Add update-containers script to manage Docker image updates

- Remove static host mappings from networking config
- Add reverse proxy settings for multiple subdomains
- Introduce DNSMASQ configuration with custom DNS records and firewall rules
- Update firewall UDP port settings and system stateVersion

flake.lock

@@ -180,11 +180,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1743550720,
+        "lastModified": 1748821116,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
         "type": "github"
       },
       "original": {
@@ -402,11 +402,11 @@
     },
     "hardware": {
       "locked": {
-        "lastModified": 1748634340,
+        "lastModified": 1749195551,
-        "narHash": "sha256-pZH4bqbOd8S+si6UcfjHovWDiWKiIGRNRMpmRWaDIms=",
+        "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "daa628a725ab4948e0e2b795e8fb6f4c3e289a7a",
+        "rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
         "type": "github"
       },
       "original": {
@@ -443,11 +443,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748830238,
+        "lastModified": 1749483884,
-        "narHash": "sha256-EB+LzYHK0D5aqxZiYoPeoZoOzSAs8eqBDxm3R+6wMKU=",
+        "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c7fdb7e90bff1a51b79c1eed458fb39e6649a82a",
+        "rev": "74d196c9943a67908d1883f61154e594d03863e5",
         "type": "github"
       },
       "original": {
@@ -529,11 +529,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748743761,
+        "lastModified": 1749348095,
-        "narHash": "sha256-wodNEYzhBzsdfp5ggAsuJaTCLo3S9cwH7Svni1lgvwo=",
+        "narHash": "sha256-4KaUocEPNoU6gpFE6WPLMvMK5tmvJyc0qf84Mp8Chlw=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "0f75191a5c244a38192c7587da7c3f04d35c5938",
+        "rev": "4221d80488883c40003f0704af78699a583f0c9f",
         "type": "github"
       },
       "original": {
@@ -583,11 +583,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1743296961,
+        "lastModified": 1748740939,
-        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "rev": "656a64127e9d791a334452c6b6606d17539476e2",
         "type": "github"
       },
       "original": {
@@ -598,11 +598,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1748421225,
+        "lastModified": 1749173751,
-        "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=",
+        "narHash": "sha256-ENY3y3v6S9ZmLDDLI3LUT8MXmfXg/fSt2eA4GCnMVCE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b",
+        "rev": "ed29f002b6d6e5e7e32590deb065c34a31dc3e91",
         "type": "github"
       },
       "original": {
@@ -614,11 +614,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1748693115,
+        "lastModified": 1749285348,
-        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
+        "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
+        "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
         "type": "github"
       },
       "original": {
@@ -630,11 +630,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1748693115,
+        "lastModified": 1749285348,
-        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
+        "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
+        "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
         "type": "github"
       },
       "original": {
@@ -884,11 +884,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1748887638,
+        "lastModified": 1749481862,
-        "narHash": "sha256-AExfT8rMb6Ya37Gm3dimm+e4eeLGzya55JS6VWb3nfQ=",
+        "narHash": "sha256-CXZL1Kt4rP1SAQhT4wCM207pcjkTeZMza9iIVFKV71c=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "3ca2c4478a1e984d2007c57467c6986bcdcb2629",
+        "rev": "d73d8f6a4834716496bf8930a492b115cc3d7d17",
         "type": "github"
       },
       "original": {
@@ -1152,11 +1152,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748849057,
+        "lastModified": 1748932406,
-        "narHash": "sha256-ih5wxfFGg+0FDTFcoNftV4WaKQwtSEgrCo6widpbazk=",
+        "narHash": "sha256-KcZKPfLL7Bcjps60+JJEsiJLkOkes3wdR+bJxR27I3s=",
         "ref": "refs/heads/main",
-        "rev": "05b214e6cd8721b14db8cd93272fc81965212b6d",
+        "rev": "71ffb0166eaa71df9149fe9a293cf75d238bbe30",
-        "revCount": 13,
+        "revCount": 14,
         "type": "git",
         "url": "https://git.ryot.foo/toph/yay.nix.git"
       },
@@ -1172,11 +1172,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748837535,
+        "lastModified": 1748971473,
-        "narHash": "sha256-fn9n5rHrnV83v5y7DCS3uRWIdOab2hkAhfFTrjSg/gg=",
+        "narHash": "sha256-0Xh6sZI86Ops6u7wyDQlVvV+MvRRXIDb1r3sMnLNk9M=",
         "owner": "youwen5",
         "repo": "zen-browser-flake",
-        "rev": "9a3d6741f1324f47c27fb6aede05fbcbdefeadc9",
+        "rev": "5cc269976ca876674d8ccc7f40debb61e05583ab",
         "type": "github"
       },
       "original": {

hosts/global/common/docker.nix

@@ -1,4 +1,26 @@
 { pkgs, ... }:
+let
+  update-containers = pkgs.writeShellScriptBin "update-containers" ''
+    SUDO=""
+    if [[ $(id -u) -ne 0 ]]; then
+      SUDO="sudo"
+    fi
+
+    # Get all unique images from running and stopped containers
+    images=$($SUDO ${pkgs.docker}/bin/docker ps -a --format="{{.Image}}" | sort -u)
+
+    echo "Found images to update:"
+    echo "$images"
+
+    for image in $images
+    do
+      echo "Pulling $image..."
+      $SUDO ${pkgs.docker}/bin/docker pull $image
+    done
+
+    echo "Container image updates complete!"
+  '';
+in
 {
   virtualisation = {
     docker = {
@@ -10,5 +32,6 @@
 
   environment.systemPackages = with pkgs; [
     lazydocker # Simple TUI
+    update-containers
   ];
 }

hosts/global/common/system/pool.nix

@@ -45,6 +45,10 @@ in
         "noatime"
         "nofail"
         "sec=sys"
+        "noac" # Disable attribute caching
+        "lookupcache=none" # Disable lookup caching
+        "intr" # Allow interruption
+        "hard" # Hard mount (retry on failure)
       ];
     };
   };
@@ -55,7 +59,7 @@ in
 
   services.nfs.idmapd.settings = {
     General = {
-      Domain = "local"; # Must match on server and client
+      Domain = "ryot.local"; # Must match on server and client
       Verbosity = 0;
     };
   };

hosts/global/core/networking.nix

@@ -12,16 +12,5 @@
     useDHCP = lib.mkDefault true;
     useHostResolvConf = false;
     usePredictableInterfaceNames = true;
-
-    hosts = {
-      "104.40.3.1" = [ "opn" ];
-      "104.40.3.3" = [ "pve" ];
-      "104.40.3.24" = [ "cloud" ];
-      "104.40.3.34" = [ "proxy" ];
-      "104.40.3.44" = [ "komodo" ];
-      "104.40.3.54" = [ "nix" ];
-      "104.40.4.1" = [ "opn" ];
-      "104.40.4.7" = [ "rune" ];
-    };
   };
 }

hosts/nixos/cloud/config/nfs.nix

@@ -5,7 +5,7 @@
 
     exports = ''
       # Pool export - seen as root '/' by the client
-      /pool *(rw,insecure,no_subtree_check,no_root_squash,fsid=0,anonuid=1000,anongid=1004)
+      /pool *(rw,insecure,no_subtree_check,no_root_squash,fsid=0,anonuid=1000,anongid=1004,async,no_wdelay)
     '';
 
     extraNfsdConfig = "vers=4,4.1,4.2";
@@ -15,7 +15,7 @@
   # services.rpcbind.enable = true;
   services.nfs.idmapd.settings = {
     General = {
-      Domain = "local";
+      Domain = "ryot.local";
       Verbosity = 0;
     };
   };

hosts/nixos/cloud/hardware.nix

@@ -28,6 +28,7 @@ in
         "allow_other"
         "minfreespace=50G"
         "fsname=mergerfs"
+        "func.getattr=newest"
         "category.create=mfs"
         "nfsopenhack=all"
         "nonempty"

hosts/nixos/komo/config/authentik/default.nix

@@ -6,7 +6,7 @@
   ...
 }:
 let
-  # Only available in the Komodo LXC
+  # Only available in the Komo LXC
   DockerStorage = "/mnt/DockerStorage/komodo/stacks/authentik";
   env = config.secretsSpec.docker.authentik;
 in
@@ -94,7 +94,7 @@ in
     ];
   };
   virtualisation.oci-containers.containers."authentik-server" = {
-    image = "ghcr.io/goauthentik/server:2024.12.2";
+    image = "ghcr.io/goauthentik/server:2025.6.1";
     environment = env;
     volumes = [
       "${DockerStorage}/custom-templates:/templates:rw"
@@ -136,7 +136,7 @@ in
     ];
   };
   virtualisation.oci-containers.containers."authentik-worker" = {
-    image = "ghcr.io/goauthentik/server:2024.12.2";
+    image = "ghcr.io/goauthentik/server:2025.6.1";
     environment = env;
     volumes = [
       "${DockerStorage}/certs:/certs:rw"

hosts/nixos/komo/config/caddy.nix

@@ -64,13 +64,6 @@
         '';
       };
 
-      "mail.ryot.foo" = {
-        useACMEHost = "ryot.foo";
-        extraConfig = ''
-          reverse_proxy localhost:9002
-        '';
-      };
-
       "map.ryot.foo" = {
         useACMEHost = "ryot.foo";
         extraConfig = ''
@@ -91,13 +84,6 @@
           reverse_proxy localhost:3000 
         '';
       };
-
-      "upsnap.ryot.foo" = {
-        useACMEHost = "ryot.foo";
-        extraConfig = ''
-          reverse_proxy localhost:8090
-        '';
-      };
     };
   };
 }

hosts/nixos/komo/default.nix

@@ -1,6 +1,6 @@
 ###############################################################
 #
-#  Komodo - LXC Container
+#  Komo - LXC Container
 #  NixOS container, Ryzen 5 5600G (12 Cores), 30GB/2GB RAM/SWAP
 #
 #  Docker Environment, Managed by with Komodo
@@ -16,11 +16,11 @@
 let
   username = "toph";
   user = config.secretsSpec.users.${username};
-  firewall = config.secretsSpec.firewall.komodo;
+  firewall = config.secretsSpec.firewall.komo;
 in
 {
   imports = lib.flatten [
-    ## Komodo Only ##
+    ## Komo Only ##
     ./config
 
     ## Hardware ##
@@ -38,7 +38,7 @@ in
 
   ## Host Specifications ##
   hostSpec = {
-    hostName = "komodo";
+    hostName = "komo";
     username = username;
     hashedPassword = user.hashedPassword;
     email = user.email;

hosts/nixos/proxy/config/caddy.nix

@@ -8,6 +8,58 @@
           reverse_proxy localhost:14333
         '';
       };
+
+      ## openWRT ##
+
+      "wrt.ryot.foo" = {
+        useACMEHost = "ryot.foo";
+        extraConfig = ''
+          reverse_proxy http://104.40.3.1 {
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Port {server_port}
+          }
+        '';
+      };
+
+      ## PROXMOX NODES ##
+
+      "ochre.ryot.foo" = {
+        useACMEHost = "ryot.foo";
+        extraConfig = ''
+          reverse_proxy https://104.40.3.2:8006 {
+            transport http {
+              tls_insecure_skip_verify
+              # optional: tls_server_name 104.40.3.2
+            }
+            # ensure Proxmox sees the right Host
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Port {server_port}
+          }
+        '';
+      };
+
+      "pve.ryot.foo" = {
+        useACMEHost = "ryot.foo";
+        extraConfig = ''
+          reverse_proxy https://104.40.3.3:8006 {
+            transport http {
+              tls_insecure_skip_verify
+              # optional: tls_server_name 104.40.3.3
+            }
+            header_up Host {host}
+            header_up X-Real-IP {remote}
+            header_up X-Forwarded-For {remote}
+            header_up X-Forwarded-Proto {scheme}
+            header_up X-Forwarded-Port {server_port}
+          }
+        '';
+      };
     };
   };
 }

hosts/nixos/proxy/config/dnsmasq.nix

@@ -0,0 +1,65 @@
+{
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      # Listen on eth0 for external clients and lo for local host
+      interface = [
+        "eth0"
+        "lo"
+      ];
+
+      no-hosts = true;
+      no-resolv = true;
+
+      server = [
+        "104.40.3.1" # Query openWRT first for non-ryot.foo domains
+        "1.1.1.1" # Fallback public DNS
+        "1.0.0.1" # Fallback public DNS
+        "8.8.8.8" # Fallback public DNS
+      ];
+
+      address = [
+
+        ## CLOUD ##
+        "/drive.ryot.foo/104.40.3.24"
+
+        ## PROXY ##
+        "/cloudflared.ryot.foo/104.40.3.34"
+        "/ochre.ryot.foo/104.40.3.34"
+        "/pve.ryot.foo/104.40.3.34"
+        "/wrt.ryot.foo/104.40.3.34"
+
+        ## KOMO ##
+        "/auth.ryot.foo/104.40.3.44"
+        "/frp.ryot.foo/104.40.3.44"
+        "/git.ryot.foo/104.40.3.44"
+        "/grafana.ryot.foo/104.40.3.44"
+        "/home.ryot.foo/104.40.3.44"
+        "/influx.ryot.foo/104.40.3.44"
+        "/komodo.ryot.foo/104.40.3.44"
+        "/mail.ryot.foo/104.40.3.44"
+        "/map.ryot.foo/104.40.3.44"
+        "/outline.ryot.foo/104.40.3.44"
+        "/plane.ryot.foo/104.40.3.44"
+
+        ## SOCK ##
+        "/upsnap.ryot.foo/104.40.3.54"
+        "/sock.ryot.foo/104.40.3.54"
+
+      ];
+
+      cache-size = 1000;
+
+      # Log queries for debugging (optional)'
+      # log-queries = true;
+    };
+  };
+
+  networking = {
+    # Open DNS port in firewall
+    firewall = {
+      allowedTCPPorts = [ 53 ];
+      allowedUDPPorts = [ 53 ];
+    };
+  };
+}

hosts/nixos/proxy/default.nix

@@ -52,6 +52,7 @@ in
   networking = {
     enableIPv6 = false;
     firewall.allowedTCPPorts = firewall.allowedTCPPorts;
+    firewall.allowedUDPPorts = firewall.allowedUDPPorts;
   };
 
   ## System-wide packages ##
@@ -67,5 +68,5 @@ in
   };
 
   # https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.05";
 }

hosts/nixos/sock/config/caddy.nix

@@ -0,0 +1,20 @@
+{
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "upsnap.ryot.foo" = {
+        useACMEHost = "ryot.foo";
+        extraConfig = ''
+          reverse_proxy localhost:8090
+        '';
+      };
+
+      "sock.ryot.foo" = {
+        useACMEHost = "ryot.foo";
+        extraConfig = ''
+          reverse_proxy localhost:9120
+        '';
+      };
+    };
+  };
+}

hosts/nixos/sock/config/komodo.nix

@@ -7,7 +7,7 @@
 }:
 let
   # Only available in the Sock LXC
-  DockerStorage = "/OchreStorage/komodo";
+  OchreStorage = "/OchreStorage/komodo";
   env = config.secretsSpec.docker.komodo-sock;
 in
 {
@@ -16,7 +16,7 @@ in
     image = "ghcr.io/moghtech/komodo-core:latest";
     environment = env;
     volumes = [
-      "${DockerStorage}/cache:/repo-cache:rw"
+      "${OchreStorage}/cache:/repo-cache:rw"
     ];
     ports = [
       "9120:9120/tcp"
@@ -62,8 +62,8 @@ in
     image = "mongo";
     environment = env;
     volumes = [
-      "${DockerStorage}/mongo/config:/data/configdb:rw"
+      "${OchreStorage}/mongo/config:/data/configdb:rw"
-      "${DockerStorage}/mongo/data:/data/db:rw"
+      "${OchreStorage}/mongo/data:/data/db:rw"
     ];
     cmd = [
       "--quiet"
@@ -111,9 +111,9 @@ in
     volumes = [
       "/proc:/proc:rw"
       "/var/run/docker.sock:/var/run/docker.sock:rw"
-      "${DockerStorage}/repos:/etc/komodo/repos:rw"
+      "${OchreStorage}/repos:/etc/komodo/repos:rw"
-      "${DockerStorage}/ssl:/etc/komodo/ssl:rw"
+      "${OchreStorage}/ssl:/etc/komodo/ssl:rw"
-      "${DockerStorage}/stacks:${DockerStorage}/stacks:rw"
+      "${OchreStorage}/stacks:${OchreStorage}/stacks:rw"
     ];
     ports = [
       "8120:8120/tcp"

hosts/nixos/sock/hardware.nix

@@ -1,6 +1,7 @@
 {
   lib,
   config,
+  pkgs,
   ...
 }:
 let
@@ -15,7 +16,35 @@ in
   ];
 
   # Ochre has no access to PVE DockerStorage, so sock will have its own storage
-  systemd.user.tmpfiles.rules = [
+  systemd.tmpfiles.rules = [
-    "d /OchreStorage 2775 ${username} ryot -"
+    # Create directory with setgid bit and proper ownership
+    "d /OchreStorage 2775 1000 1004 -"
   ];
+
+  # Use systemd service to ensure proper permissions with ACLs
+  systemd.services.ochre-storage-permissions = {
+    description = "Set proper permissions for OchreStorage";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "local-fs.target" ];
+    path = with pkgs; [
+      acl
+      coreutils
+    ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      # Ensure directory exists and has correct ownership/permissions
+      mkdir -p /OchreStorage
+      chown 1000:1004 /OchreStorage
+      chmod 2775 /OchreStorage
+
+      # Set default ACLs to ensure all new files/folders inherit 1000:1004
+      setfacl -d -m u:1000:rwx /OchreStorage
+      setfacl -d -m g:1004:rwx /OchreStorage
+    '';
+  };
+
+  environment.systemPackages = with pkgs; [ acl ];
 }

pkgs/microsoft-edit/package.nix

@@ -1,9 +1,11 @@
 {
   lib,
+  stdenv,
   rustPlatform,
   fetchFromGitHub,
   versionCheckHook,
   nix-update-script,
+  icu,
 }:
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "microsoft-edit";
@@ -26,6 +28,22 @@ rustPlatform.buildRustPackage (finalAttrs: {
     ./write-filled-fix.patch
   ];
 
+  buildInputs = [
+    icu
+  ];
+
+  postFixup =
+    let
+      rpathAppend = lib.makeLibraryPath [ icu ];
+    in
+    lib.optionalString stdenv.hostPlatform.isElf ''
+      patchelf $out/bin/edit \
+        --add-rpath ${rpathAppend}
+    ''
+    + lib.optionalString stdenv.hostPlatform.isDarwin ''
+      ${stdenv.cc.targetPrefix}install_name_tool -add_rpath ${rpathAppend} $out/bin/edit
+    '';
+
   # Disabled for now, microsoft/edit#194
   doInstallCheck = false;
   nativeInstallCheckInputs = [ versionCheckHook ];
@@ -47,5 +65,6 @@ rustPlatform.buildRustPackage (finalAttrs: {
     changelog = "https://github.com/microsoft/edit/releases/tag/v${finalAttrs.version}";
     license = lib.licenses.mit;
     maintainers = with lib.maintainers; [ RossSmyth ]; # https://github.com/NixOS/nixpkgs/pull/409075
+    platforms = lib.platforms.all;
   };
 })