nixos-systems/modules/system/label-studio.nix

{ lib, config, nixpkgs, pkgs, ... }:
with lib;
{
	options.myModules.label-studio.enable = mkEnableOption "custom label-studio configuration";

	config = mkIf config.myModules.label-studio.enable {
		services.postgresql = {
			ensureDatabases = [ "label-studio" ];
			ensureUsers = [{
				ensureClauses.login = true;
				ensureDBOwnership = true;
				name = "label-studio";
			}];
		};
		sops.secrets.label-studio-env = {
			format = "dotenv";
			group = "label-studio";
			mode = "0440";
			owner = "label-studio";
			restartUnits = ["podman-label-studio.service"];
			sopsFile = ../../secrets/label-studio.env;
		};
		systemd.tmpfiles.rules = [
			"d /mnt/bigdisk/label-studio 0755 label-studio label-studio"
		];
		virtualisation.oci-containers.containers.label-studio = {
			environmentFiles = [
				"/var/run/secrets/label-studio-env"
			];
			extraOptions = [
				"--userns=keep-id:uid=1001,gid=0"
			];
			image = "docker.io/heartexlabs/label-studio:1.21.0";
			ports = [ "127.0.0.1:10070:8080" ];
			volumes = [
				"/mnt/bigdisk/label-studio:/label-studio/data"
				"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"
			];
		};
		users.groups.label-studio = {};
		users.users.label-studio = {
			uid = 1001;
			group = "label-studio";
			isSystemUser = true;
		};
	};
}
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`{ lib, config, nixpkgs, pkgs, ... }:`
			`with lib;`
			`{`
			`options.myModules.label-studio.enable = mkEnableOption "custom label-studio configuration";`

			`config = mkIf config.myModules.label-studio.enable {`
			`services.postgresql = {`
			`ensureDatabases = [ "label-studio" ];`
			`ensureUsers = [{`
			`ensureClauses.login = true;`
			`ensureDBOwnership = true;`
			`name = "label-studio";`
			`}];`
			`};`
Connect label-studio to postgres 2025-10-01 18:20:13 +00:00			`sops.secrets.label-studio-env = {`
			`format = "dotenv";`
			`group = "label-studio";`
			`mode = "0440";`
			`owner = "label-studio";`
			`restartUnits = ["podman-label-studio.service"];`
			`sopsFile = ../../secrets/label-studio.env;`
			`};`
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`systemd.tmpfiles.rules = [`
			`"d /mnt/bigdisk/label-studio 0755 label-studio label-studio"`
			`];`
			`virtualisation.oci-containers.containers.label-studio = {`
Connect label-studio to postgres 2025-10-01 18:20:13 +00:00			`environmentFiles = [`
			`"/var/run/secrets/label-studio-env"`
			`];`
Add label-studio initial module To make this work I have to map to the user 1001 inside the container. I can't figure out how to do that intelligently after a bunch of experimenting. Instead I'm just creating a new user "label-studio" with uid 1001 and chowning the data directory to that user. This is very brittle. However, it's working, so I'm moving forward. 2025-10-01 18:06:35 +00:00			`extraOptions = [`
			`"--userns=keep-id:uid=1001,gid=0"`
			`];`
			`image = "docker.io/heartexlabs/label-studio:1.21.0";`
			`ports = [ "127.0.0.1:10070:8080" ];`
			`volumes = [`
			`"/mnt/bigdisk/label-studio:/label-studio/data"`
			`"/run/postgresql/.s.PGSQL.5432:/run/postgresql/.s.PGSQL.5432"`
			`];`
			`};`
			`users.groups.label-studio = {};`
			`users.users.label-studio = {`
			`uid = 1001;`
			`group = "label-studio";`
			`isSystemUser = true;`
			`};`
			`};`
			`}`