feat: map oci-containers to specific users

services/collabora-office.nix

@@ -1,6 +1,9 @@
-_:
+{ config, ... }:
 
-{
+let
+  inherit (config.users.users.collabora-office) uid;
+  inherit (config.users.groups.collabora-office) gid;
+in {
   virtualisation.oci-containers.containers.collabora-office = {
     image = "docker.io/collabora/code";
     ports = [ "9980:9980" ];
@@ -15,6 +18,10 @@ _:
       extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
     };
     extraOptions = [
+      "--uidmap=0:65534:1"
+      "--gidmap=0:65534:1"
+      "--uidmap=100:${toString uid}:1"
+      "--gidmap=101:${toString gid}:1"
       "--network=host"
       "--cap-add=MKNOD"
       "--label=io.containers.autoupdate=registry"
@@ -32,4 +39,12 @@ _:
       '';
     };
   };
+
+  users.users.collabora-office = {
+    isSystemUser = true;
+    group = "collabora-office";
+    uid = 982;
+  };
+
+  users.groups.collabora-office = { gid = 982; };
 }

services/focalboard.nix

@@ -12,6 +12,9 @@ let
   dbName = "focalboard";
   dbPasswordFile = config.age.secrets.focalboard-db-password.path;
 
+  inherit (config.users.users.focalboard) uid;
+  inherit (config.users.groups.focalboard) gid;
+
   pgSuperUser = config.services.postgresql.superUser;
 in {
   age.secrets.focalboard-env.file = ../secrets/focalboard/.env.age;
@@ -58,8 +61,14 @@ in {
     };
     # only secrets need to be included, e.g. FOCALBOARD_DBCONFIG
     environmentFiles = [ config.age.secrets.focalboard-env.path ];
-    extraOptions =
+    extraOptions = [
-      [ "--network=host" "--label=io.containers.autoupdate=registry" ];
+      "--uidmap=0:65534:1"
+      "--gidmap=0:65534:1"
+      "--uidmap=65534:${toString uid}:1"
+      "--gidmap=65534:${toString gid}:1"
+      "--network=host"
+      "--label=io.containers.autoupdate=registry"
+    ];
   };
 
   systemd.services."${ociBackend}-focalboard" = {
@@ -75,4 +84,12 @@ in {
       proxyWebsockets = true;
     };
   };
+
+  users.users.focalboard = {
+    isSystemUser = true;
+    group = "focalboard";
+    uid = 981;
+  };
+
+  users.groups.focalboard = { gid = 978; };
 }

services/immich.nix

@@ -11,10 +11,16 @@ let
   containersHost = "localhost";
   domain = "photos.felschr.com";
 
+  inherit (config.users.users.immich) uid;
+  inherit (config.users.groups.immich) gid;
+
   pgSuperUser = config.services.postgresql.superUser;
 
   immichBase = {
+    user = "${toString uid}:${toString gid}";
     environment = {
+      PUID = toString uid;
+      PGID = toString gid;
       NODE_ENV = "production";
       DB_HOSTNAME = containersHost;
       DB_PORT = toString config.services.postgresql.port;
@@ -29,6 +35,10 @@ let
       config.age.secrets.immich-typesense-env.path
     ];
     extraOptions = [
+      "--uidmap=0:65534:1"
+      "--gidmap=0:65534:1"
+      "--uidmap=${toString uid}:${toString uid}:1"
+      "--gidmap=${toString gid}:${toString gid}:1"
       "--network=host"
       "--add-host=immich-server:127.0.0.1"
       "--add-host=immich-microservices:127.0.0.1"
@@ -114,13 +124,17 @@ in {
       cmd = [ "./entrypoint.sh" ];
     };
 
-    typesense = {
+    immich-typesense = {
       image = "docker.io/typesense/typesense:0.24.0";
       environment.TYPESENSE_DATA_DIR = "/data";
       environmentFiles = [ config.age.secrets.immich-typesense-env.path ];
       volumes = [ "${typesenseDataDir}:/data" ];
-      extraOptions =
+      extraOptions = [
-        [ "--network=host" "--label=io.containers.autoupdate=registry" ];
+        "--uidmap=0:${toString uid}:1"
+        "--gidmap=0:${toString gid}:1"
+        "--network=host"
+        "--label=io.containers.autoupdate=registry"
+      ];
     };
   };
 
@@ -158,4 +172,12 @@ in {
       '';
     };
   };
+
+  users.users.immich = {
+    isSystemUser = true;
+    group = "immich";
+    uid = 980;
+  };
+
+  users.groups.immich = { gid = 977; };
 }