diff --git a/services/collabora-office.nix b/services/collabora-office.nix
index b2d5117..0147704 100644
--- a/services/collabora-office.nix
+++ b/services/collabora-office.nix
@@ -1,6 +1,9 @@
-_:
+{ config, ... }:
-{
+let
+inherit (config.users.users.collabora-office) uid;
+inherit (config.users.groups.collabora-office) gid;
+in {
 virtualisation.oci-containers.containers.collabora-office = {
 image = "docker.io/collabora/code";
 ports = [ "9980:9980" ];
@@ -15,6 +18,10 @@ _:
 extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
 };
 extraOptions = [
+"--uidmap=0:65534:1"
+"--gidmap=0:65534:1"
+"--uidmap=100:${toString uid}:1"
+"--gidmap=101:${toString gid}:1"
 "--network=host"
 "--cap-add=MKNOD"
 "--label=io.containers.autoupdate=registry"
@@ -32,4 +39,12 @@ _:
 '';
 };
 };
+
+users.users.collabora-office = {
+isSystemUser = true;
+group = "collabora-office";
+uid = 982;
+};
+
+users.groups.collabora-office = { gid = 982; };
 }
diff --git a/services/focalboard.nix b/services/focalboard.nix
index d161178..ec6393a 100644
--- a/services/focalboard.nix
+++ b/services/focalboard.nix
@@ -12,6 +12,9 @@ let
 dbName = "focalboard";
 dbPasswordFile = config.age.secrets.focalboard-db-password.path;
+inherit (config.users.users.focalboard) uid;
+inherit (config.users.groups.focalboard) gid;
+
 pgSuperUser = config.services.postgresql.superUser;
 in {
 age.secrets.focalboard-env.file = ../secrets/focalboard/.env.age;
@@ -58,8 +61,14 @@ in {
 };
 # only secrets need to be included, e.g. FOCALBOARD_DBCONFIG
 environmentFiles = [ config.age.secrets.focalboard-env.path ];
-extraOptions =
-[ "--network=host" "--label=io.containers.autoupdate=registry" ];
+extraOptions = [
+"--uidmap=0:65534:1"
+"--gidmap=0:65534:1"
+"--uidmap=65534:${toString uid}:1"
+"--gidmap=65534:${toString gid}:1"
+"--network=host"
+"--label=io.containers.autoupdate=registry"
+];
 };
 systemd.services."${ociBackend}-focalboard" = {
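Review bot: The container-side ids in `"--uidmap=100:${toString uid}:1"` and `"--gidmap=101:${toString gid}:1"` are whatever the current docker.io/collabora/code image uses for its service account, and the same list keeps `--label=io.containers.autoupdate=registry`, so a pulled image that changes those ids would either fail when its entrypoint switches to an unmapped id or run under an id that no longer maps to the host user owning the data, with no evaluation-time error; the second focalboard hunk hard-codes the in-image id 65534 the same way. Presumably 100/101 were read from the image's /etc/passwd and /etc/group, and that is worth recording next to the mapping, e.g. `# 100/101: uid/gid of the service account inside the current image -- re-check after an image update (autoupdate is enabled below)`. Because only container root and one service id are mapped, anything in the image owned by another id appears as the overflow id inside the container, so an entrypoint that chowns or switches to a third id would fail. The extraOptions list and the enclosing container definition continue outside the hunk.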
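Review bot: The ids are fixed by hand here (`uid = 982`, `gid = 982`) and in the focalboard (981/978) and immich (980/977) sections, and nothing in the diff says why they must be static; the reason is the uidmap in extraOptions and the host-side ownership of the container's data, which would be orphaned if the id were ever reallocated. A short comment would stop the next person from dropping `uid`, e.g. `# fixed uid: the uidmap in extraOptions and on-disk data ownership depend on it` (and the same on the other two user blocks). The diff also does not show who creates or chowns any bind-mounted host directories for this user; if that is not handled elsewhere (tmpfiles or a preStart), the first start after this change will presumably fail on permissions.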
@@ -75,4 +84,12 @@ in {
 proxyWebsockets = true;
 };
 };
+
+users.users.focalboard = {
+isSystemUser = true;
+group = "focalboard";
+uid = 981;
+};
+
+users.groups.focalboard = { gid = 978; };
 }
diff --git a/services/immich.nix b/services/immich.nix
index 28e3722..e4d03ef 100644
--- a/services/immich.nix
+++ b/services/immich.nix
@@ -11,10 +11,16 @@ let
 containersHost = "localhost";
 domain = "photos.felschr.com";
+inherit (config.users.users.immich) uid;
+inherit (config.users.groups.immich) gid;
+
 pgSuperUser = config.services.postgresql.superUser;
 immichBase = {
+user = "${toString uid}:${toString gid}";
 environment = {
+PUID = toString uid;
+PGID = toString gid;
 NODE_ENV = "production";
 DB_HOSTNAME = containersHost;
 DB_PORT = toString config.services.postgresql.port;
@@ -29,6 +35,10 @@ let
 config.age.secrets.immich-typesense-env.path
 ];
 extraOptions = [
+"--uidmap=0:65534:1"
+"--gidmap=0:65534:1"
+"--uidmap=${toString uid}:${toString uid}:1"
+"--gidmap=${toString gid}:${toString gid}:1"
 "--network=host"
 "--add-host=immich-server:127.0.0.1"
 "--add-host=immich-microservices:127.0.0.1"
@@ -114,13 +124,17 @@ in {
 cmd = [ "./entrypoint.sh" ];
 };
-typesense = {
+immich-typesense = {
 image = "docker.io/typesense/typesense:0.24.0";
 environment.TYPESENSE_DATA_DIR = "/data";
 environmentFiles = [ config.age.secrets.immich-typesense-env.path ];
 volumes = [ "${typesenseDataDir}:/data" ];
-extraOptions =
-[ "--network=host" "--label=io.containers.autoupdate=registry" ];
+extraOptions = [
+"--uidmap=0:${toString uid}:1"
+"--gidmap=0:${toString gid}:1"
+"--network=host"
+"--label=io.containers.autoupdate=registry"
+];
 };
 };
@@ -158,4 +172,12 @@ in {
 '';
 };
 };
+
+users.users.immich = {
+isSystemUser = true;
+group = "immich";
+uid = 980;
+};
+
+users.groups.immich = { gid = 977; };
 }
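Review bot: `user = "${toString uid}:${toString gid}";` makes every container built from immichBase start as the host-numbered uid, while `PUID`/`PGID` in the same attribute set only matter if the image's entrypoint starts as root and drops privileges itself; with `user` set the process is not root, so the two mechanisms overlap and one of them is presumably a no-op. A comment should state which one is relied on, e.g. `# user = … is what sets the process uid; PUID/PGID are kept only for entrypoints that honor them` (confirm against the image's entrypoint). The uid only works inside the container because of the identity mapping `"--uidmap=${toString uid}:${toString uid}:1"` in the next hunk, so a note tying the two lines together would prevent one being changed without the other. Which containers inherit immichBase is outside the hunk.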
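Review bot: `"--uidmap=0:${toString uid}:1"` in the immich-typesense block runs that container's root as the host `immich` user, the same host identity the immich containers run under, so a compromised typesense process would have the same access as immich itself to anything on the host owned by uid 980 (the immich volumes, if they are owned by that user), not just `${typesenseDataDir}`. A dedicated `immich-typesense` user and group, defined the same way as the `users.users.immich` block at the end of the file, together with `"--uidmap=0:${toString typesenseUid}:1"` and `"--gidmap=0:${toString typesenseGid}:1"` would keep the two data sets apart; `typesenseUid`/`typesenseGid` are names to bind next to `uid`/`gid` in the let block. The rename from `typesense` to `immich-typesense` also changes the generated unit name, so anything outside this hunk that referred to the old container or unit name (a systemd dependency, for instance) needs the same rename; that is not visible here.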