refactor: native deps auto-wire via mkPodmanService, no manual wiring needed

mkPodmanService now accepts appDir in its outer import args and auto-derives
native systemd deps from metadata.yaml — same IFD pattern as mkPodmanApp.

Apps using mkPodmanService directly (e.g. authentik) declare:
  mkPodmanService = import .../podman-service.nix { inherit pkgs lib; appDir = ./.; };

Deps from integrations.*.compatible[].app auto-apply to every container created
via that import. No extraAfter/extraRequires for native services needed.

authentik loses its manual redis.service wiring — now comes from metadata.yaml.

Author: d-buckner

apps/authentik/module.nix

@@ -5,9 +5,7 @@ let
   bloudCfg = config.bloud;
   traefikCfg = config.bloud.apps.traefik;
   postgresCfg = config.bloud.apps.postgres;
-  mkPodmanService = import ../../nixos/lib/podman-service.nix { inherit pkgs lib; };
-  nativeDeps = import ../../nixos/lib/metadata.nix { inherit pkgs lib; };
-  nativeIntegrationDeps = nativeDeps ./metadata.yaml;
+  mkPodmanService = import ../../nixos/lib/podman-service.nix { inherit pkgs lib; appDir = ./.; };
   # Note: App-specific blueprints are now generated by the host-agent from metadata.yaml SSO config
 
   userHome = "/home/${bloudCfg.user}";
@@ -155,8 +153,8 @@ in
         network = "apps-net";
         dependsOn = [ "apps-network" ];
         userns = "keep-id";
-        extraAfter = [ "bloud-db-init.service" ] ++ nativeIntegrationDeps;
-        extraRequires = [ "bloud-db-init.service" ] ++ nativeIntegrationDeps;
+        extraAfter = [ "bloud-db-init.service" ];
+        extraRequires = [ "bloud-db-init.service" ];
         # Wire up configurator to run after container starts (sets admin password, etc.)
         bloudAppName = "authentik";
         bloudAgentPath = bloudCfg.agentPath;
@@ -194,8 +192,8 @@ in
         network = "apps-net";
         dependsOn = [ "apps-network" ];
         userns = "keep-id";
-        extraAfter = [ "bloud-db-init.service" ] ++ nativeIntegrationDeps;
-        extraRequires = [ "bloud-db-init.service" ] ++ nativeIntegrationDeps;
+        extraAfter = [ "bloud-db-init.service" ];
+        extraRequires = [ "bloud-db-init.service" ];
       };
 
       # Authentik nginx proxy (adds X-Forwarded-Host header for correct OAuth URLs)

nixos/lib/podman-app.nix

@@ -70,12 +70,11 @@
 }:
 
 let
-  mkPodmanService = import ./podman-service.nix { inherit pkgs lib; };
+  # Pass appDir so mkPodmanService auto-derives native deps from metadata.yaml.
+  mkPodmanService = import ./podman-service.nix { inherit pkgs lib; inherit appDir; };
   nativeDeps = import ./metadata.nix { inherit pkgs lib; };
 
-  # Auto-derive native service deps from metadata.yaml (IFD) when appDir is provided.
-  # Convention: integrations.*.compatible[].app → "{app}.service" (canonical alias).
-  # Native apps (postgres, redis) expose real system aliases; container app names are no-ops.
+  # Used for the db-init service's after list (mkPodmanService handles the main container).
   nativeIntegrationDeps = if appDir == null then [] else nativeDeps (appDir + "/metadata.yaml");
 
   # References to other configs
@@ -190,11 +189,9 @@ let
     };
   };
 
-  # Extra systemd dependencies for database init + native integration deps
+  # Extra systemd dependencies for database init (native deps handled by mkPodmanService)
   dbExtraAfter = lib.optionals (database != null) [ "${serviceName}-db-init.service" ];
   dbExtraRequires = lib.optionals (database != null) [ "${serviceName}-db-init.service" ];
-  containerExtraAfter = dbExtraAfter ++ nativeIntegrationDeps;
-  containerExtraRequires = dbExtraRequires ++ nativeIntegrationDeps;
 
   # Port option (only if port is specified)
   portOption = lib.optionalAttrs (port != null) {
@@ -245,8 +242,8 @@ in
           volumes = allVolumes;
           network = network;
           dependsOn = [ "apps-network" ] ++ normalizedDependsOn;
-          extraAfter = containerExtraAfter;
-          extraRequires = containerExtraRequires;
+          extraAfter = dbExtraAfter;
+          extraRequires = dbExtraRequires;
           # Bloud configurator hooks (uses dev path for now, will be packaged later)
           bloudAppName = name;
           bloudAgentPath = config.bloud.agentPath;

nixos/lib/podman-service.nix

@@ -1,16 +1,17 @@
-{ pkgs, lib, ... }:
-
-# Helper function to create a systemd user service for a podman container
-# This abstracts the common patterns for running containers with rootless podman
+# Pass appDir = ./. in the import to auto-derive native service deps from metadata.yaml:
+#   mkPodmanService = import ../../nixos/lib/podman-service.nix { inherit pkgs lib; appDir = ./.; };
 #
 # Parameters:
-#   waitFor - list of {container, command} to health check before starting
-#             e.g. [{ container = "postgres"; command = "pg_isready -U user"; }]
+#   waitFor      - list of {container, command} to health check before starting
 #   bloudAppName - if set, runs bloud-agent configure prestart/poststart hooks
 #   bloudAgentPath - path to bloud-agent binary (required if bloudAppName is set)
 
+{ pkgs, lib, appDir ? null }:
+
 { name, image, ports ? [], environment ? {}, volumes ? [], network ? null, dependsOn ? [], cmd ? [], userns ? null, waitFor ? [], extraAfter ? [], extraRequires ? [], bloudAppName ? null, bloudAgentPath ? null, envFile ? null, preStartScript ? null }:
 let
+  nativeDeps = import ./metadata.nix { inherit pkgs lib; };
+  nativeIntegrationDeps = if appDir == null then [] else nativeDeps (appDir + "/metadata.yaml");
   # Generate health check script for each waitFor entry
   mkHealthCheck = { container, command, timeout ? 60 }: ''
     echo "Waiting for ${container} to be ready..."
@@ -41,9 +42,9 @@ let
 in
 {
   description = "Podman container: ${name}";
-  after = [ "network-online.target" "bloud-init-secrets.service" ] ++ (map (dep: "podman-${dep}.service") dependsOn) ++ extraAfter;
+  after = [ "network-online.target" "bloud-init-secrets.service" ] ++ (map (dep: "podman-${dep}.service") dependsOn) ++ extraAfter ++ nativeIntegrationDeps;
   wants = [ "network-online.target" "bloud-init-secrets.service" ] ++ (map (dep: "podman-${dep}.service") dependsOn);
-  requires = extraRequires;
+  requires = extraRequires ++ nativeIntegrationDeps;
   wantedBy = [ "bloud-apps.target" ];
 
   # Add /run/wrappers/bin to PATH for newuidmap/newgidmap (rootless podman)