this post was submitted on 17 May 2025
30 points (96.9% liked)

Selfhosted


Hi everyone!

I'm in the process of finally doing containers right in my NixOS installation. This is my 'wishlist':

  • podman containers should be run by users with minimal permissions
  • separate user per container
  • containers managed by systemd services for easier management

My current work-in-progress setup looks like this:

For each service (called $name), I have:

  • a user and corresponding group (referred to as $uid in the following)
  • a directory /srv/$name owned by $uid, in which mounted volumes are located

My containers are declared like this:

virtualisation.oci-containers.containers = {
    ${name} = {
        image = ...;
        ports = [ ... ];
        volumes = [
            "/srv/${name}/config:/config"
            ...
        ];
        # uid:gid is passed to podman --user and must be a string
        user = "${uid}:${gid}";
        extraOptions = [
            "--security-opt=no-new-privileges:true"
        ];
    };
};

Now for the parts I don't fully understand yet:

  • some images allow setting environment.PUID to specify a user. Does setting this option (and not setting user=$uid in the container declaration itself) mean that the container will be run as root, and the program inside will merely use PUID when e.g. creating files? This would still allow a malicious container to run commands as root on the host, right?

  • virtualisation.oci-containers.containers creates a systemd service. Since this is not a user-service for my user $uid, I need sudo to start/stop the container. Does that mean that the systemd service is run with root permissions, but it executes the command to spawn the container as $uid? If whatever is running inside the container was malicious, is there a functional difference between the container being started 'by root as $uid' and it being started by me (after logging in as $uid)?

  • Is it feasible to make these systemd services user-services owned by $uid instead?

  • Are there further hardening steps I forgot about?

Thanks for your input!
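As an added example (not from the original post, and not NixOS's own documentation), here is one complete declaration along the lines of the wishlist above: a dedicated system user per service, a volume directory owned by that user, and a container started directly as that uid instead of relying on an entrypoint that starts as root and later drops to PUID/PGID. The service name "myservice", uid 1500, the image name and the port are constructed placeholders; everything else uses NixOS options and podman flags that exist as written.

```nix
# Added example, not part of the original post. Assumes the NixOS
# virtualisation.oci-containers module with the podman backend.
{ config, pkgs, ... }:

let
  name = "myservice";   # placeholder service name (constructed)
  uid = 1500;           # placeholder uid/gid (constructed)
in
{
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # Dedicated system user and group: no login shell, no home directory.
  users.groups.${name}.gid = uid;
  users.users.${name} = {
    isSystemUser = true;
    group = name;
    uid = uid;
  };

  # Volume directory owned by the service user, created at activation time
  # so the container never needs root to create it.
  systemd.tmpfiles.rules = [
    "d /srv/${name}        0750 ${name} ${name} -"
    "d /srv/${name}/config 0750 ${name} ${name} -"
  ];

  virtualisation.oci-containers.containers.${name} = {
    image = "docker.io/library/example:latest";   # placeholder image (constructed)
    ports = [ "127.0.0.1:8080:8080" ];            # bind to loopback only
    volumes = [ "/srv/${name}/config:/config" ];

    # Start the main process as this uid:gid from the first instruction on.
    # Images that honour PUID/PGID instead start their entrypoint as root
    # and switch later; with --user there is no root phase inside the container.
    user = "${toString uid}:${toString uid}";

    extraOptions = [
      "--security-opt=no-new-privileges:true"  # setuid binaries cannot regain privileges
      "--cap-drop=ALL"                         # no capabilities at all
      "--read-only"                            # immutable root fs; writable paths come from volumes
      "--tmpfs=/tmp"                           # scratch space for images that need /tmp
    ];
  };
}
```

The unit this generates (`podman-myservice.service`) is still a system service run by root, and with the rootful podman backend container uid 1500 is host uid 1500 with no further remapping; `user` therefore limits what the process inside the container is on the host, but it does not make the podman invocation itself unprivileged. `--read-only` and `--cap-drop=ALL` are the two options most likely to need loosening for a given image (a writable path, or a single capability added back with `--cap-add`), so check the container logs after the first start.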

[–] ReedReads@lemmy.zip 4 points 1 month ago (2 children)

What services are you running in your pods/containers? Are they local applications like libreoffice or are they network accessible in the more traditional style? What’s the advantage to running a podman container on your machine vs a Flatpak container?

Sorry for all the questions. This is an interesting setup and I’m just really curious.

[–] ftbd@feddit.org 4 points 1 month ago (1 children)

These containers are running on various servers I have at home, not on a desktop machine. I use podman as an alternative to docker, because it's fully libre and does not require running containers as root. To be honest, I've never thought about running flatpak containers for these kinds of services – do you have a setup like this that you want to share?

[–] ReedReads@lemmy.zip 1 points 1 month ago* (last edited 1 month ago) (1 children)

That makes sense. I’ve always thought of NixOS as a desktop distro, not as a server. Guess I need to expand my thinking!

I run Fedora Server with podman and docker side by side. I try to use podman whenever possible but sometimes it’s not worth the hassle so that’s when it becomes a docker container 😬

[–] ftbd@feddit.org 2 points 1 month ago

I'd say NixOS is great for servers, mostly. Only having to worry about certain things (secure boot with custom keys, FDE, partition layout, network, sshd, firejail, etc.) once, and then replicating the same setup on another machine is waaay more convenient than going "I wonder what I was thinking when setting up this machine" once in a while when looking at some machine again you haven't touched in some time. When it comes to desktop usage, the whole thing does not feel as magical - configuring system options in e.g. KDE is still a lot of clicking around in a GUI. I still use it for my desktop machine, just so I don't have to think about another distro.