cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

init karakeep (hoarder)

Browse source
This commit is contained in:
cy 2025-04-05 16:46:32 -04:00
parent f7157a11ed
commit 895052fb20
Signed by: cy
SSH key fingerprint: SHA256:o/geVWV4om1QhUSkKvDQeW/eAihwnjyXkqMwrVdbuts
6 changed files with 145 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -135,4 +135,10 @@ creation_rules:
- *yt - *yt
- *cy - *cy
- *chunk - *chunk
- path_regex: secrets/services/karakeep.yaml
key_groups:
- age:
- *yt
- *cy
- *chunk

17
hosts/chunk/default.nix
View file

@ -46,20 +46,14 @@
"rsyncnet/id_ed25519" = { "rsyncnet/id_ed25519" = {
sopsFile = ../../secrets/zh5061/chunk.yaml; sopsFile = ../../secrets/zh5061/chunk.yaml;
}; };
"attic/env" = {
sopsFile = ../../secrets/services/attic.yaml;
};
"garage/env" = { "garage/env" = {
sopsFile = ../../secrets/services/garage.yaml; sopsFile = ../../secrets/services/garage.yaml;
}; };
"tailscale/auth" = { "tailscale/auth" = {
sopsFile = ../../secrets/services/tailscale.yaml; sopsFile = ../../secrets/services/tailscale.yaml;
}; };
"zipline/env" = { "karakeep/env" = {
sopsFile = ../../secrets/services/zipline.yaml; sopsFile = ../../secrets/services/karakeep.yaml;
};
"searx/env" = {
sopsFile = ../../secrets/services/searx.yaml;
}; };
}; };
@ -186,9 +180,10 @@
programs.git.enable = true; programs.git.enable = true;
my.caddy.enable = true; my.caddy.enable = true;
# container stuff
my.containerization.enable = true; my.containerization.enable = true;
my.authelia.enable = true; my.authelia.enable = true;
my.karakeep = {
enable = true;
dataDir = "/opt/karakeep";
};
} }

16
modules/authelia.nix
View file

@ -49,6 +49,11 @@ in
webauthn = { webauthn = {
enable_passkey_login = true; enable_passkey_login = true;
}; };
identity_providers.oidc.claims_policies = {
# https://github.com/karakeep-app/karakeep/issues/410
# https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
karakeep.id_token = [ "email" ];
};
identity_providers.oidc.clients = [ identity_providers.oidc.clients = [
{ {
client_id = "immich"; client_id = "immich";
@ -94,6 +99,17 @@ in
audience = []; audience = [];
token_endpoint_auth_method = "client_secret_post"; token_endpoint_auth_method = "client_secret_post";
} }
{
client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
client_name = "Karakeep";
client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw";
public = false;
authorization_policy = "two_factor";
redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ];
scopes = [ "openid" "profile" "email" ];
userinfo_signed_response_alg = "none";
claims_policy = "karakeep";
}
]; ];
}; };
secrets = { secrets = {

1
modules/default.nix
View file

@ -10,5 +10,6 @@
./searx.nix ./searx.nix
./attic.nix ./attic.nix
./authelia.nix ./authelia.nix
./karakeep.nix
]; ];
} }

81
modules/karakeep.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, ... }:
let
cfg = config.my.karakeep;
in
{
options.my.karakeep = {
enable = lib.mkEnableOption "karakeep";
dataDir = lib.mkOption {
type = lib.types.path;
};
port = lib.mkOption {
default = 3002;
description = "port for the web service";
type = lib.types.port;
};
domain = lib.mkOption {
default = "keep.cy7.sh";
type = lib.types.str;
};
environmentFile = lib.mkOption {
default = config.sops.secrets."karakeep/env".path;
type = lib.types.path;
};
};
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.containers = {
karakeep-web = {
image = "ghcr.io/karakeep-app/karakeep:release";
pull = "newer";
volumes = [ "${cfg.dataDir}:/data" ];
ports = [ "${toString cfg.port}:3000"];
dependsOn = [
"karakeep-chrome"
"karakeep-meilisearch"
];
environment = {
MEILI_ADDR = "http://karakeep-meilisearch:7700";
BROWSER_WEB_URL = "http://karakeep-chrome:9222";
DATA_DIR = "/data";
NEXTAUTH_URL = "https://${cfg.domain}";
DISABLE_PASSWORD_AUTH = "true";
OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration";
OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
OAUTH_PROVIDER_NAME = "Authelia";
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
};
# needs NEXTAUTH_SECRET
environmentFiles = [ "${cfg.environmentFile}" ];
};
karakeep-chrome = {
image = "ghcr.io/zenika/alpine-chrome:latest";
pull = "newer";
cmd = [
"--no-sandbox"
"--disable-gpu"
"--disable-dev-shm-usage"
"--remote-debugging-address=0.0.0.0"
"--remote-debugging-port=9222"
"--hide-scrollbars"
];
};
karakeep-meilisearch = {
image = "getmeili/meilisearch:latest";
volumes = [ "meilisearch:/meili_data" ];
environment = {
MEILI_NO_ANALYTICS = "true";
};
# needs MEILI_MASTER_KEY
environmentFiles = [ "${cfg.environmentFile}" ];
};
};
services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
import common
reverse_proxy localhost:${toString cfg.port}
'';
};
}

35
secrets/services/karakeep.yaml Normal file
View file

@ -0,0 +1,35 @@
karakeep:
env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str]
sops:
age:
- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx
TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4
eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p
bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G
bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x
QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16
Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq
cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN
NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N
UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG
ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU
K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+
DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-05T19:44:58Z"
mac: ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1