Rebase to flake parts #9

modules/hosts/nix-server/_services/organizr.nix

@@ -0,0 +1,53 @@
+# Organizr — homelab dashboard (Docker). UI: http://<host>:8888
+# Official image: https://github.com/organizr/docker-organizr
+#
+# Wizard errors like "API … /default/ not writable" are almost always host permissions on
+# `/var/lib/organizr`: the first container run may leave root-owned files under `/config`.
+{ lib, pkgs, ... }:
+{
+  users.groups.organizr = { gid = 950; };
+  users.users.organizr = {
+    isSystemUser = true;
+    uid = 950;
+    group = "organizr";
+  };
+
+  systemd.tmpfiles.settings."nix-server-organizr-config" = {
+    "/var/lib/organizr"."d" = {
+      mode = "0755";
+      user = "organizr";
+      group = "organizr";
+    };
+  };
+
+  # Recursively reset ownership (handles root-owned files from an earlier container run).
+  systemd.tmpfiles.settings."nix-server-organizr-config-perms" = {
+    "/var/lib/organizr"."Z" = {
+      mode = "0755";
+      user = "organizr";
+      group = "organizr";
+    };
+  };
+
+  systemd.services.docker-organizr.preStart = lib.mkBefore ''
+    ${pkgs.coreutils}/bin/mkdir -p /var/lib/organizr
+    ${pkgs.coreutils}/bin/chown -R organizr:organizr /var/lib/organizr
+  '';
+
+  virtualisation.oci-containers.containers.organizr = {
+    image = "ghcr.io/organizr/organizr:latest";
+    ports = [ "8888:80" ];
+    volumes = [
+      "/var/lib/organizr:/config"
+    ];
+    environment = {
+      PUID = "950";
+      PGID = "950";
+      TZ = "America/Moncton";
+      # v2-master / master are stable v2; optional override:
+      # branch = "v2-master";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8888 ];
+}