Nuke docker.io

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-11 21:04:37 +00:00
parent bdaac67bf2
commit 10e0980f8f
23 changed files with 521 additions and 68 deletions
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -11,7 +11,7 @@
  ...
 }:
 let
-  selfLib = inputs.self.lib.${system};
+  selfPkgs = inputs.self.packages.${system};
  hmConfig = config.home-manager.users.${user};
  inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
 in
@@ -55,8 +55,7 @@ in
      containers = {
        "authelia-init" = {
          containerConfig = {
-            autoUpdate = "registry";
-            image = "docker.io/mikefarah/yq:latest";
+            image = "docker-archive:${selfPkgs.docker-yq}";
            networks = [ networks.authelia.ref ];
            volumes = [
              "${home}/.local/share/authelia/config:/workdir/config"
@@ -69,8 +68,6 @@ in
              "/workdir/users.yaml"
              "-i"
            ];
-            user = "0";
-            group = "0";
          };

          serviceConfig = {
@@ -91,7 +88,7 @@ in
                authentication_backend = {
                  refresh_interval = "always";
                  file = {
-                    path = "/config/users.yaml";
+                    path = "/etc/authelia/users.yaml";
                    watch = true;
                  };
                };
@@ -127,8 +124,7 @@ in
              };
            in
            {
-              autoUpdate = "registry";
-              image = "ghcr.io/authelia/authelia";
+              image = "docker-archive:${selfPkgs.docker-authelia}";
              environments = {
                AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
                AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
@@ -137,8 +133,8 @@ in
                AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD";
              };
              volumes = [
-                "${home}/.local/share/authelia/config:/config"
-                "${config}:/config/conf.d/configuration.yaml:ro"
+                "${home}/.local/share/authelia/config:/etc/authelia"
+                "${config}:/etc/authelia/conf.d/configuration.yaml:ro"
                "${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro"
                "${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro"
                "${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro"
@@ -149,7 +145,7 @@ in
                networks.authelia.ref
                networks.traefik.ref
              ];
-              exec = [ "--config /config/conf.d/" ];
+              exec = [ "--config /etc/authelia/conf.d/" ];
              labels = [
                "traefik.enable=true"
                "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)"
@@ -171,39 +167,32 @@ in

        "authelia-postgresql" = {
          containerConfig = {
-            autoUpdate = "registry";
-            image = "docker.io/library/postgres:latest";
+            image = "docker-archive:${selfPkgs.docker-postgresql}";
            networks = [ networks.authelia.ref ];
-            volumes = [
-              "${selfLib.runtime.log.docker.postgres}:/entrypoint.sh:ro"
-              "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data"
-            ];
+            volumes = [ "${home}/.local/share/authelia/postgresql:/var/lib/postgresql/data" ];
            environments = {
              POSTGRES_DB = "authelia";
              POSTGRES_USER = "authelia";
            };
            environmentFiles = [ hmConfig.sops.templates."authelia-postgresql.env".path ];
-            entrypoint = "/entrypoint.sh";
-            exec = [ "postgres" ];
          };

          unitConfig.After = [ "sops-nix.service" ];
        };

        "authelia-redis".containerConfig = {
-          autoUpdate = "registry";
-          image = "docker.io/library/redis:latest";
+          image = "docker-archive:${selfPkgs.docker-redis}";
          networks = [ networks.authelia.ref ];
-          volumes = [ "${volumes."authelia-redis".ref}:/data" ];
+          volumes = [ "${volumes."authelia-redis".ref}:/var/lib/redis" ];
          exec = [ "--save 60 1" ];
        };
      };
    };

    systemd.user.tmpfiles.rules = [
-      "d ${home}/.local/share/authelia/config :0755 :${user} :${user}"
-      "f ${home}/.local/share/authelia/config/users.yaml :0644 :${user} :${user}"
-      "d ${home}/.local/share/authelia/postgresql :0755 :${user} :${user}"
+      "d ${home}/.local/share/authelia/config 0755 ${user} ${user}"
+      "f ${home}/.local/share/authelia/config/users.yaml 0600 ${user} ${user}"
+      "d ${home}/.local/share/authelia/postgresql 0700 ${user} ${user}"
    ];
  };
 }
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -14,6 +14,11 @@ in
    (import ./whoami { inherit user home; })
  ];

+  boot.kernel.sysctl = {
+    "net.ipv4.ip_unprivileged_port_start" = 0;
+    "vm.overcommit_memory" = 1;
+  };
+
  home-manager.users.${user} = {
    virtualisation.quadlet = {
      autoUpdate.enable = true;
--- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix
@@ -2,8 +2,15 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ config, pkgs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  system,
+  ...
+}:
 let
+  selfPkgs = inputs.self.packages.${system};
  hmConfig = config.home-manager.users.${user};
  inherit (hmConfig.virtualisation.quadlet) volumes networks;
 in
@@ -75,6 +82,7 @@ in
          content = ''
            #!/bin/sh

+            mkdir -p /tmp
            PIPE=$(mktemp -u)
            mkfifo "$PIPE"
            trap 'rm -f "$PIPE"' EXIT
@@ -108,8 +116,7 @@ in

      containers.ntfy = {
        containerConfig = {
-          autoUpdate = "registry";
-          image = "docker.io/binwiederhier/ntfy:latest";
+          image = "docker-archive:${selfPkgs.docker-ntfy}";
          networks = [
            networks.ntfy.ref
            networks.traefik.ref
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -2,14 +2,18 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ config, pkgs, ... }:
+{
+  config,
+  inputs,
+  system,
+  ...
+}:
 let
+  selfPkgs = inputs.self.packages.${system};
  hmConfig = config.home-manager.users.${user};
  inherit (hmConfig.virtualisation.quadlet) networks volumes containers;
 in
 {
-  boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
-
  networking.firewall.allowedTCPPorts = [
    80
    443
@@ -30,8 +34,7 @@ in

      containers.traefik = {
        containerConfig = {
-          autoUpdate = "registry";
-          image = "docker.io/library/traefik:latest";
+          image = "docker-archive:${selfPkgs.docker-traefik}";
          networks = [ networks.traefik.ref ];
          volumes = [
            "/run/user/${
--- a/hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/whoami/default.nix
@@ -2,8 +2,14 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ config, pkgs, ... }:
+{
+  config,
+  inputs,
+  system,
+  ...
+}:
 let
+  selfPkgs = inputs.self.packages.${system};
  hmConfig = config.home-manager.users.${user};
  inherit (hmConfig.virtualisation.quadlet) networks;
 in
@@ -12,8 +18,7 @@ in
    networks.whoami.networkConfig.internal = true;

    containers.whoami.containerConfig = {
-      autoUpdate = "registry";
-      image = "docker.io/traefik/whoami:latest";
+      image = "docker-archive:${selfPkgs.docker-whoami}";
      networks = [
        networks.whoami.ref
        networks.traefik.ref