fix: use podman.user for rootless instead of mkForce on serviceConfig

The oci-containers module has native rootless support via podman.user which handles cgroup delegation, runtime dirs, and cidfile paths. Delegate=true workaround for NixOS/nixpkgs#410857.
2026-04-04 23:36:01 +01:00 · 2026-04-04 23:36:01 +01:00 · 71f32ba49c
commit 71f32ba49c
parent b5be0575ee
2 changed files with 8 additions and 4 deletions
--- a/hosts/lab/dokuwiki.nix
+++ b/hosts/lab/dokuwiki.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ ... }:
 {
  services.caddy.virtualHosts."wiki.ily.rs" = {
    extraConfig = ''
@ -9,6 +9,7 @@
  virtualisation.oci-containers.containers.dokuwiki = {
    image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
    podman.user = "lew";
    environment = {
      PUID = "1000";
      PGID = "1000";
@ -21,5 +22,6 @@
    ports = [ "127.0.0.1:8070:80" ];
  };
-  systemd.services.podman-dokuwiki.serviceConfig.User = lib.mkForce "lew";
+  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
  systemd.services.podman-dokuwiki.serviceConfig.Delegate = true;
 }
--- a/hosts/lab/foundry.nix
+++ b/hosts/lab/foundry.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ ... }:
 {
  services.caddy.virtualHosts."foundry.ily.rs" = {
    extraConfig = ''
@ -12,6 +12,7 @@
    cmd = [ "node" "main.js" "--dataPath=/data" ];
    workdir = "/app";
    user = "1000:1000";
    podman.user = "lew";
    volumes = [
      "/srv/foundry/app:/app:ro"
      "/srv/foundry/data:/data"
@ -19,5 +20,6 @@
    ports = [ "127.0.0.1:30000:30000" ];
  };
-  systemd.services.podman-foundry.serviceConfig.User = lib.mkForce "lew";
+  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
  systemd.services.podman-foundry.serviceConfig.Delegate = true;
 }