nixos-systems/modules/system/label-studio.nix

{ lib, config, nixpkgs, pkgs, ... }:
with lib;
{
	options.myModules.label-studio.enable = mkEnableOption "custom label-studio configuration";

	config = mkIf config.myModules.label-studio.enable {
		services.caddy.virtualHosts."label-studio.gleipnir.technology".extraConfig = ''
			reverse_proxy http://localhost:10070
		'';
		services.postgresql = {
			ensureDatabases = [ "label-studio" ];
			ensureUsers = [{
				ensureClauses.login = true;
				ensureDBOwnership = true;
				name = "label-studio";
			}];
		};
		services.restic.backups."label-studio-db" = {
			# We can use this due to overridding restic with unstable
			command = [
				"${lib.getExe pkgs.sudo}"
				"-u postgres"
				"${pkgs.postgresql}/bin/pg_dump label-studio"
			];
			environmentFile = "/var/run/secrets/restic-env";
			extraBackupArgs = [
				"--tag database"
			];
			passwordFile = "/var/run/secrets/restic-password";
			pruneOpts = [
				"--keep-daily 14"
				"--keep-weekly 4"
				"--keep-monthly 2"
				"--group-by tags"
			];
			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/label-studio";
		};
		services.restic.backups."label-studio-files" = {
			environmentFile = "/var/run/secrets/restic-env";
			extraBackupArgs = [
				"--tag files"
			];
			initialize = true;
			passwordFile = "/var/run/secrets/restic-password";
			paths = [
				"/mnt/bigdisk/label-studio"
			];
			repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/label-studio";
		};
		sops.secrets.label-studio-env = {
			format = "dotenv";
			group = "label-studio";
			mode = "0440";
			owner = "label-studio";
			restartUnits = ["podman-label-studio.service"];
			sopsFile = ../../secrets/label-studio.env;
		};
		systemd.tmpfiles.rules = [
			"d /mnt/bigdisk/label-studio 0755 label-studio label-studio"
		];
		virtualisation.oci-containers.containers.label-studio = {
			environmentFiles = [
				"/var/run/secrets/label-studio-env"
			];
			extraOptions = [
				"--userns=keep-id:uid=1001,gid=0"
			];
			image = "docker.io/heartexlabs/label-studio:1.22.0";
			ports = [ "127.0.0.1:10070:8080" ];
			volumes = [
				"/mnt/bigdisk/label-studio:/label-studio/data"
				"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
			];
		};
		users.groups.label-studio = {};
		users.users.label-studio = {
			uid = 1001;
			group = "label-studio";
			isSystemUser = true;
		};
	};
}
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`{ lib, config, nixpkgs, pkgs, ... }:`
			`with lib;`
			`{`
			`options.myModules.label-studio.enable = mkEnableOption "custom label-studio configuration";`

			`config = mkIf config.myModules.label-studio.enable {`
Set up reverse proxy, configure hostname It was rather rediculously hard to get the CSRF settings correct. I don't think I can register new users on anything but the commandline at this point via: podman exec -it podman-label-studio /bin/bash label-studio start --username <username> --password <password> Where <username> should actually be an email. 2025-10-01 18:40:39 +00:00			`services.caddy.virtualHosts."label-studio.gleipnir.technology".extraConfig = ''`
			`reverse_proxy http://localhost:10070`
			`'';`
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`services.postgresql = {`
			`ensureDatabases = [ "label-studio" ];`
			`ensureUsers = [{`
			`ensureClauses.login = true;`
			`ensureDBOwnership = true;`
			`name = "label-studio";`
			`}];`
			`};`
Add restic backup for all corp services 2026-01-12 00:48:54 +00:00			`services.restic.backups."label-studio-db" = {`
			`# We can use this due to overridding restic with unstable`
			`command = [`
			`"${lib.getExe pkgs.sudo}"`
			`"-u postgres"`
			`"${pkgs.postgresql}/bin/pg_dump label-studio"`
			`];`
			`environmentFile = "/var/run/secrets/restic-env";`
			`extraBackupArgs = [`
			`"--tag database"`
			`];`
			`passwordFile = "/var/run/secrets/restic-password";`
			`pruneOpts = [`
			`"--keep-daily 14"`
			`"--keep-weekly 4"`
			`"--keep-monthly 2"`
			`"--group-by tags"`
			`];`
			`repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/label-studio";`
			`};`
			`services.restic.backups."label-studio-files" = {`
			`environmentFile = "/var/run/secrets/restic-env";`
			`extraBackupArgs = [`
			`"--tag files"`
			`];`
			`initialize = true;`
			`passwordFile = "/var/run/secrets/restic-password";`
			`paths = [`
			`"/mnt/bigdisk/label-studio"`
			`];`
			`repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-corp/label-studio";`
			`};`
Connect label-studio to postgres 2025-10-01 18:20:13 +00:00			`sops.secrets.label-studio-env = {`
			`format = "dotenv";`
			`group = "label-studio";`
			`mode = "0440";`
			`owner = "label-studio";`
			`restartUnits = ["podman-label-studio.service"];`
			`sopsFile = ../../secrets/label-studio.env;`
			`};`
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`systemd.tmpfiles.rules = [`
			`"d /mnt/bigdisk/label-studio 0755 label-studio label-studio"`
			`];`
			`virtualisation.oci-containers.containers.label-studio = {`
Connect label-studio to postgres 2025-10-01 18:20:13 +00:00			`environmentFiles = [`
			`"/var/run/secrets/label-studio-env"`
			`];`
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`extraOptions = [`
			`"--userns=keep-id:uid=1001,gid=0"`
			`];`
Move to standard label-studio image It's got my fix incorporated, I think, so I don't have to build my custom image. 2026-01-13 16:55:34 +00:00			`image = "docker.io/heartexlabs/label-studio:1.22.0";`
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`ports = [ "127.0.0.1:10070:8080" ];`
			`volumes = [`
			`"/mnt/bigdisk/label-studio:/label-studio/data"`
			`"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"`
			`];`
			`};`
			`users.groups.label-studio = {};`
			`users.users.label-studio = {`
			`uid = 1001;`
			`group = "label-studio";`
			`isSystemUser = true;`
			`};`
			`};`
			`}`