diff --git a/hosts/koi/containers/bots/channel-logger-bot.nix b/hosts/koi/containers/bots/channel-logger-bot.nix index 6c5d823..be97ef9 100644 --- a/hosts/koi/containers/bots/channel-logger-bot.nix +++ b/hosts/koi/containers/bots/channel-logger-bot.nix @@ -14,14 +14,14 @@ in { virtualisation.oci-containers.containers.channel-logger-bot = { image = "ghcr.io/teidesu/channel-logger-bot:latest"; - volumes = [ - "/srv/channel-logger-bot:/app/bot-data" - ]; environmentFiles = [ config.desu.secrets.channel-logger-bot-env.path ]; environment.MTCUTE_LOG_LEVEL = "5"; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/channel-logger-bot,target=/app/bot-data" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/bots/pcre-sub-bot.nix b/hosts/koi/containers/bots/pcre-sub-bot.nix index ecb1572..46b37fa 100644 --- a/hosts/koi/containers/bots/pcre-sub-bot.nix +++ b/hosts/koi/containers/bots/pcre-sub-bot.nix @@ -14,13 +14,13 @@ in { virtualisation.oci-containers.containers.pcre-sub-bot = { image = "ghcr.io/teidesu/pcre-sub-bot:latest"; - volumes = [ - "/srv/pcre-sub-bot:/app/bot-data" - ]; environmentFiles = [ config.desu.secrets.pcresub-bot-env.path ]; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/pcre-sub-bot,target=/app/bot-data" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/conduwuit/bridges/telegram/default.nix b/hosts/koi/containers/conduwuit/bridges/telegram/default.nix index b5fb774..a65f09f 100644 --- a/hosts/koi/containers/conduwuit/bridges/telegram/default.nix +++ b/hosts/koi/containers/conduwuit/bridges/telegram/default.nix @@ -27,7 +27,6 @@ in { "${bridgeConfig}:/config-template.yaml:ro" "${pkgs.pkgsStatic.jq}/bin/jq:/bin/jq" "${entrypoint}:/entrypoint.sh" - "/srv/mautrix-telegram:/data" ]; environment = { MAUTRIX_DIRECT_STARTUP = "1"; 
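Review bot: The new `--mount=type=bind,source=/srv/channel-logger-bot,target=/app/bot-data` entry carries no comment saying why the `volumes` form was dropped, so a later maintainer is likely to "simplify" it back. The operative difference is that a `-v` bind of a host path that does not exist yet is created by the daemon as a root-owned directory, which a container running as `UID` then cannot write into, whereas `--mount` refuses to start the container; that fail-closed behaviour is presumably the motivation for the whole commit. Suggest a one-line comment above `extraOptions`, e.g. `# --mount, unlike -v, fails the start if the source is missing instead of creating it as root`. The directory itself still comes from the `systemd.tmpfiles.rules` entry whose body lies past the end of this hunk.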
@@ -37,6 +36,9 @@ in { config.desu.secrets.mautrix-tg-env.path ]; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/mautrix-telegram,target=/data" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/conduwuit/default.nix b/hosts/koi/containers/conduwuit/default.nix index bcb5861..87de5be 100644 --- a/hosts/koi/containers/conduwuit/default.nix +++ b/hosts/koi/containers/conduwuit/default.nix @@ -19,7 +19,6 @@ in { image = "ghcr.io/girlbossceo/conduwuit:main-032b199129f8648a77bde285f755a78e9ec349a7"; volumes = [ "${./config.toml}:/conduwuit.toml" - "/srv/conduwuit:/data" ]; environment = { CONDUWUIT_CONFIG = "/conduwuit.toml"; @@ -28,6 +27,9 @@ in { config.desu.secrets.conduwuit-env.path ]; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/conduwuit,target=/data" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/kanidm/default.nix b/hosts/koi/containers/kanidm/default.nix index 3c56f5f..947a041 100644 --- a/hosts/koi/containers/kanidm/default.nix +++ b/hosts/koi/containers/kanidm/default.nix @@ -18,15 +18,19 @@ in { virtualisation.oci-containers.containers.kanidm = { image = "kanidm/server:1.4.2"; volumes = [ - "/srv/kanidm/data:/data/db" + # "/srv/kanidm/data:/data/db" "${./server.toml}:/data/server.toml" "${./style.css}:/hpkg/style.css" "${./fish.png}:/hpkg/img/fish.png" - "${config.desu.secrets.kanidm-tls-key.path}:/data/key.pem" - "${config.desu.secrets.kanidm-tls-cert.path}:/data/chain.pem" ]; user = "${builtins.toString UID}"; + + extraOptions = [ + "--mount=type=bind,source=/srv/kanidm/data,target=/data/db" + "--mount=type=bind,source=${config.desu.secrets.kanidm-tls-key.path},target=/data/key.pem,readonly" + "--mount=type=bind,source=${config.desu.secrets.kanidm-tls-cert.path},target=/data/chain.pem,readonly" + ]; }; systemd.tmpfiles.rules = [ 
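Review bot: In the kanidm hunk the old `"/srv/kanidm/data:/data/db"` entry is left behind as a commented-out line in `volumes`, while every other file in this commit simply deletes it; drop the line so the `--mount` entry is the only source of truth. Marking the TLS key and chain binds `readonly` is right, but a file bind pins whatever `config.desu.secrets.kanidm-tls-key.path` resolved to at container start: if the secret is rotated by replacing the file or swapping a symlink, kanidm keeps serving the old key until `docker-kanidm` restarts — worth a comment on those two lines if that matches how secrets are deployed here. `server.toml`, `style.css` and `fish.png` in the context lines above could take the same `readonly` treatment for consistency. The `virtualisation.oci-containers.containers.kanidm` set continues past the end of the hunk.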
diff --git a/hosts/koi/containers/memos/default.nix b/hosts/koi/containers/memos/default.nix index 61d7650..4160e13 100644 --- a/hosts/koi/containers/memos/default.nix +++ b/hosts/koi/containers/memos/default.nix @@ -17,9 +17,6 @@ in { systemd.services.docker-memos.after = [ "postgresql.service" ]; virtualisation.oci-containers.containers.memos = { image = "neosmemo/memos:0.22.5"; - volumes = [ - "/srv/memos/data:/var/opt/memos" - ]; environment = { MEMOS_DRIVER = "postgres"; @@ -27,6 +24,10 @@ in { }; user = "${builtins.toString UID}"; + + extraOptions = [ + "--mount=type=bind,source=/srv/memos/data,target=/var/opt/memos" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/navidrome/default.nix b/hosts/koi/containers/navidrome/default.nix index 9b5ab25..f33e1e7 100644 --- a/hosts/koi/containers/navidrome/default.nix +++ b/hosts/koi/containers/navidrome/default.nix @@ -23,8 +23,6 @@ in { image = "deluan/navidrome:0.53.3"; volumes = [ "${./navidrome.toml}:/navidrome.toml" - "/mnt/s3-desu-priv-encrypted/music:/music/s3:ro" - "/srv/navidrome:/data" ]; environment = { ND_CONFIGFILE = "/navidrome.toml"; @@ -35,6 +33,8 @@ in { user = "${builtins.toString UID}:${builtins.toString UID}"; extraOptions = [ "--group-add=${builtins.toString config.users.groups.geesefs.gid}" + "--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/music,target=/music/s3,readonly" + "--mount=type=bind,source=/srv/navidrome,target=/data" ]; }; systemd.services.docker-navidrome.requires = [ "gocryptfs.service" ]; diff --git a/hosts/koi/containers/pds/default.nix b/hosts/koi/containers/pds/default.nix index e1cc6dc..9b6f384 100644 --- a/hosts/koi/containers/pds/default.nix +++ b/hosts/koi/containers/pds/default.nix @@ -17,7 +17,6 @@ in { cmd = [ "node" "--enable-source-maps" "/app/entrypoint.js" ]; volumes = [ "${./entrypoint.js}:/app/entrypoint.js" - "/srv/bluesky-pds/data:/pds" ]; environment = { PDS_HOSTNAME = "pds.stupid.fish"; 
@@ -41,6 +40,9 @@ in { config.desu.secrets.bluesky-pds-secrets.path ]; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/bluesky-pds/data,target=/pds" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/sftpgo/default.nix b/hosts/koi/containers/sftpgo/default.nix index 65031d8..9fa378a 100644 --- a/hosts/koi/containers/sftpgo/default.nix +++ b/hosts/koi/containers/sftpgo/default.nix @@ -18,15 +18,13 @@ in { virtualisation.oci-containers.containers.sftpgo = { image = "drakkan/sftpgo:v2.6.2"; - volumes = [ - "/srv/sftpgo/data:/srv/sftpgo" - "/srv/sftpgo/config:/var/lib/sftpgo" - "/mnt/puffer:/mnt/puffer" - "/mnt/s3-desu-priv-encrypted:/mnt/s3-desu-priv-encrypted" - ]; user = "${builtins.toString UID}:${builtins.toString UID}"; extraOptions = [ "--group-add=${builtins.toString config.users.groups.geesefs.gid}" + "--mount=type=bind,source=/srv/sftpgo/data,target=/srv/sftpgo" + "--mount=type=bind,source=/srv/sftpgo/config,target=/var/lib/sftpgo" + "--mount=type=bind,source=/mnt/puffer,target=/mnt/puffer" + "--mount=type=bind,source=/mnt/s3-desu-priv-encrypted,target=/mnt/s3-desu-priv-encrypted" ]; environment = { SFTPGO_SFTPD__BINDINGS__0__PORT = "22"; diff --git a/hosts/koi/containers/siyuan/default.nix b/hosts/koi/containers/siyuan/default.nix index e0d92be..b08efa2 100644 --- a/hosts/koi/containers/siyuan/default.nix +++ b/hosts/koi/containers/siyuan/default.nix @@ -16,15 +16,15 @@ in { ]; virtualisation.oci-containers.containers.siyuan-teidesu = { image = "local/siyuan"; - volumes = [ - "/srv/siyuan-teidesu:/data" - ]; cmd = [ "--workspace=/data" ]; environment = { # we manage auth via openid-proxy SIYUAN_ACCESS_AUTH_CODE_BYPASS = "true"; }; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/siyuan-teidesu,target=/data" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/soulseek/default.nix b/hosts/koi/containers/soulseek/default.nix index 4c5eb8a..0bc86a0 100644 
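Review bot: The four new sftpgo `--mount` lines bind all of `/mnt/puffer` and `/mnt/s3-desu-priv-encrypted` read-write, and both appear to be FUSE mounts owned by other units (geesefs/gocryptfs, judging by the `gocryptfs.service` requirement on `docker-navidrome` elsewhere in this commit). A bind taken before the FUSE filesystem is up binds the empty mountpoint directory, and with the default private propagation the real filesystem never appears inside the container afterwards, so SFTP clients would write onto the host root filesystem; the hunk shows no `systemd.services.docker-sftpgo.requires`/`after` on those units, so please confirm one exists outside this hunk or add `systemd.services.docker-sftpgo.requires = [ "gocryptfs.service" ];` next to the container definition, with the geesefs unit included if it is separate. Whether every SFTP account should see the whole encrypted store is a policy question the config does not answer here; if only specific virtual folders are meant to be exposed, narrowing the `source=` paths is the cheapest control.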
--- a/hosts/koi/containers/soulseek/default.nix +++ b/hosts/koi/containers/soulseek/default.nix @@ -12,12 +12,6 @@ in { systemd.services.docker-slskd.requires = [ "gocryptfs.service" ]; virtualisation.oci-containers.containers.slskd = { image = "slskd/slskd:0.21.4.65534-9a68c184"; - volumes = [ - "/srv/slskd:/app" - "/mnt/s3-desu-priv-encrypted/music:/mnt/music" - "/mnt/puffer/Downloads:/mnt/downloads" - ]; - ports = [ "50300:50300" ]; @@ -34,6 +28,9 @@ in { user = "${builtins.toString UID}:${builtins.toString UID}"; extraOptions = [ "--group-add=${builtins.toString config.users.groups.geesefs.gid}" + "--mount=type=bind,source=/srv/slskd,target=/app" + "--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/music,target=/mnt/music" + "--mount=type=bind,source=/mnt/puffer/Downloads,target=/mnt/downloads" ]; }; diff --git a/hosts/koi/containers/teisu.nix b/hosts/koi/containers/teisu.nix index 4b6f6e1..342d7be 100644 --- a/hosts/koi/containers/teisu.nix +++ b/hosts/koi/containers/teisu.nix @@ -12,13 +12,13 @@ in { virtualisation.oci-containers.containers.teisu = { image = "ghcr.io/teidesu/tei.su:latest"; - volumes = [ - "/srv/teisu:/app/.runtime" - ]; environmentFiles = [ config.desu.secrets.teisu-env.path ]; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/teisu,target=/app/.runtime" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/vaultwarden.nix b/hosts/koi/containers/vaultwarden.nix index 0ec21ef..d3f82dc 100644 --- a/hosts/koi/containers/vaultwarden.nix +++ b/hosts/koi/containers/vaultwarden.nix @@ -7,9 +7,6 @@ in { virtualisation.oci-containers.containers.vaultwarden = { image = "vaultwarden/server:1.32.5-alpine"; - volumes = [ - "/srv/vaultwarden:/data" - ]; environment = { SIGNUPS_ALLOWED = "false"; DOMAIN = "https://bw.tei.su"; 
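Review bot: The new `/mnt/s3-desu-priv-encrypted/music` bind for slskd is read-write, whereas the same tree is mounted `readonly` for navidrome in this commit; slskd shares that tree with arbitrary Soulseek peers, and if it only reads from it, `"--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/music,target=/mnt/music,readonly"` keeps a compromised or misbehaving client from altering the library. `/mnt/puffer/Downloads` legitimately needs write access and `/srv/slskd` holds the application state, so those two stay as written. The `extraOptions` list and the container definition continue past the end of the hunk.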
@@ -22,6 +19,9 @@ in { config.desu.secrets.vaultwarden-env.path ]; user = builtins.toString UID; + extraOptions = [ + "--mount=type=bind,source=/srv/vaultwarden,target=/data" + ]; }; users.users.vaultwarden = { diff --git a/hosts/koi/containers/verdaccio/default.nix b/hosts/koi/containers/verdaccio/default.nix index 6b2c532..571617f 100644 --- a/hosts/koi/containers/verdaccio/default.nix +++ b/hosts/koi/containers/verdaccio/default.nix @@ -15,13 +15,16 @@ in { volumes = [ "${./config.yaml}:/verdaccio/conf/config.yaml" "${config.desu.secrets.verdaccio-htpasswd.path}:/verdaccio/htpasswd" - "/srv/verdaccio/storage:/verdaccio/storage" - "/srv/verdaccio/plugins:/verdaccio/plugins" ]; environment = { VERDACCIO_PUBLIC_URL = "https://npm.tei.su"; }; user = builtins.toString UID; + + extraOptions = [ + "--mount=type=bind,source=/srv/verdaccio/storage,target=/verdaccio/storage" + "--mount=type=bind,source=/srv/verdaccio/plugins,target=/verdaccio/plugins" + ]; }; systemd.tmpfiles.rules = [ diff --git a/hosts/koi/containers/wakapi/default.nix b/hosts/koi/containers/wakapi/default.nix index fa5527e..9bdfc6d 100644 --- a/hosts/koi/containers/wakapi/default.nix +++ b/hosts/koi/containers/wakapi/default.nix @@ -19,9 +19,6 @@ in { systemd.services.docker-wakapi.after = [ "postgresql.service" ]; virtualisation.oci-containers.containers.wakapi = { image = "ghcr.io/muety/wakapi:2.12.2"; - volumes = [ - "/srv/wakapi:/data" - ]; environment = { WAKAPI_DB_TYPE = "postgres"; @@ -50,6 +47,10 @@ in { ]; user = "${builtins.toString UID}"; + + extraOptions = [ + "--mount=type=bind,source=/srv/wakapi,target=/data" + ]; }; systemd.tmpfiles.rules = [ diff --git a/services/geesefs.nix b/services/geesefs.nix index b6709cd..11af20a 100644 --- a/services/geesefs.nix +++ b/services/geesefs.nix 
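Review bot: In the verdaccio hunk `config.desu.secrets.verdaccio-htpasswd.path` is still bound through `volumes` without `:ro` in the context line above the change, while the kanidm secrets migrated in this same commit were given `readonly`; verdaccio only writes that file when self-registration is enabled (`auth.htpasswd.max_users` in `config.yaml`, not visible here). If registration is off, move it to the same form as the storage mounts, `"--mount=type=bind,source=${config.desu.secrets.verdaccio-htpasswd.path},target=/verdaccio/htpasswd,readonly"`, so a compromised registry process cannot rewrite its own credential store. `/srv/verdaccio/plugins` is executable code loaded by verdaccio and is mounted writable; if plugins are installed out-of-band, `readonly` there too limits what a compromised registry can persist. The container definition continues past the end of the hunk.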
@@ -48,7 +48,7 @@ Type = "forking"; GuessMainPID = true; ExecStart = "${cfg.package}/bin/geesefs ${builtins.concatStringsSep " " (map lib.escapeShellArg allArgs)}"; - ExecStop = "fusermount -u ${lib.escapeShellArg cfg.mountPoint}"; + ExecStop = "fusermount -uz ${lib.escapeShellArg cfg.mountPoint}"; Restart = "on-failure"; }; };
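Review bot: Switching to `fusermount -uz` makes `ExecStop` succeed as soon as the mountpoint is detached, not when the filesystem is released, so systemd proceeds to signal the remaining `geesefs` process in the unit's cgroup (default `KillMode=control-group`) while another mount namespace — a container holding a bind of `cfg.mountPoint`, as several in this commit do — may still have it busy; those processes then see I/O errors and anything geesefs had not yet flushed to S3 is at risk. A plain `-u` failing with EBUSY was presumably the trigger, and that is better addressed by ordering consumers to stop first (`docker-navidrome`/`docker-slskd` already declare `requires = [ "gocryptfs.service" ]`), keeping `-z` only as the fallback. At minimum add a comment on the line, e.g. `# lazy unmount: containers bind-mount this path and can keep it busy; dependents must stop first or in-flight uploads may be lost`, and consider a `TimeoutStopSec` long enough for geesefs to drain. The `serviceConfig` set this line belongs to starts before the hunk.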