From c10c155b7924fef3f8ed76c6d4758c3911b34a23 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Mon, 10 Nov 2025 19:35:05 -0500
Subject: [PATCH] Setup Pinchflat This sets up the container to run as the jellyfin user and to download to the folder where I store things from YouTube for Jellyfin already.
---
 .../nixos/nixnuc/containers/pinchflat.nix | 39 +++++++++++++++++++
 modules/hosts/nixos/nixnuc/default.nix | 2 +
 modules/hosts/nixos/nixnuc/secrets.yaml | 7 ++--
 3 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 modules/hosts/nixos/nixnuc/containers/pinchflat.nix
diff --git a/modules/hosts/nixos/nixnuc/containers/pinchflat.nix b/modules/hosts/nixos/nixnuc/containers/pinchflat.nix
new file mode 100644
index 0000000..f37d7b3
--- /dev/null
+++ b/modules/hosts/nixos/nixnuc/containers/pinchflat.nix
@@ -0,0 +1,39 @@
+{ config, ... }: let
+ volume_base = "/orico/pinchflat";
+ jellyfin_youtube = "/orico/jellyfin/data/YouTube";
+ container_user = "jellyfin";
+ uid = "990";
+ gid = "989";
+in {
+ virtualisation.oci-containers.containers = {
+ "pinchflat" = {
+ autoStart = true;
+ environmentFiles = [
+ "${volume_base}/.env"
+ ];
+ extraOptions = [
+ "--security-opt"
+ "label=disable"
+ "--userns=keep-id"
+ ];
+ image = "ghcr.io/kieraneglin/pinchflat:latest";
+ ports = [
+ "8945:8945"
+ ];
+ user = "${uid}:${gid}"; # observed UID:GID of jellyfin user
+ volumes = [
+ "${volume_base}/config:/config"
+ "${jellyfin_youtube}:/downloads"
+ ];
+ };
+ };
+
+ services.restic.backups.daily.paths = [ volume_base ];
+
+ sops.secrets.pinchflat_dot_env = {
+ owner = "${container_user}";
+ path = "${volume_base}/.env";
+ restartUnits = [ "${config.virtualisation.oci-containers.containers.pinchflat.serviceName}" ];
+ };
+}
+
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 898fd94..9a33803 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
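Review bot: In pinchflat.nix, `image = "ghcr.io/kieraneglin/pinchflat:latest";` leaves the image unpinned, so with `autoStart = true` whatever is published under that tag at the next pull runs with write access to `/orico/jellyfin/data/YouTube` and the Pinchflat config volume. Pinning to a release tag and digest turns each upgrade into an explicit, reviewable commit, e.g. `image = "ghcr.io/kieraneglin/pinchflat:<release-tag>@sha256:<digest>";` (both are placeholders to be taken from the registry). The `"--security-opt" "label=disable"` pair in `extraOptions` also deserves a one-line comment saying why label separation has to be switched off on this host, or should be dropped if it is not needed.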
@@ -10,6 +10,7 @@ in {
 ./hardware-configuration.nix
 ./containers/audiobookshelf.nix
 ./containers/mountain-mesh-bot-discord.nix
+ ./containers/pinchflat.nix
 ./containers/psitransfer.nix
 ../../common/linux/lets-encrypt.nix
 ../../common/linux/restic.nix
@@ -91,6 +92,7 @@ in {
 8384 # Syncthing gui
 8888 # Atuin
 8090 # Wallabag in docker compose
+ 8945 # Pinchflat in oci-container
 9090 # Prometheus Server
 9273 # Telegraf's Prometheus endpoint
 13378 # Audiobookshelf in oci-container
diff --git a/modules/hosts/nixos/nixnuc/secrets.yaml b/modules/hosts/nixos/nixnuc/secrets.yaml
index 0f91527..7f8ab72 100644
--- a/modules/hosts/nixos/nixnuc/secrets.yaml
+++ b/modules/hosts/nixos/nixnuc/secrets.yaml
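Review bot: In default.nix, the added `8945 # Pinchflat in oci-container` entry combines with `ports = [ "8945:8945" ]` in pinchflat.nix to publish the Pinchflat UI on every interface. The list it joins starts outside the hunk, so reading it as the firewall's allowed-TCP list is an inference from the neighbouring entries. Nothing visible in this commit turns on authentication: Pinchflat's basic auth is opt-in through `BASIC_AUTH_USERNAME` and `BASIC_AUTH_PASSWORD` in the environment file, and the contents of `pinchflat_dot_env` are encrypted here, so confirm both are set. If the UI is only meant to be reached through a local reverse proxy, publish on loopback instead, `"127.0.0.1:8945:8945"`, and leave this port out of the list.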
@@ -11,6 +11,7 @@ mealie: ENC[AES256_GCM,data:fZFBWlh/nbxK0GA6+fb1FK6aFfbiV/GsBYKYRPgavcsB9h4HwRSZ mtnmesh_bot_dot_env: ENC[AES256_GCM,data:jKz0voG/a7Eq+zHI2fsejTpu5H+ic5ZE8VmtOQDQEOTvYT8GWr2oCGwh68ql7g+nU5hlNN7uLl9LreW59nTgmvWNCVjVNKchxJeydktMUoq2FlgyoC2I354bi9gFEL0X5JYRR7jG9iwy4WGyEFfhhUJn1MSwOurRZPw/tdWTUKQVwN5oqjMxkXrZhFLDzq6BrTs0hBpzRYTe,iv:ZBxHkW8VyU+8v4GiDJMEaeqm3Fdtuwm7M/7YXkfkMnw=,tag:S8hTOSicQNIAj/Gdxzw5+A==,type:str] nextcloud_admin_pass: ENC[AES256_GCM,data:KztB3Tkqlt73PEO41lthGYElrbwVdfqQgT6f,iv:kRwXqGJO4AUOMq+uYzndGhscaJiyvG4ANKabHHd78YM=,tag:dP3PgKafDTv8x7huKJGDqA==,type:str] psitransfer_dot_env: ENC[AES256_GCM,data:bhvU0AOCjecZ62BtLw4H1DdkLeatI+uUl6L7UkdDRkBF3sayO45Z1eR4q60tflXucyTGhT8WgKFz53I+C2dn265wzojIRc3Xr4TBLyWpfJ7/dct40SckgUiRvOnrefiriWQ=,iv:DGMhDkzgeupzzTJnCdVWDPUSo2wxI3MAypKQwVfHExE=,tag:KbteGqrkqgj2XB1lvlk/yQ==,type:str] +pinchflat_dot_env: ENC[AES256_GCM,data:8DLiFXThG5PGJ0ymW5bMVy5A8dM=,iv:BGkVvxaNwFIMSaA3F6h4ZsgkC9tm1lohA0lg2pgZhpw=,tag:qQNrluP5exdKG3NXgQHM8g==,type:str] tandoor_db_pass: ENC[AES256_GCM,data:X0unx5jquLsUXadbF6xLjjeGY+f8Ec4kdc15JQ==,iv:XptlJHfAkF+3jbgJTqxhVReYjuVVdk3NzfPepP78DRI=,tag:3RG5P9QGCJ/fjdxWpY1xWA==,type:str] tandoor_secret_key: ENC[AES256_GCM,data:aSQRdtWUZQzy5rvQBPAvYFvwTqyu16UGrvUayxqi2WdsTOfqOyxQ7ywNEy/g/qPqSbwM,iv:kbct/gvfYhU6GOhkomY80o/Sx5mr9FY9SAFJGNrj3Ow=,tag:v+LKQ9UM5nzzd77By7TnGg==,type:str] sops: 
@@ -24,7 +25,7 @@ sops: bHZlNTZDV2NYU1hQQy9mem80SFF6TFkKfmjkJBfTdh0vTtGaVx1t3tHJvSsAwdYD PF025X9U+yG2oIopwXEVBkxcD70eyuJn3OqH0xoVLBkbhNM9i8LHrA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-06T12:07:03Z" - mac: ENC[AES256_GCM,data:9CiwZouVAkxj8kFANfD5rXltouVZ5C1Pd8a10TeC61uCtqAJkDxDTD4odZZcODUtKigCmtgo2q1ru9njBhbW463IOEDFhdQ1mPVbWVXmyLNuSpQAfH2pFyy1kWuOj2Ol00qO/bca5ng/Yi+nAEHLUgOJSkU31DMWRBR5b3080IM=,iv:HkwXc7Oibp90D/no66PcwwNR+UfbwqdDvXHBz3+D2Oo=,tag:2mM7zEA+mHG9Oi3lOgqWLA==,type:str] + lastmodified: "2025-11-10T23:26:34Z" + mac: ENC[AES256_GCM,data:pwgPKBBp2oNu2RRZDprbpVmWxCbsReS3l5/alUfJ7KrMWU6tWiKXNbE2HY/40HYAGyJQ4Jal+u4tKEnPReVubEIe8NwuMlXaDh4ynEN1DId9FaRuCjKatkySWPOGO6DFd4Ajr1Xt1XtWVRqhlCAf5nE+nG1ZBQbloWgOEQZ9m6s=,iv:D0l5yu4lFwrboHbTN26ECPBM6MluPHGR2x6JAwbAUoE=,tag:ctlUVc2CFglsYuTYyCuuYQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0