flake.lock: Update

Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/bb036cb35383982066e01a6ac8d45597132cf5d5' (2025-04-04)
  → 'github:nix-community/home-manager/ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7' (2025-04-06)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/b3696bfb6c24aa61428839a99e8b40c53ac3a82d' (2025-03-30)
  → 'github:nix-community/nix-index-database/a36f6a7148aec2c77d78e4466215cceb2f5f4bfb' (2025-04-06)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/30705076a1748a2b2a1cf0539ea1665eef4d2f4a' (2025-04-04)
  → 'github:nixos/nixpkgs/06f3516b0397bd241bde2daefc8538fc886c5467' (2025-04-05)
• Updated input 'nixpkgs-stable':
    'github:nixos/nixpkgs/44a69ed688786e98a101f02b712c313f1ade37ab' (2025-04-02)
  → 'github:nixos/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6' (2025-04-05)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/c4a8327b0f25d1d81edecbb6105f74d7cf9d7382' (2025-04-03)
  → 'github:oxalica/rust-overlay/9d00c6b69408dd40d067603012938d9fbe95cfcd' (2025-04-06)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/cff8437c5fe8c68fc3a840a21bf1f4dc801da40d' (2025-04-04)
  → 'github:Mic92/sops-nix/523f58a4faff6c67f5f685bed33a7721e984c304' (2025-04-06)
• Updated input 'vscode-extensions':
    'github:nix-community/nix-vscode-extensions/c8270f31af9c37e4fe5711567a6412460e94e9b7' (2025-04-04)
  → 'github:nix-community/nix-vscode-extensions/da51d4cab526bef885e8c95ab2b9455bfe0940d4' (2025-04-06)

.github/workflows/build-machines-and-homes.yml

@@ -74,7 +74,7 @@ jobs:
         run: |
           package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
           nix run git+https://git.cy7.sh/cy/nixcp.git -- \
-            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \
+            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
             -u https://nix-community.cachix.org \
             -u https://nixcache.web.cy7.sh \
             $package
@@ -143,7 +143,7 @@ jobs:
         run: |
           package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
           nix run git+https://git.cy7.sh/cy/nixcp.git -- \
-            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \
+            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
             -u https://nix-community.cachix.org \
             -u https://nixcache.web.cy7.sh \
             $package

.github/workflows/build-packages.yml

@@ -62,7 +62,7 @@ jobs:
         if: '!cancelled()'
         run: |
           nix run git+https://git.cy7.sh/cy/nixcp.git -- \
-            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=none' \
+            --to 's3://nixcache?endpoint=s3.cy7.sh&secret-key=/home/runner/cache-priv-key.pem&compression=zstd' \
             -u https://nix-community.cachix.org \
             -u https://nixcache.web.cy7.sh \
             "${{ matrix.package }}"

.sops.yaml

@@ -135,4 +135,10 @@ creation_rules:
           - *yt
           - *cy
           - *chunk
+  - path_regex: secrets/services/karakeep.yaml
+    key_groups:
+      - age:
+          - *yt
+          - *cy
+          - *chunk
 

flake.lock

@@ -114,11 +114,11 @@
         "rocksdb": "rocksdb"
       },
       "locked": {
-        "lastModified": 1743473828,
-        "narHash": "sha256-x/sfh6LCHGAz8rL23GHhH7dac1LtHBbRRJi1p8gOdtI=",
+        "lastModified": 1743780871,
+        "narHash": "sha256-xmDepDLHsIWiwpWYjhI40XOrV9jCKrYJQ+EK1EOIdRg=",
         "owner": "girlbossceo",
         "repo": "conduwuit",
-        "rev": "0f81c1e1ccdcb0c5c6d5a27e82f16eb37b1e61c8",
+        "rev": "4e5b87d0cd16f3d015f4b61285b369d027bb909d",
         "type": "github"
       },
       "original": {
@@ -151,11 +151,11 @@
     },
     "crane_2": {
       "locked": {
-        "lastModified": 1742394900,
-        "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=",
+        "lastModified": 1739936662,
+        "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd",
+        "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7",
         "type": "github"
       },
       "original": {
@@ -167,11 +167,11 @@
     },
     "crane_3": {
       "locked": {
-        "lastModified": 1742394900,
-        "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=",
+        "lastModified": 1737689766,
+        "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd",
+        "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527",
         "type": "github"
       },
       "original": {
@@ -182,11 +182,11 @@
     },
     "crane_4": {
       "locked": {
-        "lastModified": 1742394900,
-        "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=",
+        "lastModified": 1741148495,
+        "narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd",
+        "rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53",
         "type": "github"
       },
       "original": {
@@ -386,11 +386,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "lastModified": 1740872218,
+        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
         "type": "github"
       },
       "original": {
@@ -610,11 +610,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743556466,
-        "narHash": "sha256-rvU79DJ6rPDxiH0sTp686Vlm+JewwAZPGcwt8OfHJbM=",
+        "lastModified": 1743948087,
+        "narHash": "sha256-B6cIi2ScgVSROPPlTti6len+TdR0K25B9R3oKvbw3M8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5ee44bc7c2e853f144390a12ebe5174ad7e3b9e0",
+        "rev": "ef3b2a6b602c3f1a80c6897d6de3ee62339a3eb7",
         "type": "github"
       },
       "original": {
@@ -826,11 +826,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743306489,
-        "narHash": "sha256-LROaIjSLo347cwcHRfSpqzEOa2FoLSeJwU4dOrGm55E=",
+        "lastModified": 1743911143,
+        "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "b3696bfb6c24aa61428839a99e8b40c53ac3a82d",
+        "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb",
         "type": "github"
       },
       "original": {
@@ -909,11 +909,11 @@
     },
     "nixpkgs-stable_3": {
       "locked": {
-        "lastModified": 1743501102,
-        "narHash": "sha256-7PCBQ4aGVF8OrzMkzqtYSKyoQuU2jtpPi4lmABpe5X4=",
+        "lastModified": 1743813633,
+        "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "02f2af8c8a8c3b2c05028936a1e84daefa1171d4",
+        "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6",
         "type": "github"
       },
       "original": {
@@ -973,11 +973,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1743448293,
-        "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=",
+        "lastModified": 1742669843,
+        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3",
+        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
         "type": "github"
       },
       "original": {
@@ -989,11 +989,11 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1743559129,
-        "narHash": "sha256-7gpAWsENV3tY2HmeHYQ2MoQxGpys+jQWnkS/BHAMXVk=",
+        "lastModified": 1743862455,
+        "narHash": "sha256-I/QXtrqznq1321mYR9TyMPX/zCWb9iAH64hO+pEBY00=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "adae22bea8bcc0aa2fd6e8732044660fb7755f5e",
+        "rev": "06f3516b0397bd241bde2daefc8538fc886c5467",
         "type": "github"
       },
       "original": {
@@ -1110,11 +1110,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743561237,
-        "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=",
+        "lastModified": 1741228283,
+        "narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "1de27ae43712a971c1da100dcd84386356f03ec7",
+        "rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403",
         "type": "github"
       },
       "original": {
@@ -1131,11 +1131,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743561237,
-        "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=",
+        "lastModified": 1741055476,
+        "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "1de27ae43712a971c1da100dcd84386356f03ec7",
+        "rev": "aefb7017d710f150970299685e8d8b549d653649",
         "type": "github"
       },
       "original": {
@@ -1151,11 +1151,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743561237,
-        "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=",
+        "lastModified": 1743906877,
+        "narHash": "sha256-Thah1oU8Vy0gs9bh5QhNcQh1iuQiowMnZPbrkURonZA=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "1de27ae43712a971c1da100dcd84386356f03ec7",
+        "rev": "9d00c6b69408dd40d067603012938d9fbe95cfcd",
         "type": "github"
       },
       "original": {
@@ -1171,11 +1171,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743502316,
-        "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=",
+        "lastModified": 1743910657,
+        "narHash": "sha256-zr2jmWeWyhCD8WmO2aWov2g0WPPuZfcJDKzMJZYGq3Y=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8",
+        "rev": "523f58a4faff6c67f5f685bed33a7721e984c304",
         "type": "github"
       },
       "original": {
@@ -1267,11 +1267,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743558944,
-        "narHash": "sha256-LtmHSXZjFXUWYwWhvEPWSbnmAD62TrvLdZGqQvcSHIY=",
+        "lastModified": 1743904774,
+        "narHash": "sha256-dHnwYLz1b6ohGP2DjWKpDFEZ9WOm4vYuPXKUna08awU=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "bc23f562c367b3e6300d596c24f0080220897df7",
+        "rev": "da51d4cab526bef885e8c95ab2b9455bfe0940d4",
         "type": "github"
       },
       "original": {

home/codium.nix

@@ -24,6 +24,7 @@
           golang.go
           ms-python.python
           christian-kohler.path-intellisense
+          # firefox-devtools.vscode-firefox-debug
         ];
       userSettings =
         let
@@ -74,6 +75,11 @@
           "telemetry.enableTelemetry" = false;
           "telemetry.telemetryLevel" = "off";
           "window.titleBarStyle" = "custom";
+          # https://github.com/ChristianKohler/PathIntellisense#installation
+          "typescript.suggest.paths" = false;
+          "javascript.suggest.paths" = false;
+
+          "path-intellisense.absolutePathToWorkspace" = true;
 
           # terminal stuff
           "terminal.integrated.cursorBlinking" = true;

home/kitty.nix

@@ -17,10 +17,11 @@
 
       # will probably lower this later but the max allowed is actually 4GB
       # this is NOT stored in memory and can only be viewed with scrollback_pager
-      "scrollback_pager_history_size" = "1024";
+      "scrollback_pager_history_size" = "10"; # in MB
       # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
       "scrollback_pager" = "bat --pager='less -FR +G'";
-      "scrollback_lines" = 20000;
+      # "scrollback_lines" = 20000;
+      wheel_scroll_multiplier = 50;
     };
     keybindings = {
       # kitty_mod is ctrl+shift by default
@@ -58,18 +59,29 @@
       "kitty_mod+alt+p" = "move_tab_backward";
       "kitty_mod+q" = "close_tab";
       "kitty_mod+t" = "new_tab_with_cwd";
-      "ctrl+f2" = "detach_tab";
 
       # hints
       # > basically means the preceding key is a prefix (think tmux)
       "kitty_mod+o>o" = "open_url_with_hints";
-      "kitty_mod+o>p" = "kitten hints --type path --program -";
-      "kitty_mod+o>n" = "kitten hints --type line --program -";
-      "kitty_mod+o>w" = "kitten hints --type word --program -";
-      "kitty_mod+o>h" = "kitten hints --type hash --program -";
+      # `--program @` means copy to clipboard
+      "kitty_mod+o>u" = "kitten hints --type url --program @";
+      "kitty_mod+o>p" = "kitten hints --type path --program @";
+      "kitty_mod+o>n" = "kitten hints --type line --program @";
+      "kitty_mod+o>w" = "kitten hints --type word --program @";
+      "kitty_mod+o>h" = "kitten hints --type hash --program @";
       "kitty_mod+o>l" = "kitten hints --type linenum";
+
+      # scrolling
+      "kitty_mod+u" = "scroll_page_up";
+      "kitty_mod+d" = "scroll_page_down";
+      "kitty_mod+a" = "scroll_home";
+      "kitty_mod+e" = "scroll_end";
+      "kitty_mod+z" = "scroll_to_prompt -1"; # scroll to previous shell prompt
+      "kitty_mod+x" = "scroll_to_prompt 1"; # scroll to next shell prompt
+      "kitty_mod+y" = "show_scrollback"; # browse scrollback buffer in pager
+      "kitty_mod+g" = "show_last_command_output"; # browse output of last command in pager
     };
   };
 
-  # programs.zsh.shellAliases."ssh" = "kitten ssh"; # doesn't seem to work with bitwarden ssh agent :(
+  programs.zsh.shellAliases."ssh" = "kitten ssh";
 }

hosts/chunk/default.nix

@@ -18,7 +18,6 @@
     ./grafana.nix
     ./conduwuit.nix
     ./immich.nix
-    ./element.nix
     ./forgejo.nix
     ./garage.nix
     ./tailscale.nix
@@ -47,20 +46,14 @@
     "rsyncnet/id_ed25519" = {
       sopsFile = ../../secrets/zh5061/chunk.yaml;
     };
-    "attic/env" = {
-      sopsFile = ../../secrets/services/attic.yaml;
-    };
     "garage/env" = {
       sopsFile = ../../secrets/services/garage.yaml;
     };
     "tailscale/auth" = {
       sopsFile = ../../secrets/services/tailscale.yaml;
     };
-    "zipline/env" = {
-      sopsFile = ../../secrets/services/zipline.yaml;
-    };
-    "searx/env" = {
-      sopsFile = ../../secrets/services/searx.yaml;
+    "karakeep/env" = {
+      sopsFile = ../../secrets/services/karakeep.yaml;
     };
   };
 
@@ -187,9 +180,10 @@
   programs.git.enable = true;
 
   my.caddy.enable = true;
-
-  # container stuff
   my.containerization.enable = true;
-
   my.authelia.enable = true;
+  my.karakeep = {
+    enable = true;
+    dataDir = "/opt/karakeep";
+  };
 }

hosts/chunk/element.nix

@@ -1,33 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}:
-{
-  virtualisation.oci-containers.containers.element = {
-    image = "vectorim/element-web";
-    autoStart = true;
-    ports = [ "127.0.0.1:8089:8089" ];
-    pull = "newer";
-    networks = [ "element-net" ];
-    environment = {
-      ELEMENT_WEB_PORT = "8089";
-    };
-  };
-
-  systemd.services.create-element-net = {
-    serviceConfig.Type = "oneshot";
-    wantedBy = with config.virtualisation.oci-containers; [
-      "${backend}-element.service"
-    ];
-    script = ''
-      ${pkgs.podman}/bin/podman network exists element-net || \
-      ${pkgs.podman}/bin/podman network create element-net
-    '';
-  };
-
-  services.caddy.virtualHosts."element.cy7.sh".extraConfig = ''
-    import common
-    reverse_proxy localhost:8089
-  '';
-}

hosts/chunk/garage.nix

@@ -17,6 +17,7 @@
       };
       admin.api_bind_addr = "[::]:3903";
       rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "100.122.132.30:3901";
       replication_factor = 1;
       db_engine = "lmdb";
       disable_scrub = true;

hosts/chunk/grafana.nix

@@ -42,6 +42,7 @@
 
   services.caddy.virtualHosts."grafana.cy7.sh".extraConfig = ''
     import common
+    import authelia
     reverse_proxy localhost:8088
   '';
 }

hosts/chunk/hedgedoc.nix

@@ -11,7 +11,7 @@
         dialect = "postgresql";
       };
       port = 8085;
-      domain = "pad.cything.io";
+      domain = "pad.cy7.sh";
       allowEmailRegister = false;
       protocolUseSSL = true;
     };

hosts/chunk/rclone.nix

@@ -14,18 +14,19 @@ let
         --config ${config.sops.secrets."rclone/config".path} \
         --allow-other \
         --cache-dir /var/cache/rclone \
-        --transfers 32 \
+        --transfers 64 \
         --vfs-cache-mode full \
         --vfs-cache-min-free-space 5G \
         --dir-cache-time 30d \
         --no-checksum \
         --no-modtime \
         --vfs-fast-fingerprint \
-        --vfs-read-chunk-size 16M \
+        --vfs-read-chunk-size 8M \
         --vfs-read-chunk-streams 16 \
-        --sftp-concurrency 64 \
+        --sftp-concurrency 128 \
         --sftp-chunk-size 255k \
         --buffer-size 0 \
+        --write-back-cache \
         ${remote} ${mount}
     '';
     ExecStop = "${lib.getExe' pkgs.fuse "fusermount"} -zu ${mount}";

modules/authelia.nix

@@ -49,9 +49,14 @@ in
         webauthn = {
           enable_passkey_login = true;
         };
+        identity_providers.oidc.claims_policies = {
+          # https://github.com/karakeep-app/karakeep/issues/410
+          # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
+          karakeep.id_token = [ "email" ];
+        };
         identity_providers.oidc.clients = [
           {
-            client_id = "immich";
+            client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y";
             client_name = "immich";
             client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8";
             public = false;
@@ -65,7 +70,7 @@ in
             userinfo_signed_response_alg = "none";
           }
           {
-            client_id = "forgejo";
+            client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU";
             client_name = "Forgejo";
             client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA";
             public = false;
@@ -77,6 +82,34 @@ in
             userinfo_signed_response_alg = "none";
             token_endpoint_auth_method = "client_secret_basic";
           }
+          {
+            client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG";
+            client_name = "HedgeDoc";
+            client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg";
+            public = false;
+            authorization_policy = "two_factor";
+            redirect_uris = [
+              "https://pad.cy7.sh/auth/oauth2/callback"
+            ];
+            scopes = [ "openid" "profile" "email" ];
+            userinfo_signed_response_alg = "none";
+            grant_types = [ "refresh_token" "authorization_code" ];
+            response_types = [ "code" ];
+            response_modes = [ "form_post" "query" "fragment" ];
+            audience = [];
+            token_endpoint_auth_method = "client_secret_post";
+          }
+          {
+            client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
+            client_name = "Karakeep";
+            client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw";
+            public = false;
+            authorization_policy = "two_factor";
+            redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ];
+            scopes = [ "openid" "profile" "email" ];
+            userinfo_signed_response_alg = "none";
+            claims_policy = "karakeep";
+          }
         ];
       };
       secrets = {
@@ -101,4 +134,4 @@ in
       reverse_proxy localhost:9091
     '';
   };
-}
+}

modules/containerization.nix

@@ -30,6 +30,10 @@ in
         };
         # answer on /var/run/docker.sock
         dockerSocket.enable = true;
+        autoPrune = {
+          enable = true;
+          dates = "daily";
+        };
       };
       docker.enable = lib.mkIf (!cfg.usePodman) true;
       oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";

modules/default.nix

@@ -10,5 +10,6 @@
     ./searx.nix
     ./attic.nix
     ./authelia.nix
+    ./karakeep.nix
   ];
 }

modules/karakeep.nix

@@ -0,0 +1,81 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.karakeep;
+in
+{
+  options.my.karakeep = {
+    enable = lib.mkEnableOption "karakeep";
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+    };
+    port = lib.mkOption {
+      default = 3002;
+      description = "port for the web service";
+      type = lib.types.port;
+    };
+    domain = lib.mkOption {
+      default = "keep.cy7.sh";
+      type = lib.types.str;
+    };
+    environmentFile = lib.mkOption {
+      default = config.sops.secrets."karakeep/env".path;
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.containers = {
+      karakeep-web = {
+        image = "ghcr.io/karakeep-app/karakeep:release";
+        pull = "newer";
+        volumes = [ "${cfg.dataDir}:/data" ];
+        ports = [ "${toString cfg.port}:3000"];
+        dependsOn = [
+          "karakeep-chrome"
+          "karakeep-meilisearch"
+        ];
+        environment = {
+          MEILI_ADDR = "http://karakeep-meilisearch:7700";
+          BROWSER_WEB_URL = "http://karakeep-chrome:9222";
+          DATA_DIR =  "/data";
+          NEXTAUTH_URL = "https://${cfg.domain}";
+          DISABLE_PASSWORD_AUTH = "true";
+          OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration";
+          OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
+          OAUTH_PROVIDER_NAME = "Authelia";
+          OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
+        };
+        # needs NEXTAUTH_SECRET
+        environmentFiles = [ "${cfg.environmentFile}" ];
+      };
+
+      karakeep-chrome = {
+        image = "ghcr.io/zenika/alpine-chrome:latest";
+        pull = "newer";
+        cmd = [
+          "--no-sandbox"
+          "--disable-gpu"
+          "--disable-dev-shm-usage"
+          "--remote-debugging-address=0.0.0.0"
+          "--remote-debugging-port=9222"
+          "--hide-scrollbars"
+        ];
+      };
+
+      karakeep-meilisearch = {
+        image = "getmeili/meilisearch:latest";
+        volumes = [ "meilisearch:/meili_data" ];
+        environment = {
+          MEILI_NO_ANALYTICS = "true";
+        };
+        # needs MEILI_MASTER_KEY
+        environmentFiles = [ "${cfg.environmentFile}" ];
+      };
+    };
+
+    services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
+      import common
+      reverse_proxy localhost:${toString cfg.port}
+    '';
+  };
+}

secrets/services/hedgedoc.yaml

@@ -1,10 +1,6 @@
 hedgedoc:
-    env: ENC[AES256_GCM,data:15rWiIYWyIJ0Hxl5I8m+EBV+FkNDT/OHlLK9shVS46UE7SQtuIh45N5hvwgs0rg9E9Tawu+lyE2aozWNh6HSDUZ1h4FYrB+JHwIetGkOqXSLHfXi,iv:v9ohLTtlxw3fsRoJJoOY5VYxVsxUyDEsQHRjcGKg/GY=,tag:Wncm1reqNblnVhRTYjU3Pg==,type:str]
+    env: ENC[AES256_GCM,data:9xnOlQrk1qCyiAHSjmu8dvj2/z/BrJlngNGAQnMwvLsL0pnyvvyJLnYWTDYix1a9o8OJUNLw6Qhq7KbY4uXfxsNZkfGdVHwvkvhySjR2rcX/r90txqHJUUIxE/TzdsBvonzQ0F85KfXhsi69gKHp016gCj+jNf6CCY+tOVpt71el4Z+jzqLHasuQET8GctKJRzHOfNfCx/X2kJeb7RQl3JFC6/VmYT45bUk7uFfveFD9ao03wJwLKi27wO1WDrfpOigFdvkmqpbWZjaILYHYmkdhdlhr7w330CiCmGHT/ssmSPcu5cYUc8tjYPgpYLjusiUzpE5jmut5GaNwZsY9hNuow/mUVnQ/tCDH0ChOq0DQisJ07VMYlRII9tMdcuT4IbjjwiRcYlORAHsTFUuo5DCaDp8a4mx846BGp1YMQsvqJQgOe4x15VMpeB/ptxm79qxcLZKZ3BkiJaKmDdWsVk9RfqVgsxqiq16Me2EQhknO2s/oBjGOaoIiT4NEuRFQl0BIPgIMD0lYzKx0uDaYyclID5W0DqMI+SrcBd+WH/BB9HPdZx92rFe34PzjZse0i6+5UZHXUu8au6CyLMqGkUlzkSFwVT5W7Lv2m9P3+6YjgPRMaYbg8b6kmavB6EtjiqWtTbMKr3nxPVYJc5FRImvebfFqiLy5MWoNV6Qe7TUGIk6QtX2OWBhQ1UB+IpR+180QH7yw7UpgJ9EM8dD2m2/smar5P0BjAaqAFib++GzoB0OfFtxJNUjrejQC11tRWBXYvcHWwa78VbKPul0xqiEMmsAZufMix4lD1EgutTf1CXfv7l0rUpLwkYbWIq2hT5UI53L0YWJDl7zlhi94ANdXV8z8kCvMeXm2Fwl/vIgJ9JuFeVeVYPpXwx2coLBwE6uI4SuFvY1d4ojvzY8KftcHWO7srVzpuwrwW+6gKLwPQyEazv+sRKXAGo0ffMO2/2KRgOu9zGwaOFaNDAZ6gYFDWbPz6TMfNWHzfLEFK5BlVAL8KDb78IODUBYcMr2CX1Y=,iv:LDkuJgxIbohEVf7wmdtOZ/vlPddMYa7uzHGkL+0MnUM=,tag:pnJiCJydjTmUbS761fPUPw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
           enc: |
@@ -24,8 +20,7 @@ sops:
             enlDZEI2NElkZkI3UmRyQUZqQWE5ZmcK2JlwNzVJNhGjyniIg9UY5tjgUKttkT3e
             9C/xag3dQCiqzX1O3o5tdhYnxXw+VxVf+qTFyyuftg5iQPZNuvX6mA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-17T03:25:54Z"
-    mac: ENC[AES256_GCM,data:1cxiK/HhqYzatT2PhZxjvtizII2QMHqbbyOujUtx4cT8x488j2wecu6hOfSkuHbQ43AxA8kDH1NAruPCSdCpj3PytMR+np+R/5WuRcK+OF/FCnWvWvvHqgDnBs/wYjllnR6HyWBlhrROpINxu9ch4fzN0Def3I7O+wJgpojnPiU=,iv:PKPykPv9zSHj9+HXnrg1v8Ty78te66D9ZH6c1V7Qlh4=,tag:JQk68u6p317r3Df+hv16+g==,type:str]
-    pgp: []
+    lastmodified: "2025-04-05T21:08:15Z"
+    mac: ENC[AES256_GCM,data:cPisYUoZWd/vd+wWzz3xTnftj1RdjK20dWFo+MKssm/eu7eCOWDIaZdcJg13gkTleBpMWQy/mG1drC6GLfGQiBmkS99UCPAoo0aLTBL4FbSm6FEXdbVjoOI7URu6Sj31drWCMAm+lXYymWsHwZJrNLhjsCTQsxTPvFq8oOdNlXo=,iv:KpmJoZ/BGEEhZ75jXfXxegNglm7k6mtleRuVud6tX2g=,tag:lsiqX+YSz4mGK6mw9gdKNg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.1

secrets/services/karakeep.yaml

@@ -0,0 +1,35 @@
+karakeep:
+    env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str]
+sops:
+    age:
+        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx
+            TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4
+            eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p
+            bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G
+            bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x
+            QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16
+            Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq
+            cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN
+            NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N
+            UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG
+            ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU
+            K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+
+            DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-05T19:44:58Z"
+    mac: ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1