns=auto
     owner = config.users.users.user.name;
     group = config.users.users.user.group;
   };

diff --git a/machines/geekomA5/modules/system/services/authentik/blueprints/sources/30-librechat.yaml.j2 b/machines/geekomA5/modules/system/services/authentik/blueprints/sources/30-librechat.yaml.j2
diff --git a/machines/geekomA5/modules/system/services/authentik/containers.nix b/machines/geekomA5/modules/system/services/authentik/containers.nix
@@ -1,8 +1,15 @@
 { config, containerLib, systemdLib, jinja2RendererLib, ... }:
 let
-  user = "${builtins.toString config.users.users.user.uid}:${builtins.toString config.users.groups.${config.users.users.user.group}.gid}";
+  storeRoot = "/mnt/store/server-management/authentik";
 
-  storeFor = localPath: remotePath: "/mnt/store/server-management/authentik/${localPath}:${remotePath}";
+  mappedVolumeForUser = localPath: remotePath:
+    containerLib.mkIdmappedVolume
+      {
+        uidHost = config.users.users.user.uid;
+        gidHost = config.users.groups.${config.users.users.user.group}.gid;
+      }
+      localPath
+      remotePath;
 
   defaultEnvs = {
     # https://docs.goauthentik.io/docs/installation/docker-compose#startup
@@ -18,45 +25,49 @@ let
 
   serverIp = "172.31.0.240";
 
-  pod = "authentik.pod";
   networks = [ "authentik-internal.network" ];
 in
 {
   virtualisation.quadlet = {
     networks = containerLib.mkDefaultNetwork "authentik";
 
-    pods.authentik = {
-      podConfig = { inherit networks; };
-    };
-
     containers = {
       authentik-postgresql = {
         useGlobalContainers = true;
+        usernsAuto.enable = true;
 
         containerConfig = {
           environments = defaultEnvs;
           environmentFiles = [ config.age.secrets.authentik.path ];
           volumes = [
-            (storeFor "postgresql" "/var/lib/postgresql/data")
+            (mappedVolumeForUser "${storeRoot}/postgresql" "/var/lib/postgresql/data")
           ];
-          inherit networks pod user;
+          inherit networks;
+          inherit (containerLib.containerIds) user;
         };
       };
 
       authentik-redis = {
         useGlobalContainers = true;
+        usernsAuto.enable = true;
 
         containerConfig = {
           exec = "--save 60 1 --loglevel warning";
           volumes = [
-            (storeFor "redis" "/data")
+            (mappedVolumeForUser "${storeRoot}/redis" "/data")
           ];
-          inherit networks pod user;
+          inherit networks;
+          inherit (containerLib.containerIds) user;
         };
       };
 
       authentik-worker = {
         useGlobalContainers = true;
+        usernsAuto = {
+          enable = true;
+          size = 65535;
+        };
+
         containerConfig = {
           exec = "worker";
           healthCmd = "ak healthcheck";
@@ -68,10 +79,11 @@ in
           environments = defaultEnvs;
           environmentFiles = [ config.age.secrets.authentik.path ];
           volumes = [
-            (storeFor "media" "/media")
+            (mappedVolumeForUser "${storeRoot}/media" "/media")
             "${blueprints}:/blueprints/custom"
           ];
-          inherit networks pod user;
+          inherit networks;
+          inherit (containerLib.containerIds) user;
         };
 
         unitConfig = systemdLib.requiresAfter
@@ -92,6 +104,11 @@ in
 
       authentik-ldap = {
         useGlobalContainers = true;
+        usernsAuto = {
+          enable = true;
+          size = 65535;
+        };
+
         containerConfig = {
           environments = defaultEnvs // {
             AUTHENTIK_HOST = "http://authentik.${config.custom.networking.domain}";
@@ -104,18 +121,24 @@ in
             "traefik.tcp.routers.authentik-ldap-outpost.entrypoints=ldap"
             "traefik.tcp.routers.authentik-ldap-outpost.service=authentik-ldap-outpost"
           ];
-          inherit networks pod user;
+          inherit networks;
+          inherit (containerLib.containerIds) user;
         };
       };
 
       authentik-server = {
         useGlobalContainers = true;
+        usernsAuto = {
+          enable = true;
+          size = 65535;
+        };
+
         containerConfig = {
           exec = "server";
           environments = defaultEnvs;
           environmentFiles = [ config.age.secrets.authentik.path ];
           volumes = [
-            (storeFor "media" "/media")
+            (mappedVolumeForUser "${storeRoot}/media" "/media")
           ];
           networks = networks ++ [
             "traefik.network:ip=${serverIp}"
@@ -140,7 +163,7 @@ in
             "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
             "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"
           ];
-          inherit pod user;
+          inherit (containerLib.containerIds) user;
         };
 
         unitConfig = systemdLib.requiresAfter