From d4e212b88b26e295c1f22677e2e8361663843bdc Mon Sep 17 00:00:00 2001
From: lew
Date: Sat, 4 Apr 2026 23:22:36 +0100
Subject: [PATCH 1/3] add CLAUDE.md to gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 726d2d6..865b9ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 result
 .direnv
+CLAUDE.md
From 07faf5c11e5a2d6e82838a6b78ceb153421c9ca9 Mon Sep 17 00:00:00 2001
From: lew
Date: Sat, 4 Apr 2026 23:22:55 +0100
Subject: [PATCH 2/3] move user config to common, add nix gc and store optimisation
---
 hosts/common/default.nix | 17 +++++++++++++++++
 hosts/lab/default.nix | 9 +--------
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index be00ae7..2e1f741 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -1,10 +1,27 @@
 { pkgs, ... }:
 {
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.settings.auto-optimise-store = true;
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
 time.timeZone = "Europe/London";
 i18n.defaultLocale = "en_GB.UTF-8";
+ users.users.lew = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ linger = true;
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11"
+ ];
+ };
+
 environment.systemPackages = with pkgs; [
 neovim
 git
diff --git a/hosts/lab/default.nix b/hosts/lab/default.nix
index 07a547b..1066cf6 100644
--- a/hosts/lab/default.nix
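Review bot: `users.users.lew` now lands on every host that imports hosts/common, carrying `extraGroups = [ "wheel" ]`, `linger = true`, the subordinate UID/GID ranges and the authorized SSH key, while `security.sudo.wheelNeedsPassword = false` stays host-local in hosts/lab (visible as context in the next hunk) — so on lab that key is password-less root-equivalent, and any future host importing common inherits the same wheel membership and SSH access. That is a reasonable choice for a single-admin setup, but the blast radius of the key should be stated next to it, e.g. `# admin user on every host: wheel + SSH key; passwordless sudo is configured per host`. The `linger`/`subUidRanges`/`subGidRanges` lines are presumably there for the rootless podman units introduced in patch 3/3; a comment such as `# linger + sub{U,G}id ranges: required for rootless podman units (hosts/lab/*.nix)` would tie them to their consumer, and it is worth checking that keeping the user manager alive at boot (`linger`) is wanted on hosts that run no user services.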
+++ b/hosts/lab/default.nix
@@ -21,14 +21,6 @@
 networking.firewall.allowedTCPPorts = [ 80 443 4200 ];
- users.users.lew = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11"
- ];
- };
-
 security.sudo.wheelNeedsPassword = false;
 virtualisation.containers.enable = true;
@@ -41,6 +33,7 @@
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 services.caddy.enable = true;
+ services.caddy.email = "lew@ily.rs";
 system.stateVersion = "23.11";
 }
From 10a946ade31a26ec2075df705ede4412b8dfdfc5 Mon Sep 17 00:00:00 2001
From: lew
Date: Sat, 4 Apr 2026 23:23:13 +0100
Subject: [PATCH 3/3] pin container images and run rootless under lew
---
 hosts/lab/dokuwiki.nix | 4 +++-
 hosts/lab/foundry.nix | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/hosts/lab/dokuwiki.nix b/hosts/lab/dokuwiki.nix
index d94cb4b..ac8ca15 100644
--- a/hosts/lab/dokuwiki.nix
+++ b/hosts/lab/dokuwiki.nix
@@ -8,7 +8,7 @@
 };
 virtualisation.oci-containers.containers.dokuwiki = {
- image = "lscr.io/linuxserver/dokuwiki:latest";
+ image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
 environment = {
 PUID = "1000";
 PGID = "1000";
@@ -20,4 +20,6 @@
 ];
 ports = [ "127.0.0.1:8070:80" ];
 };
+
+ systemd.services.podman-dokuwiki.serviceConfig.User = "lew";
 }
diff --git a/hosts/lab/foundry.nix b/hosts/lab/foundry.nix
index 2660860..162439c 100644
--- a/hosts/lab/foundry.nix
+++ b/hosts/lab/foundry.nix
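Review bot: `image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299"` pins a tag, but a registry tag is mutable, so this neither makes the deployment reproducible nor protects against a re-pushed tag; the same applies to `image = "node:22.22.2-slim"` in hosts/lab/foundry.nix. For an immutable pin, reference the content digest, e.g. `image = "lscr.io/linuxserver/dokuwiki@sha256:<DIGEST-PLACEHOLDER>";` with the human-readable tag kept in a comment beside it so the version can still be found. Moving off `latest` is already a clear improvement; the digest just closes the remaining gap.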
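Review bot: `systemd.services.podman-dokuwiki.serviceConfig.User = "lew"` makes the unit run podman rootless, which changes what `PUID = "1000"` / `PGID = "1000"` (context above) mean on the host: in a rootless user namespace, container UID 1000 is mapped into the subordinate range from patch 2/3 (`startUid = 100000`, so host UID 100999, not 1000), so bind-mounted volumes owned by lew or by UID 1000 on the host will no longer be writable by the container; the same holds for `user = "1000:1000"` in hosts/lab/foundry.nix against `/srv/foundry/data`. If the process is meant to own the data as lew, add `extraOptions = [ "--userns=keep-id" ];` to the container definition (in-container UID then equals lew's host UID), otherwise chown the volume directories to the mapped UID. Running a system unit with `User=` also presumably depends on `linger = true` from patch 2/3 for the user runtime directory — worth a comment on the line, e.g. `# rootless podman: needs linger + subuid/subgid for lew (see hosts/common)`.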
@@ -8,13 +8,16 @@
 };
 virtualisation.oci-containers.containers.foundry = {
- image = "node:22-slim";
+ image = "node:22.22.2-slim";
 cmd = [ "node" "main.js" "--dataPath=/data" ];
 workdir = "/app";
+ user = "1000:1000";
 volumes = [
 "/srv/foundry/app:/app:ro"
 "/srv/foundry/data:/data"
 ];
 ports = [ "127.0.0.1:30000:30000" ];
 };
+
+ systemd.services.podman-foundry.serviceConfig.User = "lew";
 }