From 10a946ade31a26ec2075df705ede4412b8dfdfc5 Mon Sep 17 00:00:00 2001
From: lew <lew@ily.rs>
Date: Sat, 4 Apr 2026 23:23:13 +0100
Subject: [PATCH] pin container images and run rootless under lew

---
 hosts/lab/dokuwiki.nix | 4 +++-
 hosts/lab/foundry.nix  | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/hosts/lab/dokuwiki.nix b/hosts/lab/dokuwiki.nix
index d94cb4b..ac8ca15 100644
--- a/hosts/lab/dokuwiki.nix
+++ b/hosts/lab/dokuwiki.nix
@@ -8,7 +8,7 @@
   };
 
   virtualisation.oci-containers.containers.dokuwiki = {
-    image = "lscr.io/linuxserver/dokuwiki:latest";
+    image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
     environment = {
       PUID = "1000";
       PGID = "1000";
@@ -20,4 +20,6 @@
     ];
     ports = [ "127.0.0.1:8070:80" ];
   };
+
+  systemd.services.podman-dokuwiki.serviceConfig.User = "lew";
 }
diff --git a/hosts/lab/foundry.nix b/hosts/lab/foundry.nix
index 2660860..162439c 100644
--- a/hosts/lab/foundry.nix
+++ b/hosts/lab/foundry.nix
@@ -8,13 +8,16 @@
   };
 
   virtualisation.oci-containers.containers.foundry = {
-    image = "node:22-slim";
+    image = "node:22.22.2-slim";
     cmd = [ "node" "main.js" "--dataPath=/data" ];
     workdir = "/app";
+    user = "1000:1000";
     volumes = [
       "/srv/foundry/app:/app:ro"
       "/srv/foundry/data:/data"
     ];
     ports = [ "127.0.0.1:30000:30000" ];
   };
+
+  systemd.services.podman-foundry.serviceConfig.User = "lew";
 }