pin container images and run rootless under lew

move user config to common, add nix gc and store optimisation
add CLAUDE.md to gitignore
2026-04-04 23:23:13 +01:00 · 2026-04-04 23:22:55 +01:00 · 2026-04-04 23:22:36 +01:00
5 changed files with 26 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 result
 .direnv
+CLAUDE.md
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@ -1,10 +1,27 @@
 { pkgs, ... }:
 {
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.auto-optimise-store = true;
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };

  time.timeZone = "Europe/London";
  i18n.defaultLocale = "en_GB.UTF-8";

+  users.users.lew = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    linger = true;
+    subUidRanges = [{ startUid = 100000; count = 65536; }];
+    subGidRanges = [{ startGid = 100000; count = 65536; }];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11"
+    ];
+  };
+
  environment.systemPackages = with pkgs; [
    neovim
    git
--- a/hosts/lab/default.nix
+++ b/hosts/lab/default.nix
@ -21,14 +21,6 @@

  networking.firewall.allowedTCPPorts = [ 80 443 4200 ];

-  users.users.lew = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6KI06F0tHIurNFFRJRlHMeLb7dnUEk8jtSmdsdkfPPoDY0HL1A0QJwqsppFbjHSsJoQ/WZGIj09Evmk9RRGjR5uNEtDMWfxEoeJQoJ6Bwdit+BPa3TfgyyoLM107/D5JriFoZW9k0JVNkgAIFnHp6VAjFyrg4298yKzy2dZchDO4u5HfFi+HBwn2haP7IC0JNgq6GO8K+yw4UK2635/3B/xNLhhLobbT4sThcghBtBhvb8pSXJ0wLupwuGWN9uuONs0UYEOlb8BhedXR4ShJUsQERIPFByAvMaq5vbsVIojF5s4P4dAlpsRQpXhQa7E4wzwGy5bYVP3MNmtYwxZel ssh-key-2025-12-11"
-    ];
-  };
-
  security.sudo.wheelNeedsPassword = false;

  virtualisation.containers.enable = true;
@ -41,6 +33,7 @@
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  services.caddy.enable = true;
+  services.caddy.email = "lew@ily.rs";

  system.stateVersion = "23.11";
 }
--- a/hosts/lab/dokuwiki.nix
+++ b/hosts/lab/dokuwiki.nix
@ -8,7 +8,7 @@
  };

  virtualisation.oci-containers.containers.dokuwiki = {
-    image = "lscr.io/linuxserver/dokuwiki:latest";
+    image = "lscr.io/linuxserver/dokuwiki:2025-05-14b-ls299";
    environment = {
      PUID = "1000";
      PGID = "1000";
@ -20,4 +20,6 @@
    ];
    ports = [ "127.0.0.1:8070:80" ];
  };
+
+  systemd.services.podman-dokuwiki.serviceConfig.User = "lew";
 }
--- a/hosts/lab/foundry.nix
+++ b/hosts/lab/foundry.nix
@ -8,13 +8,16 @@
  };

  virtualisation.oci-containers.containers.foundry = {
-    image = "node:22-slim";
+    image = "node:22.22.2-slim";
    cmd = [ "node" "main.js" "--dataPath=/data" ];
    workdir = "/app";
+    user = "1000:1000";
    volumes = [
      "/srv/foundry/app:/app:ro"
      "/srv/foundry/data:/data"
    ];
    ports = [ "127.0.0.1:30000:30000" ];
  };
+
+  systemd.services.podman-foundry.serviceConfig.User = "lew";
 }
Author	SHA1	Message	Date
lew	10a946ade3	pin container images and run rootless under lew	2026-04-04 23:23:13 +01:00
lew	07faf5c11e	move user config to common, add nix gc and store optimisation	2026-04-04 23:22:55 +01:00
lew	d4e212b88b	add CLAUDE.md to gitignore	2026-04-04 23:22:36 +01:00