diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index c955639..290761f 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -74,7 +74,7 @@ jobs: run: | package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ -u https://nix-community.cachix.org \ -u https://nixcache.web.cy7.sh \ $package @@ -143,7 +143,7 @@ jobs: run: | package=".#homeConfigurations."${{ matrix.home }}".activationPackage" nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ -u https://nix-community.cachix.org \ -u https://nixcache.web.cy7.sh \ $package diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index c188482..4f76a1d 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -62,7 +62,7 @@ jobs: if: '!cancelled()' run: | nix run git+https://git.cy7.sh/cy/nixcp.git -- \ - --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \ + --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \ -u https://nix-community.cachix.org \ -u https://nixcache.web.cy7.sh \ "${{ matrix.package }}" diff --git a/.sops.yaml b/.sops.yaml index 21d2151..5dca48c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -135,4 +135,10 @@ creation_rules: - *yt - *cy - *chunk + - path_regex: secrets/services/karakeep.yaml + key_groups: + - age: + - *yt + - *cy + - *chunk diff --git a/flake.lock b/flake.lock index 0fe0871..ba20fb3 100644 --- a/flake.lock +++ b/flake.lock @@ -114,11 +114,11 @@ "rocksdb": "rocksdb" }, "locked": { - "lastModified": 1743473828, - "narHash": "sha256-x/sfh6LCHGAz8rL23GHhH7dac1LtHBbRRJi1p8gOdtI=", + "lastModified": 1743780871, + "narHash": "sha256-xmDepDLHsIWiwpWYjhI40XOrV9jCKrYJQ+EK1EOIdRg=", "owner": "girlbossceo", "repo": "conduwuit", - "rev": "0f81c1e1ccdcb0c5c6d5a27e82f16eb37b1e61c8", + "rev": "4e5b87d0cd16f3d015f4b61285b369d027bb909d", "type": "github" }, "original": { @@ -151,11 +151,11 @@ }, "crane_2": { "locked": { - "lastModified": 1742394900, - "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "lastModified": 1739936662, + "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=", "owner": "ipetkov", "repo": "crane", - "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7", "type": "github" }, "original": { @@ -167,11 +167,11 @@ }, "crane_3": { "locked": { - "lastModified": 1742394900, - "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "lastModified": 1737689766, + "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=", "owner": "ipetkov", "repo": "crane", - "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "crane_4": { "locked": { - "lastModified": 1742394900, - "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=", + "lastModified": 1741148495, + "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=", "owner": "ipetkov", "repo": "crane", - "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd", + "rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53", "type": "github" }, "original": { @@ -386,11 +386,11 @@ ] }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1740872218, + "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "3876f6b87db82f33775b1ef5ea343986105db764", "type": "github" }, "original": { @@ -610,11 +610,11 @@ ] }, "locked": { - "lastModified": 1743556466, - "narHash": "sha256-rvU79DJ6rPDxiH0sTp686Vlm+JewwAZPGcwt8OfHJbM=", + "lastModified": 1743948087, + "narHash": "sha256-B6cIi2ScgVSROPPlTti6len+TdR0K25B9R3oKvbw3M8=", "owner": "nix-community", "repo": "home-manager", - "rev": "5ee44bc7c2e853f144390a12ebe5174ad7e3b9e0", + "rev": "ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7", "type": "github" }, "original": { @@ -826,11 +826,11 @@ ] }, "locked": { - "lastModified": 1743306489, - "narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=", + "lastModified": 1743911143, + "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d", + "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb", "type": "github" }, "original": { @@ -909,11 +909,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1743501102, - "narHash": "sha256-7PCBQ4aGVF8OrzMkzqtYSKyoQuU2jtpPi4lmABpe5X4=", + "lastModified": 1743813633, + "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "02f2af8c8a8c3b2c05028936a1e84daefa1171d4", + "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6", "type": "github" }, "original": { @@ -973,11 +973,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1743448293, - "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=", + "lastModified": 1742669843, + "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3", + "rev": "1e5b653dff12029333a6546c11e108ede13052eb", "type": "github" }, "original": { @@ -989,11 +989,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1743559129, - "narHash": "sha256-7gpAWsENV3tY2HmeHYQ2MoQxGpys+jQWnkS/BHAMXVk=", + "lastModified": 1743862455, + "narHash": "sha256-I/QXtrqznq1321mYR9TyMPX/zCWb9iAH64hO+pEBY00=", "owner": "nixos", "repo": "nixpkgs", - "rev": "adae22bea8bcc0aa2fd6e8732044660fb7755f5e", + "rev": "06f3516b0397bd241bde2daefc8538fc886c5467", "type": "github" }, "original": { @@ -1110,11 +1110,11 @@ ] }, "locked": { - "lastModified": 1743561237, - "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", + "lastModified": 1741228283, + "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", + "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403", "type": "github" }, "original": { @@ -1131,11 +1131,11 @@ ] }, "locked": { - "lastModified": 1743561237, - "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", + "lastModified": 1741055476, + "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", + "rev": "aefb7017d710f150970299685e8d8b549d653649", "type": "github" }, "original": { @@ -1151,11 +1151,11 @@ ] }, "locked": { - "lastModified": 1743561237, - "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=", + "lastModified": 1743906877, + "narHash": "sha256-Thah1oU8Vy0gs9bh5QhNcQh1iuQiowMnZPbrkURonZA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1de27ae43712a971c1da100dcd84386356f03ec7", + "rev": "9d00c6b69408dd40d067603012938d9fbe95cfcd", "type": "github" }, "original": { @@ -1171,11 +1171,11 @@ ] }, "locked": { - "lastModified": 1743502316, - "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=", + "lastModified": 1743910657, + "narHash": "sha256-zr2jmWeWyhCD8WmO2aWov2g0WPPuZfcJDKzMJZYGq3Y=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8", + "rev": "523f58a4faff6c67f5f685bed33a7721e984c304", "type": "github" }, "original": { @@ -1267,11 +1267,11 @@ ] }, "locked": { - "lastModified": 1743558944, - "narHash": "sha256-LtmHSXZjFXUWYwWhvEPWSbnmAD62TrvLdZGqQvcSHIY=", + "lastModified": 1743904774, + "narHash": "sha256-dHnwYLz1b6ohGP2DjWKpDFEZ9WOm4vYuPXKUna08awU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "bc23f562c367b3e6300d596c24f0080220897df7", + "rev": "da51d4cab526bef885e8c95ab2b9455bfe0940d4", "type": "github" }, "original": { diff --git a/home/codium.nix b/home/codium.nix index 117c9e0..706736d 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -24,6 +24,7 @@ golang.go ms-python.python christian-kohler.path-intellisense + # firefox-devtools.vscode-firefox-debug ]; userSettings = let @@ -74,6 +75,11 @@ "telemetry.enableTelemetry" = false; "telemetry.telemetryLevel" = "off"; "window.titleBarStyle" = "custom"; + # https://github.com/ChristianKohler/PathIntellisense#installation + "typescript.suggest.paths" = false; + "javascript.suggest.paths" = false; + + "path-intellisense.absolutePathToWorkspace" = true; # terminal stuff "terminal.integrated.cursorBlinking" = true; diff --git a/home/kitty.nix b/home/kitty.nix index ea7047f..a77a432 100644 --- a/home/kitty.nix +++ b/home/kitty.nix @@ -17,10 +17,11 @@ # will probably lower this later but the max allowed is actually 4GB # this is NOT stored in memory and can only be viewed with scrollback_pager - "scrollback_pager_history_size" = "1024"; + "scrollback_pager_history_size" = "10"; # in MB # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399 "scrollback_pager" = "bat --pager='less -FR +G'"; - "scrollback_lines" = 20000; + # "scrollback_lines" = 20000; + wheel_scroll_multiplier = 50; }; keybindings = { # kitty_mod is ctrl+shift by default @@ -58,18 +59,29 @@ "kitty_mod+alt+p" = "move_tab_backward"; "kitty_mod+q" = "close_tab"; "kitty_mod+t" = "new_tab_with_cwd"; - "ctrl+f2" = "detach_tab"; # hints # > basically means the preceding key is a prefix (think tmux) "kitty_mod+o>o" = "open_url_with_hints"; - "kitty_mod+o>p" = "kitten hints --type path --program -"; - "kitty_mod+o>n" = "kitten hints --type line --program -"; - "kitty_mod+o>w" = "kitten hints --type word --program -"; - "kitty_mod+o>h" = "kitten hints --type hash --program -"; + # `--program @` means copy to clipboard + "kitty_mod+o>u" = "kitten hints --type url --program @"; + "kitty_mod+o>p" = "kitten hints --type path --program @"; + "kitty_mod+o>n" = "kitten hints --type line --program @"; + "kitty_mod+o>w" = "kitten hints --type word --program @"; + "kitty_mod+o>h" = "kitten hints --type hash --program @"; "kitty_mod+o>l" = "kitten hints --type linenum"; + + # scrolling + "kitty_mod+u" = "scroll_page_up"; + "kitty_mod+d" = "scroll_page_down"; + "kitty_mod+a" = "scroll_home"; + "kitty_mod+e" = "scroll_end"; + "kitty_mod+z" = "scroll_to_prompt -1"; # scroll to previous shell prompt + "kitty_mod+x" = "scroll_to_prompt 1"; # scroll to next shell prompt + "kitty_mod+y" = "show_scrollback"; # browse scrollback buffer in pager + "kitty_mod+g" = "show_last_command_output"; # browse output of last command in pager }; }; - # programs.zsh.shellAliases."ssh" = "kitten ssh"; # doesn't seem to work with bitwarden ssh agent :( + programs.zsh.shellAliases."ssh" = "kitten ssh"; } diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 56bae51..9c6289d 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -18,7 +18,6 @@ ./grafana.nix ./conduwuit.nix ./immich.nix - ./element.nix ./forgejo.nix ./garage.nix ./tailscale.nix @@ -47,20 +46,14 @@ "rsyncnet/id_ed25519" = { sopsFile = ../../secrets/zh5061/chunk.yaml; }; - "attic/env" = { - sopsFile = ../../secrets/services/attic.yaml; - }; "garage/env" = { sopsFile = ../../secrets/services/garage.yaml; }; "tailscale/auth" = { sopsFile = ../../secrets/services/tailscale.yaml; }; - "zipline/env" = { - sopsFile = ../../secrets/services/zipline.yaml; - }; - "searx/env" = { - sopsFile = ../../secrets/services/searx.yaml; + "karakeep/env" = { + sopsFile = ../../secrets/services/karakeep.yaml; }; }; @@ -187,9 +180,10 @@ programs.git.enable = true; my.caddy.enable = true; - - # container stuff my.containerization.enable = true; - my.authelia.enable = true; + my.karakeep = { + enable = true; + dataDir = "/opt/karakeep"; + }; } diff --git a/hosts/chunk/element.nix b/hosts/chunk/element.nix deleted file mode 100644 index 5a12e1e..0000000 --- a/hosts/chunk/element.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ - pkgs, - config, - ... -}: -{ - virtualisation.oci-containers.containers.element = { - image = "vectorim/element-web"; - autoStart = true; - ports = [ "127.0.0.1:8089:8089" ]; - pull = "newer"; - networks = [ "element-net" ]; - environment = { - ELEMENT_WEB_PORT = "8089"; - }; - }; - - systemd.services.create-element-net = { - serviceConfig.Type = "oneshot"; - wantedBy = with config.virtualisation.oci-containers; [ - "${backend}-element.service" - ]; - script = '' - ${pkgs.podman}/bin/podman network exists element-net || \ - ${pkgs.podman}/bin/podman network create element-net - ''; - }; - - services.caddy.virtualHosts."element.cy7.sh".extraConfig = '' - import common - reverse_proxy localhost:8089 - ''; -} diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix index 982e1f4..a36dc49 100644 --- a/hosts/chunk/garage.nix +++ b/hosts/chunk/garage.nix @@ -17,6 +17,7 @@ }; admin.api_bind_addr = "[::]:3903"; rpc_bind_addr = "[::]:3901"; + rpc_public_addr = "100.122.132.30:3901"; replication_factor = 1; db_engine = "lmdb"; disable_scrub = true; diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix index f79a7ff..33a77a0 100644 --- a/hosts/chunk/grafana.nix +++ b/hosts/chunk/grafana.nix @@ -42,6 +42,7 @@ services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = '' import common + import authelia reverse_proxy localhost:8088 ''; } diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 62505f9..1e7e497 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix @@ -11,7 +11,7 @@ dialect = "postgresql"; }; port = 8085; - domain = "pad.cything.io"; + domain = "pad.cy7.sh"; allowEmailRegister = false; protocolUseSSL = true; }; diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix index c592fbb..1c474af 100644 --- a/hosts/chunk/rclone.nix +++ b/hosts/chunk/rclone.nix @@ -14,18 +14,19 @@ let --config ${config.sops.secrets."rclone/config".path} \ --allow-other \ --cache-dir /var/cache/rclone \ - --transfers 32 \ + --transfers 64 \ --vfs-cache-mode full \ --vfs-cache-min-free-space 5G \ --dir-cache-time 30d \ --no-checksum \ --no-modtime \ --vfs-fast-fingerprint \ - --vfs-read-chunk-size 16M \ + --vfs-read-chunk-size 8M \ --vfs-read-chunk-streams 16 \ - --sftp-concurrency 64 \ + --sftp-concurrency 128 \ --sftp-chunk-size 255k \ --buffer-size 0 \ + --write-back-cache \ ${remote} ${mount} ''; ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}"; diff --git a/modules/authelia.nix b/modules/authelia.nix index afd8b52..f231f50 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix @@ -49,9 +49,14 @@ in webauthn = { enable_passkey_login = true; }; + identity_providers.oidc.claims_policies = { + # https://github.com/karakeep-app/karakeep/issues/410 + # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter + karakeep.id_token = [ "email" ]; + }; identity_providers.oidc.clients = [ { - client_id = "immich"; + client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y"; client_name = "immich"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8"; public = false; @@ -65,7 +70,7 @@ in userinfo_signed_response_alg = "none"; } { - client_id = "forgejo"; + client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU"; client_name = "Forgejo"; client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA"; public = false; @@ -77,6 +82,34 @@ in userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; } + { + client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG"; + client_name = "HedgeDoc"; + client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://pad.cy7.sh/auth/oauth2/callback" + ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + grant_types = [ "refresh_token" "authorization_code" ]; + response_types = [ "code" ]; + response_modes = [ "form_post" "query" "fragment" ]; + audience = []; + token_endpoint_auth_method = "client_secret_post"; + } + { + client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; + client_name = "Karakeep"; + client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + claims_policy = "karakeep"; + } ]; }; secrets = { @@ -101,4 +134,4 @@ in reverse_proxy localhost:9091 ''; }; -} \ No newline at end of file +} diff --git a/modules/containerization.nix b/modules/containerization.nix index fd39da9..2bcc8dd 100644 --- a/modules/containerization.nix +++ b/modules/containerization.nix @@ -30,6 +30,10 @@ in }; # answer on /var/run/docker.sock dockerSocket.enable = true; + autoPrune = { + enable = true; + dates = "daily"; + }; }; docker.enable = lib.mkIf (!cfg.usePodman) true; oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker"; diff --git a/modules/default.nix b/modules/default.nix index db7bfa4..0d4638f 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -10,5 +10,6 @@ ./searx.nix ./attic.nix ./authelia.nix + ./karakeep.nix ]; } diff --git a/modules/karakeep.nix b/modules/karakeep.nix new file mode 100644 index 0000000..3e75f74 --- /dev/null +++ b/modules/karakeep.nix @@ -0,0 +1,81 @@ +{ config, lib, ... }: +let + cfg = config.my.karakeep; +in +{ + options.my.karakeep = { + enable = lib.mkEnableOption "karakeep"; + dataDir = lib.mkOption { + type = lib.types.path; + }; + port = lib.mkOption { + default = 3002; + description = "port for the web service"; + type = lib.types.port; + }; + domain = lib.mkOption { + default = "keep.cy7.sh"; + type = lib.types.str; + }; + environmentFile = lib.mkOption { + default = config.sops.secrets."karakeep/env".path; + type = lib.types.path; + }; + }; + + config = lib.mkIf cfg.enable { + virtualisation.oci-containers.containers = { + karakeep-web = { + image = "ghcr.io/karakeep-app/karakeep:release"; + pull = "newer"; + volumes = [ "${cfg.dataDir}:/data" ]; + ports = [ "${toString cfg.port}:3000"]; + dependsOn = [ + "karakeep-chrome" + "karakeep-meilisearch" + ]; + environment = { + MEILI_ADDR = "http://karakeep-meilisearch:7700"; + BROWSER_WEB_URL = "http://karakeep-chrome:9222"; + DATA_DIR = "/data"; + NEXTAUTH_URL = "https://${cfg.domain}"; + DISABLE_PASSWORD_AUTH = "true"; + OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration"; + OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5"; + OAUTH_PROVIDER_NAME = "Authelia"; + OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"; + }; + # needs NEXTAUTH_SECRET + environmentFiles = [ "${cfg.environmentFile}" ]; + }; + + karakeep-chrome = { + image = "ghcr.io/zenika/alpine-chrome:latest"; + pull = "newer"; + cmd = [ + "--no-sandbox" + "--disable-gpu" + "--disable-dev-shm-usage" + "--remote-debugging-address=0.0.0.0" + "--remote-debugging-port=9222" + "--hide-scrollbars" + ]; + }; + + karakeep-meilisearch = { + image = "getmeili/meilisearch:latest"; + volumes = [ "meilisearch:/meili_data" ]; + environment = { + MEILI_NO_ANALYTICS = "true"; + }; + # needs MEILI_MASTER_KEY + environmentFiles = [ "${cfg.environmentFile}" ]; + }; + }; + + services.caddy.virtualHosts.${cfg.domain}.extraConfig = '' + import common + reverse_proxy localhost:${toString cfg.port} + ''; + }; +} \ No newline at end of file diff --git a/secrets/services/hedgedoc.yaml b/secrets/services/hedgedoc.yaml index 84ef3d6..0c693dc 100644 --- a/secrets/services/hedgedoc.yaml +++ b/secrets/services/hedgedoc.yaml @@ -1,10 +1,6 @@ hedgedoc: - env: ENC[AES256_GCM,data:15rWiIYWyIJ0Hxl5I8m+EBV+FkNDT/OHlLK9shVS46UE7SQtuIh45N5hvwgs0rg9E9Tawu+lyE2aozWNh6HSDUZ1h4FYrB+JHwIetGkOqXSLHfXi,iv:v9ohLTtlxw3fsRoJJoOY5VYxVsxUyDEsQHRjcGKg/GY=,tag:Wncm1reqNblnVhRTYjU3Pg==,type:str] + env: ENC[AES256_GCM,data:9xnOlQrk1qCyiAHSjmu8dvj2/z/BrJlngNGAQnMwvLsL0pnyvvyJLnYWTDYix1a9o8OJUNLw6Qhq7KbY4uXfxsNZkfGdVHwvkvhySjR2rcX/r90txqHJUUIxE/TzdsBvonzQ0F85KfXhsi69gKHp016gCj+jNf6CCY+tOVpt71el4Z+jzqLHasuQET8GctKJRzHOfNfCx/X2kJeb7RQl3JFC6/VmYT45bUk7uFfveFD9ao03wJwLKi27wO1WDrfpOigFdvkmqpbWZjaILYHYmkdhdlhr7w330CiCmGHT/ssmSPcu5cYUc8tjYPgpYLjusiUzpE5jmut5GaNwZsY9hNuow/mUVnQ/tCDH0ChOq0DQisJ07VMYlRII9tMdcuT4IbjjwiRcYlORAHsTFUuo5DCaDp8a4mx846BGp1YMQsvqJQgOe4x15VMpeB/ptxm79qxcLZKZ3BkiJaKmDdWsVk9RfqVgsxqiq16Me2EQhknO2s/oBjGOaoIiT4NEuRFQl0BIPgIMD0lYzKx0uDaYyclID5W0DqMI+SrcBd+WH/BB9HPdZx92rFe34PzjZse0i6+5UZHXUu8au6CyLMqGkUlzkSFwVT5W7Lv2m9P3+6YjgPRMaYbg8b6kmavB6EtjiqWtTbMKr3nxPVYJc5FRImvebfFqiLy5MWoNV6Qe7TUGIk6QtX2OWBhQ1UB+IpR+180QH7yw7UpgJ9EM8dD2m2/smar5P0BjAaqAFib++GzoB0OfFtxJNUjrejQC11tRWBXYvcHWwa78VbKPul0xqiEMmsAZufMix4lD1EgutTf1CXfv7l0rUpLwkYbWIq2hT5UI53L0YWJDl7zlhi94ANdXV8z8kCvMeXm2Fwl/vIgJ9JuFeVeVYPpXwx2coLBwE6uI4SuFvY1d4ojvzY8KftcHWO7srVzpuwrwW+6gKLwPQyEazv+sRKXAGo0ffMO2/2KRgOu9zGwaOFaNDAZ6gYFDWbPz6TMfNWHzfLEFK5BlVAL8KDb78IODUBYcMr2CX1Y=,iv:LDkuJgxIbohEVf7wmdtOZ/vlPddMYa7uzHGkL+0MnUM=,tag:pnJiCJydjTmUbS761fPUPw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn enc: | @@ -24,8 +20,7 @@ sops: enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e 9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-17T03:25:54Z" - mac: ENC[AES256_GCM,data:1cxiK/HhqYzatT2PhZxjvtizII2QMHqbbyOujUtx4cT8x488j2wecu6hOfSkuHbQ43AxA8kDH1NAruPCSdCpj3PytMR+np+R/5WuRcK+OF/FCnWvWvvHqgDnBs/wYjllnR6HyWBlhrROpINxu9ch4fzN0Def3I7O+wJgpojnPiU=,iv:PKPykPv9zSHj9+HXnrg1v8Ty78te66D9ZH6c1V7Qlh4=,tag:JQk68u6p317r3Df+hv16+g==,type:str] - pgp: [] + lastmodified: "2025-04-05T21:08:15Z" + mac: ENC[AES256_GCM,data:cPisYUoZWd/vd+wWzz3xTnftj1RdjK20dWFo+MKssm/eu7eCOWDIaZdcJg13gkTleBpMWQy/mG1drC6GLfGQiBmkS99UCPAoo0aLTBL4FbSm6FEXdbVjoOI7URu6Sj31drWCMAm+lXYymWsHwZJrNLhjsCTQsxTPvFq8oOdNlXo=,iv:KpmJoZ/BGEEhZ75jXfXxegNglm7k6mtleRuVud6tX2g=,tag:lsiqX+YSz4mGK6mw9gdKNg==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.1 diff --git a/secrets/services/karakeep.yaml b/secrets/services/karakeep.yaml new file mode 100644 index 0000000..cc09262 --- /dev/null +++ b/secrets/services/karakeep.yaml @@ -0,0 +1,35 @@ +karakeep: + env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str] +sops: + age: + - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx + TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4 + eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p + bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G + bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x + QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16 + Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq + cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN + NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N + UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG + ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU + K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+ + DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-04-05T19:44:58Z" + mac: ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.1