this post was submitted on 12 Dec 2024
46 points (81.9% liked)

Selfhosted

40696 readers
414 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hello! πŸ˜€
I want to share my thoughts on docker and maybe discuss about it!
Since some months I started my homelab and as any good "homelabing guy" I absolutely loved using docker. Simple to deploy and everything. Sadly these days my mind is changing... I recently switch to lxc containers to make easier backup and the xperience is pretty great, the only downside is that not every software is available natively outside of docker πŸ™ƒ
But I switch to have more control too as docker can be difficult to set up some stuff that the devs don't really planned to.
So here's my thoughts and slowly I'm going to leave docker for more old-school way of hosting services. Don't get me wrong docker is awesome in some use cases, the main are that is really portable and simple to deploy no hundreds dependencies, etc. And by this I think I really found how docker could be useful, not for every single homelabing setup, and it's not my case.

Maybe I'm doing something wrong but I let you talk about it in the comments, thx.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 week ago (1 children)

I use podman using home-manager configs, I could run the services natively but currently I have a user for each service that runs the podman containers. This way each service is securely isolated from each other and the rest of the system. Maybe if/when NixOS supports good selinux rules I'll switch back to running it native.

[–] [email protected] 2 points 1 week ago (1 children)

This sounds great! I'd love to see your config. I'm not using home manager, but have 1 non root user for all podman containers. 1 user per service seems like a great setup.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago)

Yeah it works great and is very secure but every time I create a new service it's a lot of copy paste boilerplate, maybe I'll put most of that into a nix function at some point but until then here's an example n8n config, as loaded from the main nixos file.

I wrote this last night for testing purposes and just added comments, the config works but n8n uses sqlite and probably needs some other stuff that I hadn't had a chance to use yet so keep that in mind.
Podman support in home-manager is also really new and doesn't support pods (multiple containers, one loopback) and some other stuff yet, most of it can be compensated with the extraarguments but before this existed I used pure file definitions to write quadlet/systemd configs which was even more boilerplate but also mostly copypasta.

Gaze into the boilerplate

{ config, pkgs, lib, ... }:

{
    users.users.n8n = {
        # calculate sub{u,g}id using uid
        subUidRanges = [{
            startUid = 100000+65536*( config.users.users.n8n.uid - 999);
            count = 65536;
        }];
        subGidRanges = [{
            startGid = 100000+65536*( config.users.users.n8n.uid - 999);
            count = 65536;
        }];
        isNormalUser = true;
        linger = true; # start user services on system start, fist time start after `nixos-switch` still has to be done manually for some reason though
        openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; # allows the ssh keys that can login as root to login as this user too
    };
    home-manager.users.n8n = { pkgs, ... }:
    let
        dir = config.users.users.n8n.home;
        data-dir = "${dir}/${config.users.users.n8n.name}-data"; # defines the path "/home/n8n/n8n-data" using evaluated home paths, could probably remove a lot of redundant n8n definitions....
    in
    {
        home.stateVersion = "24.11";
        systemd.user.tmpfiles.rules =
        let
            folders = [
                "${data-dir}"
                #"${data-dir}/data-volume-name-one" 
            ];
            formated_folders = map (folder: "d ${folder} - - - -") folders; # a function that takes a path string and formats it for systemd tmpfiles such that they get created as folders
        in formated_folders;

        services.podman = {
            enable = true;
            containers = {
                n8n-app = { # define a container, service name is "podman-n8n-app.service" in case you need to make multiple containers depend and run after each other
                    image = "docker.n8n.io/n8nio/n8n";
                    ports = [
                        "${config.local.users.users.n8n.listenIp}:${toString config.local.users.users.n8n.listenPort}:5678" # I'm using a self defined option to keep track of all ports and uids in a seperate file, these values just map to "127.0.0.1:30023:5678", a caddy does a reverse proxy there with the same option as the port.
                    ];
                    volumes = [
                        "${data-dir}:/home/node/.n8n" # the folder we created above
                    ];
                    userNS = "keep-id:uid=1000,gid=1000"; # n8n stores files as non-root inside the container so they end up as some high uid outside and the user which runs these containers can't read it because of that. This maps the user 1000 inside the container to the uid of the user that's running podman. Takes a lot of time to generate the podman image for a first run though so make sure systemd doesn't time out
                    environment = {
                        # MYHORSE = "amazing";
                    };
                    # there's also an environmentfile option for secret management, which works with sops if you set the owner of the secret/secret template
                    extraPodmanArgs = [
                        "--pull=newer" # always pull newer images when starting, I could make this declaritive but I haven't found a good way to automagically update the container hashes in my nix config at the push of a button.
                    ];
                 # few more options exist that I didn't need here
                };
            };
        };
    };
}