Label Studio _really_ prefers using a direct object storage model. Can't
say I blame them, it makes sense given they are running Python.
I had to bump Authentik to not use its default port so that minio could
use its own default port. That seemed safest given that Authentik is
always proxied but minio/S3 may _not_ be. I'm just not sure.
It was rather rediculously hard to get the CSRF settings correct. I
don't think I can register new users on anything but the commandline at
this point via:
podman exec -it podman-label-studio /bin/bash
label-studio start --username <username> --password <password>
Where <username> should actually be an email.
To make this work I have to map to the user 1001 inside the container.
I can't figure out how to do that intelligently after a bunch of
experimenting. Instead I'm just creating a new user "label-studio" with
uid 1001 and chowning the data directory to that user.
This is very brittle.
However, it's working, so I'm moving forward.
The previous version only cleaned up previous backups because it was
missing a path or a set of dynamic files which is a feature for doing
cleanup. Instead I backported the unstable version so I could use
stdin-from-commend. Tested now and the upload completed.
I'm hoping this won't mess with the timer logic. For now, it drives me
nuts I'm waiting for timeout or completion of the export process, which
is slow.
This currently has the architecture hard-coded. That's bad, but nix is
hard, and there's probably a much better way to integrate this into the
system when I can be bothered to do it.
This was a huge hassle. I really wanted to see it working under a
non-root user since it writes files, but that ended up being impossible
because of several bugs in podman's rootless integration with NixOS.
I've kept pieces of the logic around and commented out in case I can fix
it in the future as it would be more secure.
I also tried to connect to Postgres over the unix domain socket, but the
problem here is that the container is built to run as root and I'd need
to do some elaborate mapping of the root user inside the container, the
non-root user outside the container, and the Postgres auth scheme.
This would be great stuff to sort out, but I'm out of time now to work
on it.
I move the secrets file to be more consistent with the naming.
I removed parts of the postgres config that is no longer needed now that
the database is running locally.
The podman integration was pretty janky because it relied on running a
pod and the NixOS integration with pods are essentially non-existent.
This led to issues with the port being improperly forwarded when
partially restarted.
Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
At this point the new Nocix server is working (I'm writing this commit
on that machine) so I can clean up the various experiments and commit to
the more generalized configuration as it stands
This is...a big change. If I run this on the old corp server it will
break a lot, LOT of stuff. So don't do that. This is also the first time
I'm attempting to use disko to fully define a server in a single step
rather than as a bootstrapping step.
This involves renaming the disks because when I rebooted the VM the disk
names changed. I also made the root disk just 50G and put the rest in
/var, as well as formatting and mounting the big rust disk.
This is based on a discussion here:
https://github.com/nix-community/disko/issues/889
Had to do it since the last one didn't even build and was based on a
cobbling of LLM (Claude) assistance, reading example files, and reading
the disko module definition file.
