Commit graph

15 commits

Author SHA1 Message Date
ff0c139dc8 Use the new authentik config pattern for setting listening addresses 2026-01-13 14:58:11 +00:00
b5defe1bf0 Add restic backup for all corp services 2026-01-12 00:49:27 +00:00
dad759c4b3 Add minio module for S3-compatible object storage
Label Studio _really_ prefers using a direct object storage model. Can't
say I blame them; it makes sense given they are running Python.

I had to bump Authentik to not use its default port so that minio could
use its own default port. That seemed safest given that Authentik is
always proxied but minio/S3 may _not_ be. I'm just not sure.
2025-10-03 15:01:36 +00:00
9020b3e6d5 Remove old commented-out authentik logic
This has been replaced with a separate authentik flake
2025-09-29 22:48:47 +00:00
2c101e6aaa Get cloudreve working on new corp with local database
This was a huge hassle. I really wanted to see it working under a
non-root user since it writes files, but that ended up being impossible
because of several bugs in podman's rootless integration with NixOS.
I've kept pieces of the logic around and commented out in case I can fix
it in the future as it would be more secure.

I also tried to connect to Postgres over the unix domain socket, but the
problem here is that the container is built to run as root and I'd need
to do some elaborate mapping of the root user inside the container, the
non-root user outside the container, and the Postgres auth scheme.

This would be great stuff to sort out, but I'm out of time now to work
on it.
2025-09-09 19:47:22 +00:00
4d5de177b5 Get authentik working on the new corp server without podman
The podman integration was pretty janky because it relied on running a
pod and the NixOS integration with pods is essentially non-existent.
This led to issues with the port being improperly forwarded when
partially restarted.

Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
2025-09-09 15:03:43 +00:00
47056f3df8 Add initial authentik backup script
This includes a new paradigm for using a pgpass file, which is great, as
well as sorting out how to properly do a bash script shebang in a
service file.
2025-07-24 15:58:32 +00:00
a26ed33b42 Switch to caddy, remove onlyoffice, add collabora
Most things work on this commit, except the integration between
collabora and seafile. I think it might be related to the timezone
change I made and a lack of access_token being passed in the URL.

I'm going to test that with a reboot. But first, checkpoint!
2025-07-18 22:45:02 +00:00
71d8bff1e6 Enable redis within the authentik pod, add redis to corp
We put it in the pod because I don't know how to make it accessible to
things in the pod without binding all host addresses. There's probably a
sophisticated way to do it correctly, but I don't want to figure it out
yet.
2025-07-18 19:04:50 +00:00
29386d8f0d Create environment file correctly, reference correct services 2025-07-18 17:10:24 +00:00
3bd771709b Create required volume mount locations 2025-07-18 17:01:08 +00:00
6a4ec1f82b Don't use slirp4netns with rootful pod 2025-07-18 17:01:08 +00:00
bcd365fb44 Add authentik containers and pod 2025-07-18 17:01:08 +00:00
43cde1e2f4 Switch authentik env file to an actual env file
ini is not env.
2025-07-18 17:00:35 +00:00
9da3485bfd Add the authentik secrets to the authentik module 2025-07-18 15:55:17 +00:00