This is merged between the existing sync system and the existing
nixos-anywhere definition for amd-legacy-hexcore. I'm going to attempt
to bring in a new pattern.
Label Studio _really_ prefers using a direct object storage model. Can't
say I blame them, it makes sense given they are running Python.
I had to bump Authentik to not use its default port so that minio could
use its own default port. That seemed safest given that Authentik is
always proxied but minio/S3 may _not_ be. I'm just not sure.
To make this work I have to map to the user 1001 inside the container.
I can't figure out how to do that intelligently after a bunch of
experimenting. Instead I'm just creating a new user "label-studio" with
uid 1001 and chowning the data directory to that user.
This is very brittle.
However, it's working, so I'm moving forward.
The podman integration was pretty janky because it relied on running a
pod and the NixOS integration with pods are essentially non-existent.
This led to issues with the port being improperly forwarded when
partially restarted.
Now instead I use a flake dedicated to running authentik. This allows me
to specify some of the config in the module directly and some in
secrets, which is really nice. I've additionally added some changes to
the listen address so that the service isn't exposed over public IP
addresses.
At this point the new Nocix server is working (I'm writing this commit
on that machine) so I can clean up the various experiments and commit to
the more generalized configuration as it stands
This is...a big change. If I run this on the old corp server it will
break a lot, LOT of stuff. So don't do that. This is also the first time
I'm attempting to use disko to fully define a server in a single step
rather than as a bootstrapping step.
All of this is redundant and defined in other modules, as it should be.
From here we can start building up what makes sync unique rather than
copy-pasting.
With these changes I have librechat running and being properly
reverse-proxied and I can login via SSO. I was not able to get a
reasonable response yet from Claude.
Most things work on this commit, except the integration between
collabora and seafile. I think it might be related to the timezone
change I made and a lack of access_token being passed in the URL.
I'm going to test that with a reboot. But first, checkpoint!
We put it in the pod because I don't know how to make it accessible to
things in the bod without binding all host addresses. There's probably a
sophisticated way to do it correctly, but I don't want to figure it out
yet.
