[pocket-id] Creates Pocket ID service.

system/hosts/mcp/containers.nix

@@ -8,6 +8,7 @@
     ./containers/jobhunt.nix
     ./containers/nextcloud.nix
     ./containers/prometheus.nix
+    ./containers/pocket-id.nix
     ./containers/public-homepage.nix
     ./containers/searxng.nix
     ./containers/shared-postgres.nix

system/hosts/mcp/containers/pocket-id.nix

@@ -0,0 +1,42 @@
+{ config, ... }:
+let 
+  inherit (import ./lib.nix config) mkContainer blazestar;
+  userIds = import ./user-ids.nix;
+in
+{
+  users.groups.pocket-id = {
+    gid = userIds.pocket-id.gid;
+  };
+
+  users.users.pocket-id = {
+    uid = userIds.pocket-id.uid;
+    isSystemUser = true;
+    description = "System User for Pocket ID";
+    group = "pocket-id";
+  };
+
+  virtualisation.oci-containers.containers.pocket-id = mkContainer {
+    image = "ghcr.io/pocket-id/pocket-id";
+    dependsOn = [];
+    hostName = "auth";
+    port = 3000;
+    public = false;
+    domain = blazestar;
+    homepageOpts = {
+      group = "Infra";
+      name = "Pocket ID";
+      icon = "pocket-id";
+      description = "Pocket ID Auth Server";
+    };
+    volumes = [
+      "/tank/pocket-id/data:/app/backend/data"
+    ];
+    environment = {
+      PUBLIC_APP_URL = "https://auth.${blazestar}";
+      # Whether the app is behind a reverse proxy.
+      TRUST_PROXY = "true";
+      PUID = toString userIds.pocket-id.uid;
+      PGID = toString userIds.pocket-id.gid;
+    };
+  };
+}

system/hosts/mcp/containers/user-ids.nix

@@ -0,0 +1,8 @@
+{
+  gitea = 2001;
+  timetagger = 2002;
+  pocket-id = {
+    uid = 2003;
+    gid = 2003;
+  };
+}