feat(docker): arion -> khepri

apps/update/default.nix

@@ -22,7 +22,7 @@ in
     npmDepsHash = "sha256-qpnQSJNl68LrsU8foJYxdBXpoFj7VKQahC9DFmleWTs=";
 
     runtimeInputs = [
-      (callPackage ../../modules/arion/updateImage.nix {})
+      (callPackage ../../modules/docker/updateImage.nix {})
       mozilla-addons-to-nix.packages.${system}.default
     ];
     nativeBuildInputs = [makeWrapper];

apps/update/src/misc.ts

@@ -30,7 +30,7 @@ export const updateFlakeInputs = () => {
 export const updateDocker = () => {
     let updates = '';
 
-    const FILE = `${FLAKE}/devices/nos/modules/arion`;
+    const FILE = `${FLAKE}/devices/nos/modules/docker`;
 
     readdirSync(FILE, { withFileTypes: true, recursive: true }).forEach((path) => {
         if (path.name === 'compose.nix') {

common/default.nix

@@ -16,7 +16,6 @@
 
     home-manager.nixosModules.home-manager
 
-    ../modules/arion
     ../modules/borgbackup
   ];
 

devices/nos/default.nix

@@ -1,4 +1,8 @@
-{config, ...}: let
+{
+  config,
+  self,
+  ...
+}: let
   inherit (config.vars) mainUser hostName;
 in {
   # ------------------------------------------------
@@ -11,12 +15,14 @@ in {
     ../../modules/sshd.nix
     ../../modules/tailscale.nix
 
-    ./modules/arion
+    ./modules/docker
     ./modules/jellyfin
     ./modules/mergerfs.nix
     ./modules/qbittorrent
     ./modules/snapraid.nix
     ./modules/subtitles
+
+    self.nixosModules.docker
   ];
 
   # State Version: DO NOT CHANGE

devices/nos/modules/docker/default.nix

@@ -1,5 +1,5 @@
 {...}: let
-  configPath = "/var/lib/arion";
+  configPath = "/var/lib/docker";
 in {
   imports = [
     ./forgejo/compose.nix
@@ -24,13 +24,11 @@ in {
     ./media/sonarr/compose.nix
   ];
 
-  arion = {
+  khepri = {
-    enable = true;
     rwDataDir = configPath;
   };
 
-  services.borgbackup.configs.arion = {
+  services.borgbackup.configs.docker = {
     paths = [configPath];
-    exclude = ["**/lineageos*"];
   };
 }

devices/nos/modules/docker/forgejo/compose.nix

@@ -1,12 +1,16 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   inherit (config.sops) secrets;
-  inherit (config.arion) rwDataDir;
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/forgejo";
 in {
-  arion.projects."forgejo" = {
+  khepri.compositions."forgejo".services = {
     "forgejo" = {
-      image = ./images/forgejo.nix;
+      image = import ./images/forgejo.nix pkgs;
 
       ports = [
         # Redirect WAN port 22 to this port
@@ -15,9 +19,9 @@ in {
       ];
 
       restart = "always";
-      depends_on = ["forgejo-db"];
+      dependsOn = ["forgejo-db"];
 
-      env_file = [secrets.forgejo.path];
+      environmentFiles = [secrets.forgejo.path];
       environment = {
         APP_NAME = "Gitea";
 
@@ -27,8 +31,8 @@ in {
 
         ROOT_URL = "https://git.nelim.org";
         SSH_DOMAIN = "git.nelim.org";
-        SSH_PORT = 22;
+        SSH_PORT = "22";
-        HTTP_PORT = 3000;
+        HTTP_PORT = "3000";
       };
 
       volumes = [
@@ -39,32 +43,31 @@ in {
     };
 
     "forgejo-db" = {
-      image = ./images/postgres.nix;
+      image = import ./images/postgres.nix pkgs;
 
       restart = "always";
 
-      env_file = [secrets.forgejo-db.path];
+      environmentFiles = [secrets.forgejo-db.path];
 
       volumes = ["${rwPath}/db:/var/lib/postgresql/data"];
     };
 
     "act_runner" = {
-      image = ./images/act_runner.nix;
+      image = import ./images/act_runner.nix pkgs;
+
       privileged = true;
 
       restart = "always";
-      depends_on = ["forgejo"];
+      dependsOn = ["forgejo"];
 
-      env_file = [secrets.forgejo-runner.path];
+      environmentFiles = [secrets.forgejo-runner.path];
       environment = {
         GITEA_INSTANCE_URL = "https://git.nelim.org";
         GITEA_RUNNER_NAME = "DinD";
       };
 
       volumes = ["${rwPath}/act:/data"];
-
+      extraHosts = [
-      dns = ["1.0.0.1"];
-      extra_hosts = [
         "git.nelim.org=10.0.0.130"
       ];
     };

devices/nos/modules/docker/freshrss/compose.nix

@@ -4,17 +4,17 @@
   ...
 }: let
   inherit (config.sops) secrets;
-  inherit (config.arion) rwDataDir;
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/freshrss";
 in {
-  arion.projects."freshrss" = {
+  khepri.compositions."freshrss".services = {
     "freshrss" = {
-      image = ./images/freshrss.nix;
+      image = import ./images/freshrss.nix pkgs;
       restart = "always";
 
       ports = ["2800:80"];
-      extra_hosts = [
+      extraHosts = [
         "drss.nelim.org=10.0.0.130"
         "bridge.nelim.org=10.0.0.130"
       ];
@@ -39,7 +39,7 @@ in {
         "${rss-bridge}/xExtension-RssBridge:/var/www/FreshRSS/extensions/xExtension-RssBridge:ro"
       ];
 
-      env_file = [secrets.freshrss.path];
+      environmentFiles = [secrets.freshrss.path];
 
       environment = {
         TZ = "America/New_York";
@@ -48,14 +48,14 @@ in {
     };
 
     "freshrss-db" = {
-      image = ./images/postgres.nix;
+      image = import ./images/postgres.nix pkgs;
       restart = "always";
 
       volumes = [
         "${rwPath}/db:/var/lib/postgresql/data"
       ];
 
-      env_file = [secrets.freshrss.path];
+      environmentFiles = [secrets.freshrss.path];
 
       environment = {
         POSTGRES_DB = "\${DB_BASE:-freshrss}";
@@ -65,13 +65,13 @@ in {
     };
 
     "docker-hub-rss" = {
-      image = ./images/docker-hub-rss.nix;
+      image = import ./images/docker-hub-rss.nix pkgs;
       restart = "always";
       ports = ["3007:3000"];
     };
 
     "rss-bridge" = {
-      image = ./images/rss-bridge.nix;
+      image = import ./images/rss-bridge.nix pkgs;
       restart = "always";
 
       volumes = [

devices/nos/modules/docker/gameyfin/compose.nix

@@ -1,12 +1,16 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   inherit (config.sops) secrets;
 in {
-  arion.projects."gameyfin"."gameyfin" = {
+  khepri.compositions."gameyfin".services."gameyfin" = {
-    image = ./images/gameyfin.nix;
+    image = import ./images/gameyfin.nix pkgs;
     restart = "always";
     user = "1000:1000";
 
-    env_file = [secrets.gameyfin.path];
+    environmentFiles = [secrets.gameyfin.path];
     environment.GAMEYFIN_USER = "mathis";
 
     volumes = [

devices/nos/modules/docker/hauk/compose.nix

@@ -1,6 +1,6 @@
-{...}: {
+{pkgs, ...}: {
-  arion.projects."hauk"."hauk" = {
+  khepri.compositions."hauk".services."hauk" = {
-    image = ./images/hauk.nix;
+    image = import ./images/hauk.nix pkgs;
     restart = "always";
     ports = ["3003:80"];
 

devices/nos/modules/docker/homepage/compose.nix

@@ -6,17 +6,17 @@
   inherit (config.sops) secrets;
   inherit (pkgs.writers) writeYAML;
 in {
-  arion.projects."homepage"."homepage" = {
+  khepri.compositions."homepage".services."homepage" = {
-    image = ./images/homepage.nix;
+    image = import ./images/homepage.nix pkgs;
     restart = "always";
 
     ports = [
       "3020:3000"
     ];
 
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
 
-    env_file = [secrets.homepage.path];
+    environmentFiles = [secrets.homepage.path];
 
     volumes = let
       services = writeYAML "services.yaml" (import ./services.nix);

devices/nos/modules/docker/immich/compose.nix

@@ -1,15 +1,19 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   inherit (config.sops) secrets;
-  inherit (config.arion) rwDataDir;
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/immich";
 
   UPLOAD_LOCATION = "${rwPath}/data";
 in {
-  arion.projects."immich" = {
+  khepri.compositions."immich".services = {
     "immich_server" = {
-      image = ./images/server.nix;
+      image = import ./images/server.nix pkgs;
-      env_file = [
+      environmentFiles = [
         "${./env}"
         secrets.immich.path
       ];
@@ -21,16 +25,16 @@ in {
         "2283:3001"
       ];
 
-      depends_on = ["immich_redis" "immich_postgres"];
+      dependsOn = ["immich_redis" "immich_postgres"];
       restart = "always";
 
       environment.NODE_ENV = "production";
     };
 
     "immich_machine_learning" = {
-      image = ./images/machine-learning.nix;
+      image = import ./images/machine-learning.nix pkgs;
       restart = "always";
-      env_file = [
+      environmentFiles = [
         "${./env}"
         secrets.immich.path
       ];
@@ -41,19 +45,19 @@ in {
     };
 
     "immich_redis" = {
-      image = ./images/redis.nix;
+      image = import ./images/redis.nix pkgs;
       restart = "always";
       tmpfs = ["/data"];
-      env_file = [
+      environmentFiles = [
         "${./env}"
         secrets.immich.path
       ];
     };
 
     "immich_postgres" = {
-      image = ./images/postgres.nix;
+      image = import ./images/postgres.nix pkgs;
       restart = "always";
-      env_file = [
+      environmentFiles = [
         "${./env}"
         secrets.immich.path
       ];

devices/nos/modules/docker/media/bazarr/compose.nix

@@ -1,10 +1,14 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/bazarr";
 in {
-  arion.projects."bazarr"."bazarr" = {
+  khepri.compositions."bazarr".services."bazarr" = {
-    image = ./images/bazarr.nix;
+    image = import ./images/bazarr.nix pkgs;
     restart = "always";
 
     environment = {
@@ -13,7 +17,7 @@ in {
       TZ = "America/New_York";
     };
 
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
     ports = [
       "6767:6767"
     ];
@@ -23,8 +27,6 @@ in {
       "/data:/data"
     ];
 
-    extraOptions = {
+    cpus = 2;
-      deploy.resources.limits.cpus = "2";
-    };
   };
 }

devices/nos/modules/docker/media/calibre/compose.nix

@@ -1,11 +1,15 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/calibre";
 in {
-  arion.projects."calibre" = {
+  khepri.compositions."calibre".services = {
     "calibre" = {
-      image = ./images/calibre.nix;
+      image = import ./images/calibre.nix pkgs;
       restart = "always";
 
       environment = {
@@ -21,7 +25,7 @@ in {
 
       volumes = ["${rwPath}/data-db:/config"];
 
-      extra_hosts = ["lan.nelim.org=10.0.0.130"];
+      extraHosts = ["lan.nelim.org=10.0.0.130"];
       ports = [
         "8580:8080"
         #"8081:8081"
@@ -30,7 +34,7 @@ in {
     };
 
     "calibre-web" = {
-      image = ./images/calibre-web.nix;
+      image = import ./images/calibre-web.nix pkgs;
       restart = "always";
 
       environment = {
@@ -45,7 +49,7 @@ in {
         "${rwPath}/data-db/Calibre Library:/books"
       ];
 
-      extra_hosts = ["lan.nelim.org=10.0.0.130"];
+      extraHosts = ["lan.nelim.org=10.0.0.130"];
       ports = ["8083:8083"];
     };
   };

devices/nos/modules/docker/media/joal/compose.nix

@@ -1,17 +1,21 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/joal";
 in {
-  arion.projects."joal"."joal" = {
+  khepri.compositions."joal".services."joal" = {
-    image = ./images/joal.nix;
+    image = import ./images/joal.nix pkgs;
     restart = "always";
 
     volumes = ["${rwPath}/data:/data"];
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
     ports = ["5656:5656"];
 
-    command = [
+    cmd = [
       "--joal-conf=/data"
       "--spring.main.web-environment=true"
       "--server.port=5656"

devices/nos/modules/docker/media/prowlarr/compose.nix

@@ -1,11 +1,15 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/prowlarr";
 in {
-  arion.projects."prowlarr" = {
+  khepri.compositions."prowlarr".services = {
     "prowlarr" = {
-      image = ./images/prowlarr.nix;
+      image = import ./images/prowlarr.nix pkgs;
       restart = "always";
 
       environment = {
@@ -15,12 +19,12 @@ in {
       };
 
       volumes = ["${rwPath}/data:/config"];
-      extra_hosts = ["lan.nelim.org=10.0.0.130"];
+      extraHosts = ["lan.nelim.org=10.0.0.130"];
       ports = ["9696:9696"];
     };
 
     "flaresolverr" = {
-      image = ./images/flaresolverr.nix;
+      image = import ./images/flaresolverr.nix pkgs;
       restart = "always";
 
       environment = {
@@ -30,10 +34,10 @@ in {
         TZ = "America/New_York";
       };
 
-      extra_hosts = ["lan.nelim.org=10.0.0.130"];
+      extraHosts = ["lan.nelim.org=10.0.0.130"];
       ports = ["8191:8191"];
 
-      depends_on = ["prowlarr"];
+      dependsOn = ["prowlarr"];
     };
   };
 }

devices/nos/modules/docker/media/radarr/compose.nix

@@ -1,13 +1,17 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/radarr";
 in {
-  arion.projects."radarr"."radarr" = {
+  khepri.compositions."radarr".services."radarr" = {
-    image = ./images/radarr.nix;
+    image = import ./images/radarr.nix pkgs;
     restart = "always";
 
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
     ports = ["7878:7878"];
 
     environment = {
@@ -21,8 +25,6 @@ in {
       "/data:/data"
     ];
 
-    extraOptions = {
+    cpus = 0.5;
-      deploy.resources.limits.cpus = "0.5";
-    };
   };
 }

devices/nos/modules/docker/media/sabnzbd/compose.nix

@@ -1,13 +1,17 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/sabnzbd";
 in {
-  arion.projects."sabnzbd"."sabnzbd" = {
+  khepri.compositions."sabnzbd".services."sabnzbd" = {
-    image = ./images/sabnzbd.nix;
+    image = import ./images/sabnzbd.nix pkgs;
     restart = "always";
 
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
     ports = ["8382:8082"];
 
     environment = {
@@ -21,8 +25,6 @@ in {
       "/data:/data"
     ];
 
-    extraOptions = {
+    cpus = 2;
-      deploy.resources.limits.cpus = "2";
-    };
   };
 }

devices/nos/modules/docker/media/seerr/compose.nix

@@ -1,10 +1,14 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/seerr";
 in {
-  arion.projects."seerr"."seerr" = {
+  khepri.compositions."seerr".services."seerr" = {
-    image = ./images/jellyseerr.nix;
+    image = import ./images/jellyseerr.nix pkgs;
     restart = "always";
 
     environment = {
@@ -16,7 +20,7 @@ in {
       "${rwPath}/data:/app/config"
     ];
 
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
     ports = ["5055:5055"];
   };
 }

devices/nos/modules/docker/media/sonarr/compose.nix

@@ -1,13 +1,17 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/media/sonarr";
 in {
-  arion.projects."sonarr"."sonarr" = {
+  khepri.compositions."sonarr".services."sonarr" = {
-    image = ./images/sonarr.nix;
+    image = import ./images/sonarr.nix pkgs;
     restart = "always";
 
-    extra_hosts = ["lan.nelim.org=10.0.0.130"];
+    extraHosts = ["lan.nelim.org=10.0.0.130"];
     ports = ["8989:8989"];
 
     environment = {
@@ -21,8 +25,6 @@ in {
       "/data:/data"
     ];
 
-    extraOptions = {
+    cpus = 0.5;
-      deploy.resources.limits.cpus = "0.5";
-    };
   };
 }

devices/nos/modules/docker/music/jbots/compose.nix

@@ -1,12 +1,16 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/music/jbots";
 in {
-  arion.projects."jbots" = {
+  khepri.compositions."jbots".services = {
     "musicbot_be" = {
-      container_name = "benis";
+      containerName = "be";
-      image = ./images/jmusicbot.nix;
+      image = import ./images/jmusicbot.nix pkgs;
       restart = "always";
 
       volumes = [
@@ -16,8 +20,8 @@ in {
     };
 
     "musicbot_br" = {
-      container_name = "bruh";
+      containerName = "br";
-      image = ./images/jmusicbot.nix;
+      image = import ./images/jmusicbot.nix pkgs;
       restart = "always";
 
       volumes = [

devices/nos/modules/docker/nextcloud/compose.nix

@@ -4,16 +4,17 @@
   pkgs,
   ...
 }: let
-  inherit (config.sops) secrets;
-  inherit (config.arion) rwDataDir;
   inherit (lib) concatStrings;
 
+  inherit (config.sops) secrets;
+  inherit (config.khepri) rwDataDir;
+
   mainContainerName = "app-server";
   rwPath = rwDataDir + "/nextcloud";
 in {
-  arion.projects."nextcloud" = {
+  khepri.compositions."nextcloud".services = {
     "${mainContainerName}" = {
-      image = ./images/nextcloud.nix;
+      image = import ./images/nextcloud.nix pkgs;
       restart = "always";
 
       expose = [
@@ -26,7 +27,7 @@ in {
         "/data/docs:/var/www/drive"
       ];
 
-      env_file = [secrets.nextcloud.path];
+      environmentFiles = [secrets.nextcloud.path];
 
       environment = {
         POSTGRES_DB = "nextcloud";
@@ -38,7 +39,7 @@ in {
     };
 
     "onlyoffice-document-server" = {
-      image = ./images/onlyoffice.nix;
+      image = import ./images/onlyoffice.nix pkgs;
       restart = "always";
 
       environment.JWT_ENABLED = "false";
@@ -77,7 +78,7 @@ in {
     };
 
     "nginx-server" = {
-      image = ./images/nginx.nix;
+      image = import ./images/nginx.nix pkgs;
       restart = "always";
       ports = ["8042:80"];
       volumes = [
@@ -87,9 +88,9 @@ in {
     };
 
     "nextcloud-db" = {
-      image = ./images/postgres.nix;
+      image = import ./images/postgres.nix pkgs;
       restart = "always";
-      env_file = [secrets.nextcloud.path];
+      environmentFiles = [secrets.nextcloud.path];
       volumes = [
         "${rwPath}/database:/var/lib/postgresql/data"
         "/etc/localtime:/etc/localtime:ro"
@@ -97,12 +98,12 @@ in {
     };
 
     "nextcloud-cache" = {
-      image = ./images/redis.nix;
+      image = import ./images/redis.nix pkgs;
       restart = "always";
       #mem_limit = "2048m";
       #mem_reservation = "512m";
-      env_file = [secrets.nextcloud.path];
+      environmentFiles = [secrets.nextcloud.path];
-      command = ''/bin/sh -c "redis-server --requirepass $$REDIS_HOST_PASSWORD"'';
+      cmd = [''/bin/sh -c "redis-server --requirepass $$REDIS_HOST_PASSWORD"''];
       tmpfs = [
         "/data"
       ];
@@ -119,8 +120,8 @@ in {
   };
   systemd.services.nextcloud-cron = {
     description = "Nextcloud Cron";
-    requires = ["arion-nextcloud.service"];
+    requires = ["docker-nextcloud_app-server.service"];
-    after = ["arion-nextcloud.service"];
+    after = ["docker-nextcloud_app-server.service"];
 
     serviceConfig = {
       Type = "oneshot";

devices/nos/modules/docker/resume/compose.nix

@@ -1,12 +1,16 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   inherit (config.sops) secrets;
-  inherit (config.arion) rwDataDir;
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/resume";
 in {
-  arion.projects."resume" = {
+  khepri.compositions."resume".services = {
     "postgres" = {
-      image = ./images/postgres.nix;
+      image = import ./images/postgres.nix pkgs;
       restart = "always";
 
       ports = ["5432:5432"];
@@ -15,18 +19,18 @@ in {
         "${rwPath}/db:/var/lib/postgresql/data"
       ];
 
-      env_file = [secrets.resume.path];
+      environmentFiles = [secrets.resume.path];
     };
 
     "server" = {
-      image = ./images/resume-server.nix;
+      image = import ./images/resume-server.nix pkgs;
       restart = "always";
 
       ports = ["3100:3100"];
 
-      depends_on = ["postgres"];
+      dependsOn = ["postgres"];
 
-      env_file = [secrets.resume.path];
+      environmentFiles = [secrets.resume.path];
 
       environment = {
         PUBLIC_URL = "https://resume.nelim.org";
@@ -35,12 +39,12 @@ in {
     };
 
     "client" = {
-      image = ./images/resume-client.nix;
+      image = import ./images/resume-client.nix pkgs;
       restart = "always";
 
       ports = ["3060:3000"];
 
-      depends_on = ["server"];
+      dependsOn = ["server"];
 
       environment = {
         PUBLIC_URL = "https://resume.nelim.org";

devices/nos/modules/docker/vaultwarden/compose.nix

@@ -1,11 +1,15 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/vaultwarden";
 in {
-  arion.projects."vaultwarden" = {
+  khepri.compositions."vaultwarden".services = {
     "public-vault" = {
-      image = ./images/vaultwarden.nix;
+      image = import ./images/vaultwarden.nix pkgs;
       restart = "always";
 
       ports = ["8781:80"];
@@ -14,7 +18,7 @@ in {
     };
 
     "private-vault" = {
-      image = ./images/vaultwarden.nix;
+      image = import ./images/vaultwarden.nix pkgs;
       restart = "always";
 
       ports = ["8780:80"];

devices/nos/modules/docker/wg-easy/compose.nix

@@ -1,22 +1,26 @@
-{config, ...}: let
+{
-  inherit (config.arion) rwDataDir;
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/wg-easy";
 in {
-  arion.projects."wg-easy"."wg-easy" = {
+  khepri.compositions."wg-easy".services."wg-easy" = {
-    image = ./images/wg-easy.nix;
+    image = import ./images/wg-easy.nix pkgs;
     restart = "always";
     privileged = true;
 
-    capabilities = {
+    capAdd = [
-      NET_ADMIN = true;
+      "NET_ADMIN"
-      SYS_MODULE = true;
+      "SYS_MODULE"
-    };
+    ];
 
-    sysctls = {
+    sysctls = [
-      "net.ipv4.ip_forward" = 1;
+      "net.ipv4.ip_forward=1"
-      "net.ipv4.conf.all.src_valid_mark" = 1;
+      "net.ipv4.conf.all.src_valid_mark=1"
-    };
+    ];
 
     dns = ["1.0.0.1"];
 

devices/nos/modules/jellyfin/jfa-go.nix

@@ -1,13 +1,17 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   jellyService = config.systemd.services.jellyfin.serviceConfig;
 in {
-  systemd.services."arion-jfa-go" = {
+  systemd.services."docker-jfa-go_jfa-go" = {
     after = ["jellyfin.service"];
     partOf = ["jellyfin.service"];
   };
 
-  arion.projects."jfa-go"."jfa-go" = {
+  khepri.compositions."jfa-go".services."jfa-go" = {
-    image = ./images/jfa-go.nix;
+    image = import ./images/jfa-go.nix pkgs;
     restart = "always";
 
     ports = ["8056:8056"];

devices/servivi/default.nix

@@ -1,4 +1,8 @@
-{config, ...}: let
+{
+  config,
+  self,
+  ...
+}: let
   inherit (config.vars) mainUser hostName;
 in {
   # ------------------------------------------------
@@ -15,6 +19,8 @@ in {
     ./modules/binary-cache.nix
     ./modules/minecraft.nix
     ./modules/nfs.nix
+
+    self.nixosModules.docker
   ];
 
   # State Version: DO NOT CHANGE
@@ -63,5 +69,5 @@ in {
   # ------------------------------------------------
   # `Self` Modules configuration
   # ------------------------------------------------
-  arion.enable = true;
+  # ...
 }

flake.in.nix

@@ -58,6 +58,7 @@
     nixosModules = {
       adb = import ./modules/adb.nix;
       desktop = import ./modules/desktop;
+      docker = import ./modules/docker;
       nvidia = import ./modules/nvidia.nix;
       plymouth = import ./modules/plymouth.nix;
     };

flake.lock

@@ -90,29 +90,6 @@
         "type": "github"
       }
     },
-    "arion": {
-      "inputs": {
-        "flake-parts": "flake-parts",
-        "haskell-flake": "haskell-flake",
-        "hercules-ci-effects": "hercules-ci-effects",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1720147808,
-        "narHash": "sha256-hlWEQGUbIwYb+vnd8egzlW/P++yKu3HjV/rOdOPVank=",
-        "owner": "hercules-ci",
-        "repo": "arion",
-        "rev": "236f9dd82d6ef6a2d9987c7a7df3e75f1bc8b318",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "arion",
-        "type": "github"
-      }
-    },
     "astal": {
       "inputs": {
         "nixpkgs": [
@@ -327,48 +304,6 @@
       }
     },
     "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "arion",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "arion",
-          "hercules-ci-effects",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
-        "type": "github"
-      },
-      "original": {
-        "id": "flake-parts",
-        "type": "indirect"
-      }
-    },
-    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
@@ -386,7 +321,7 @@
         "type": "github"
       }
     },
-    "flake-parts_4": {
+    "flake-parts_2": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
@@ -404,7 +339,7 @@
         "type": "github"
       }
     },
-    "flake-parts_5": {
+    "flake-parts_3": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib_3"
       },
@@ -422,7 +357,7 @@
         "type": "github"
       }
     },
-    "flake-parts_6": {
+    "flake-parts_4": {
       "inputs": {
         "nixpkgs-lib": [
           "nixpkgs-wayland",
@@ -531,6 +466,24 @@
         "type": "github"
       }
     },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_9"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "flakegen": {
       "inputs": {
         "systems": "systems_2"
@@ -675,22 +628,6 @@
         "type": "github"
       }
     },
-    "haskell-flake": {
-      "locked": {
-        "lastModified": 1675296942,
-        "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
-        "owner": "srid",
-        "repo": "haskell-flake",
-        "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "srid",
-        "ref": "0.1.0",
-        "repo": "haskell-flake",
-        "type": "github"
-      }
-    },
     "headscale": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -712,28 +649,6 @@
         "type": "github"
       }
     },
-    "hercules-ci-effects": {
-      "inputs": {
-        "flake-parts": "flake-parts_2",
-        "nixpkgs": [
-          "arion",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1719226092,
-        "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=",
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "type": "github"
-      }
-    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -1030,9 +945,30 @@
         "type": "github"
       }
     },
+    "khepri": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1721850043,
+        "narHash": "sha256-k81yKgWcQL5DCEGaDdqEhOF6guRRC/0pO+Ct5DvNmw0=",
+        "owner": "matt1432",
+        "repo": "khepri",
+        "rev": "94c47e89d4acb52d75cf57a2e4bf75ebecc2c3d4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "matt1432",
+        "repo": "khepri",
+        "type": "github"
+      }
+    },
     "lib-aggregate": {
       "inputs": {
-        "flake-utils": "flake-utils_4",
+        "flake-utils": "flake-utils_5",
         "nixpkgs-lib": "nixpkgs-lib_4"
       },
       "locked": {
@@ -1081,7 +1017,7 @@
     },
     "lix-module": {
       "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils_3",
         "flakey-profile": "flakey-profile",
         "lix": "lix",
         "nixpkgs": [
@@ -1141,7 +1077,7 @@
     },
     "mozilla-addons-to-nix": {
       "inputs": {
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_4",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -1231,7 +1167,7 @@
     },
     "nix-eval-jobs": {
       "inputs": {
-        "flake-parts": "flake-parts_6",
+        "flake-parts": "flake-parts_4",
         "nix-github-actions": "nix-github-actions_2",
         "nixpkgs": "nixpkgs_2",
         "treefmt-nix": "treefmt-nix_2"
@@ -1252,7 +1188,7 @@
     },
     "nix-fast-build": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -1300,7 +1236,7 @@
     },
     "nix-gaming": {
       "inputs": {
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_2",
         "nixpkgs": [
           "nixpkgs"
         ],
@@ -1431,7 +1367,7 @@
     },
     "nixd": {
       "inputs": {
-        "flake-parts": "flake-parts_5",
+        "flake-parts": "flake-parts_3",
         "flake-root": "flake-root",
         "nixpkgs": [
           "nixpkgs"
@@ -1834,7 +1770,6 @@
       "inputs": {
         "Hyprspace": "Hyprspace",
         "ags": "ags",
-        "arion": "arion",
         "astal": "astal",
         "astal-tray": "astal-tray",
         "bat-theme-src": "bat-theme-src",
@@ -1857,6 +1792,7 @@
         "hyprland-plugins": "hyprland-plugins",
         "jellyfin-flake": "jellyfin-flake",
         "jovian": "jovian",
+        "khepri": "khepri",
         "libratbag-src": "libratbag-src",
         "lix-module": "lix-module",
         "minix": "minix",
@@ -2146,6 +2082,21 @@
         "type": "github"
       }
     },
+    "systems_9": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "trash-d-src": {
       "flake": false,
       "locked": {

flake.nix

@@ -13,12 +13,6 @@
       repo = "ags";
       type = "github";
     };
-    arion = {
-      inputs.nixpkgs.follows = "nixpkgs";
-      owner = "hercules-ci";
-      repo = "arion";
-      type = "github";
-    };
     astal = {
       inputs.nixpkgs.follows = "nixpkgs";
       owner = "Aylur";
@@ -146,6 +140,12 @@
       repo = "Jovian-NixOS";
       type = "github";
     };
+    khepri = {
+      inputs.nixpkgs.follows = "nixpkgs";
+      owner = "matt1432";
+      repo = "khepri";
+      type = "github";
+    };
     libratbag-src = {
       flake = false;
       owner = "libratbag";

flake/inputs.nix

@@ -91,9 +91,9 @@ let
   };
 
   nosInputs = {
-    arion = mkDep {
+    khepri = mkDep {
-      owner = "hercules-ci";
+      owner = "matt1432";
-      repo = "arion";
+      repo = "khepri";
     };
 
     jellyfin-flake = mkDep {

modules/arion/default.nix

@@ -1,103 +0,0 @@
-{
-  arion,
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  inherit
-    (lib)
-    filterAttrs
-    hasAttr
-    mapAttrs
-    mkEnableOption
-    mkForce
-    mkIf
-    mkOption
-    optionalAttrs
-    types
-    ;
-
-  inherit (config.vars) mainUser;
-
-  cfg = config.arion;
-in {
-  imports = [arion.nixosModules.arion];
-
-  options.arion = {
-    enable = mkEnableOption "My custom arion config layer module";
-
-    rwDataDir = mkOption {
-      default = "/var/lib/arion";
-      type = types.str;
-      description = ''
-        Directory to place persistent data in
-      '';
-    };
-
-    projects = mkOption {
-      default = {};
-      description = ''
-        Declarative specification of docker-compose in nix.
-      '';
-      type = types.attrs;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.extraUsers.${mainUser}.extraGroups = ["docker"];
-
-    virtualisation = {
-      docker = {
-        enable = true;
-        storageDriver = "btrfs";
-      };
-
-      arion = {
-        backend = "docker";
-
-        projects =
-          mapAttrs (n: v: {
-            # https://docs.hercules-ci.com/arion/options
-            settings = {
-              enableDefaultNetwork = v.enableDefaultNetwork or true;
-
-              networks =
-                optionalAttrs (hasAttr "networks" v)
-                v.networks;
-
-              services =
-                mapAttrs (n': v': {
-                  # https://github.com/hercules-ci/arion/issues/169#issuecomment-1301370634
-                  build.image = let
-                    importImage = file: pkgs.callPackage file pkgs;
-                  in
-                    mkForce (importImage v'.image);
-
-                  service =
-                    (filterAttrs (attrName: _:
-                      attrName != "image" && attrName != "extraOptions")
-                    v')
-                    # By default set the container_name to the attrset's name
-                    // (optionalAttrs (! hasAttr "container_name" v') {
-                      container_name = n';
-                    });
-
-                  out.service =
-                    optionalAttrs
-                    (hasAttr "extraOptions" v')
-                    v'.extraOptions;
-                })
-                v;
-            };
-          })
-          cfg.projects;
-      };
-    };
-
-    # Script for updating the images of all images of a compose.nix file
-    environment.systemPackages = with pkgs; [
-      (callPackage ./updateImage.nix {})
-    ];
-  };
-}

modules/borgbackup/default.nix

@@ -4,7 +4,7 @@
   services.borgbackup = {
     existingRepos = [
       {
-        name = "arion";
+        name = "docker";
         authorizedKeys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPijoxuSwH9IrS4poewzHHwe64UoX4QY7Qix5VhEdqKR root@servivi"
         ];

modules/docker/.template/compose.nix

@@ -1,9 +1,10 @@
 {config, ...}: let
   inherit (config.sops) secrets;
-  inherit (config.arion) rwDataDir;
+  inherit (config.khepri) rwDataDir;
 
   rwPath = rwDataDir + "/projectName";
 in {
-  arion.projects."projectName" = {
+  khepri.compositions."projectName" = {
+    services = {};
   };
 }

modules/docker/default.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  khepri,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkOption types;
+
+  inherit (config.vars) mainUser;
+in {
+  imports = [khepri.nixosModules.default];
+
+  options.khepri = {
+    rwDataDir = mkOption {
+      default = "/var/lib/docker";
+      type = types.str;
+      description = ''
+        Directory to place persistent data in.
+      '';
+    };
+  };
+
+  config = {
+    users.extraUsers.${mainUser}.extraGroups = ["docker"];
+
+    virtualisation = {
+      docker = {
+        enable = true;
+        storageDriver = "btrfs";
+      };
+      # khepri uses oci-containers under the hood and it must be set to docker to work
+      oci-containers.backend = "docker";
+    };
+
+    # Script for updating the images of all images of a compose.nix file
+    environment.systemPackages = with pkgs; [
+      (callPackage ./updateImage.nix {})
+    ];
+  };
+}