Rootless Podman

Table of Contents

1. Rootless Podman

Note: This article assumes you are familiar with Podman.

2. Using Rootless Podman With sops-nix

sops-nix is a super useful tool that lets you keep certain files in your config encrypted, and decrypts them when they are included in your system so that they can be read there in plaintext. This allows you to include secrets in your repository without exposing their values. It also sets the permissions of the decrypted files so that they cannot be read by others:

-r-------- 1 main users  179 Aug 17  2025 rclone-cloud
-r-------- 1 main users   60 Aug 17  2025 simplelogin
-r-------- 1 main users 3.0K Aug 17  2025 syncthing  

The problem with using both is that processes inside rootless containers usually run under a different UID than your own, unless you run them as the container's root (which in this context is basically you, not the root of the whole system). Here is an example:

-rw-r--r--  1 232062 232062 2.1M Aug 16 15:15 homeserver.db
-rw-r--r--  1 232062 232062  32K Aug 17 01:13 homeserver.db-shm
-rw-r--r--  1 232062 232062 4.0M Aug 17 01:13 homeserver.db-wal
-rw-r--r--  1 232062 232062 1.9M Aug 17 03:30 homeserver.log
-rw-r--r--  1 232062 232062 539K Aug 14 08:59 homeserver.log.2025-08-13
-rw-r--r--  1 232062 232062 2.2M Aug 15 08:59 homeserver.log.2025-08-14
-rw-r--r--  1 232062 232062 2.2M Aug 16 08:59 homeserver.log.2025-08-15
-r--------  1 232062 232062 1.5K Aug 16 01:58 homeserver.yaml  

A simple fix for this was to copy the secrets over to a dedicated directory and then change their ownership from inside rootlesskit, so that the UID translation of the user namespace is applied properly.

 1: home.activation.matrix =
 2:   lib.hm.dag.entryAfter
 3:     [
 4:       "podmanQuadletCleanup"
 5:       "sops-nix"
 6:       "writeBoundary"
 7:     ]
 8:     ''
 9:       DIR=${config.home.homeDirectory}/.podman/matrix   # directory later bind-mounted into the container
10:       if [ ! -d "$DIR" ]; then
11:         ${pkgs.rootlesskit}/bin/rootlesskit mkdir -p "$DIR/uploads"
12:         ${pkgs.rootlesskit}/bin/rootlesskit mkdir -p "$DIR/media"
13:       fi
14:       ${pkgs.rootlesskit}/bin/rootlesskit rm -f "$DIR/homeserver.yaml"
15:       ${pkgs.rootlesskit}/bin/rootlesskit cp ${config.home.homeDirectory}/.config/sops-nix/secrets/matrix/homeserver.yaml "$DIR/homeserver.yaml"
16:       ${pkgs.rootlesskit}/bin/rootlesskit rm -f "$DIR/skew.ch.signing.key"
17:       ${pkgs.rootlesskit}/bin/rootlesskit cp ${config.home.homeDirectory}/.config/sops-nix/secrets/matrix/skew.ch.signing.key "$DIR/skew.ch.signing.key"
18:       ${pkgs.rootlesskit}/bin/rootlesskit rm -f "$DIR/skew.ch.log.config"
19:       ${pkgs.rootlesskit}/bin/rootlesskit cp ${config.home.homeDirectory}/.config/sops-nix/secrets/matrix/skew.ch.log.config "$DIR/skew.ch.log.config"
20:       ${pkgs.rootlesskit}/bin/rootlesskit chown -R 991:991 "$DIR"   # 991 is the UID inside the container; rootlesskit maps it to your subuid range on the host
21:     '';

Note that line 4 has multiple entries that specify when this script should be run. As the name suggests, entryAfter lists the tasks that must be completed before this script is executed.
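The chown above only works because rootlesskit translates container UIDs into the user's subordinate UID range. The following added example (not part of the original post) does that translation by hand and checks a file's owner against it; the subuid line, the user name "main" and its host UID 1001 are constructed, chosen so that container UID 991 lands on host UID 232062, the owner seen in the listing above.

```shell
#!/bin/sh
# Added example: map a UID inside a rootless Podman container to the host UID
# that the user namespace gives it, then check a bind-mounted file against it.
# Values below are constructed; a real system reads the line from /etc/subuid.

SUBUID_SAMPLE='main:231072:65536'   # constructed: user:range_start:range_count
MAIN_HOST_UID=1001                  # assumed host UID of user "main"

# Usage: container_uid_to_host <subuid_line> <user_host_uid> <container_uid>
# Prints the host UID. Container UID 0 is the user's own UID (the "fake root");
# container UID N >= 1 is the Nth UID of the subordinate range.
container_uid_to_host() {
  _line=$1; _own=$2; _cuid=$3
  _start=$(printf '%s' "$_line" | cut -d: -f2)
  _count=$(printf '%s' "$_line" | cut -d: -f3)
  if [ "$_cuid" -eq 0 ]; then
    echo "$_own"
  elif [ "$_cuid" -ge 1 ] && [ "$_cuid" -le "$_count" ]; then
    echo $((_start + _cuid - 1))
  else
    echo "container uid $_cuid is outside the $_count-entry subuid range" >&2
    return 1
  fi
}

# Usage: file_owned_by_container_uid <file> <subuid_line> <user_host_uid> <container_uid>
# Succeeds only when the file's host owner is the UID that the given container
# UID maps to, i.e. when a process running as that UID in the container owns it.
file_owned_by_container_uid() {
  _expected=$(container_uid_to_host "$2" "$3" "$4") || return 1
  _actual=$(stat -c %u "$1") || return 1
  [ "$_actual" -eq "$_expected" ]
}

# Demo with the constructed values: 991 in the container is 232062 on the host,
# while a sops-nix secret owned by "main" (mode 0400) is readable only by
# container UID 0, which is why the copy plus chown is needed.
container_uid_to_host "$SUBUID_SAMPLE" "$MAIN_HOST_UID" 991   # prints 232062
container_uid_to_host "$SUBUID_SAMPLE" "$MAIN_HOST_UID" 0     # prints 1001
```

Running the check against the real /etc/subuid line and your own UID tells you, before the container starts, whether the chown produced the owner the container process expects.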

Created: 2025-10-29 Wed 13:02
