lew/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

use dedicated podman user for rootless containers

Browse source 
Adds a system user 'podman' (uid 900) with subuid/subgid ranges
and linger for running OCI containers. Removes podman-specific
settings from lew user. DokuWiki switches to sdnotify=healthy
since the image has a built-in healthcheck.
This commit is contained in:
Lewis Wynne 2026-04-04 23:53:32 +01:00
parent 71f32ba49c
commit 102b195d27
4 changed files with 15 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

3
hosts/common/default.nix
View file

@ -14,9 +14,6 @@
users.users.lew = { users.users.lew = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
linger = true;
subUidRanges = [{ startUid = 100000; count = 65536; }];
subGidRanges = [{ startGid = 100000; count = 65536; }];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11"
]; ];

12
hosts/lab/default.nix
View file

@ -23,6 +23,18 @@
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
users.users.podman = {
isSystemUser = true;
group = "podman";
home = "/var/lib/podman";
createHome = true;
uid = 900;
linger = true;
subUidRanges = [{ startUid = 100000; count = 65536; }];
subGidRanges = [{ startGid = 100000; count = 65536; }];
};
users.groups.podman = {};
virtualisation.containers.enable = true; virtualisation.containers.enable = true;
virtualisation.podman = { virtualisation.podman = {
enable = true; enable = true;

6
hosts/lab/dokuwiki.nix
View file

@ -9,7 +9,8 @@
virtualisation.oci-containers.containers.dokuwiki = { virtualisation.oci-containers.containers.dokuwiki = {
image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299"; image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
podman.user = "lew"; podman.user = "podman";
podman.sdnotify = "healthy";
environment = { environment = {
PUID = "1000"; PUID = "1000";
PGID = "1000"; PGID = "1000";
@ -21,7 +22,4 @@
]; ];
ports = [ "127.0.0.1:8070:80" ]; ports = [ "127.0.0.1:8070:80" ];
}; };
# Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
systemd.services.podman-dokuwiki.serviceConfig.Delegate = true;
} }

3
hosts/lab/foundry.nix
View file

@ -11,8 +11,7 @@
image = "node:22.22.2-slim"; image = "node:22.22.2-slim";
cmd = [ "node" "main.js" "--dataPath=/data" ]; cmd = [ "node" "main.js" "--dataPath=/data" ];
workdir = "/app"; workdir = "/app";
user = "1000:1000"; podman.user = "podman";
podman.user = "lew";
volumes = [ volumes = [
"/srv/foundry/app:/app:ro" "/srv/foundry/app:/app:ro"
"/srv/foundry/data:/data" "/srv/foundry/data:/data"