10 changed files with 45 additions and 157 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -135,10 +135,4 @@ creation_rules:
          - *yt
          - *cy
          - *chunk
  - path_regex: secrets/services/karakeep.yaml
    key_groups:
      - age:
          - *yt
          - *cy
          - *chunk
--- a/home/codium.nix
+++ b/home/codium.nix
@ -24,7 +24,6 @@
          golang.go
          ms-python.python
          christian-kohler.path-intellisense
          # firefox-devtools.vscode-firefox-debug
        ];
      userSettings =
        let
@ -75,11 +74,6 @@
          "telemetry.enableTelemetry" = false;
          "telemetry.telemetryLevel" = "off";
          "window.titleBarStyle" = "custom";
          # https://github.com/ChristianKohler/PathIntellisense#installation
          "typescript.suggest.paths" = false;
          "javascript.suggest.paths" = false;
          "path-intellisense.absolutePathToWorkspace" = true;
          # terminal stuff
          "terminal.integrated.cursorBlinking" = true;
--- a/home/kitty.nix
+++ b/home/kitty.nix
@ -21,7 +21,6 @@
      # see https://github.com/sharkdp/bat/issues/1077#issuecomment-652785399
      "scrollback_pager" = "bat --pager='less -FR +G'";
      # "scrollback_lines" = 20000;
      wheel_scroll_multiplier = 50;
    };
    keybindings = {
      # kitty_mod is ctrl+shift by default
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -18,6 +18,7 @@
    ./grafana.nix
    ./conduwuit.nix
    ./immich.nix
    ./element.nix
    ./forgejo.nix
    ./garage.nix
    ./tailscale.nix
@ -46,14 +47,20 @@
    "rsyncnet/id_ed25519" = {
      sopsFile = ../../secrets/zh5061/chunk.yaml;
    };
    "attic/env" = {
      sopsFile = ../../secrets/services/attic.yaml;
    };
    "garage/env" = {
      sopsFile = ../../secrets/services/garage.yaml;
    };
    "tailscale/auth" = {
      sopsFile = ../../secrets/services/tailscale.yaml;
    };
-    "karakeep/env" = {
+    "zipline/env" = {
-      sopsFile = ../../secrets/services/karakeep.yaml;
+      sopsFile = ../../secrets/services/zipline.yaml;
    };
    "searx/env" = {
      sopsFile = ../../secrets/services/searx.yaml;
    };
  };
@ -180,10 +187,9 @@
  programs.git.enable = true;
  my.caddy.enable = true;
  # container stuff
  my.containerization.enable = true;
  my.authelia.enable = true;
  my.karakeep = {
    enable = true;
    dataDir = "/opt/karakeep";
  };
 }
--- a/hosts/chunk/element.nix
+++ b/hosts/chunk/element.nix
@ -0,0 +1,33 @@
 {
  pkgs,
  config,
  ...
 }:
 {
  virtualisation.oci-containers.containers.element = {
    image = "vectorim/element-web";
    autoStart = true;
    ports = [ "127.0.0.1:8089:8089" ];
    pull = "newer";
    networks = [ "element-net" ];
    environment = {
      ELEMENT_WEB_PORT = "8089";
    };
  };
  systemd.services.create-element-net = {
    serviceConfig.Type = "oneshot";
    wantedBy = with config.virtualisation.oci-containers; [
      "${backend}-element.service"
    ];
    script = ''
      ${pkgs.podman}/bin/podman network exists element-net || \
      ${pkgs.podman}/bin/podman network create element-net
    '';
  };
  services.caddy.virtualHosts."element.cy7.sh".extraConfig = ''
    import common
    reverse_proxy localhost:8089
  '';
 }
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@ -49,11 +49,6 @@ in
        webauthn = {
          enable_passkey_login = true;
        };
        identity_providers.oidc.claims_policies = {
          # https://github.com/karakeep-app/karakeep/issues/410
          # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
          karakeep.id_token = [ "email" ];
        };
        identity_providers.oidc.clients = [
          {
            client_id = "immich";
@ -99,17 +94,6 @@ in
            audience = [];
            token_endpoint_auth_method = "client_secret_post";
          }
          {
            client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
            client_name = "Karakeep";
            client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw";
            public = false;
            authorization_policy = "two_factor";
            redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signed_response_alg = "none";
            claims_policy = "karakeep";
          }
        ];
      };
      secrets = {
--- a/modules/containerization.nix
+++ b/modules/containerization.nix
@ -30,10 +30,6 @@ in
        };
        # answer on /var/run/docker.sock
        dockerSocket.enable = true;
        autoPrune = {
          enable = true;
          dates = "daily";
        };
      };
      docker.enable = lib.mkIf (!cfg.usePodman) true;
      oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -10,6 +10,5 @@
    ./searx.nix
    ./attic.nix
    ./authelia.nix
    ./karakeep.nix
  ];
 }
--- a/modules/karakeep.nix
+++ b/modules/karakeep.nix
@ -1,82 +0,0 @@
 { config, lib, ... }:
 let
  cfg = config.my.karakeep;
 in
 {
  options.my.karakeep = {
    enable = lib.mkEnableOption "karakeep";
    dataDir = lib.mkOption {
      type = lib.types.path;
    };
    port = lib.mkOption {
      default = 3002;
      description = "port for the web service";
      type = lib.types.port;
    };
    domain = lib.mkOption {
      default = "keep.cy7.sh";
      type = lib.types.str;
    };
    environmentFile = lib.mkOption {
      default = config.sops.secrets."karakeep/env".path;
      type = lib.types.path;
    };
  };
  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      karakeep-web = {
        image = "ghcr.io/karakeep-app/karakeep:release";
        pull = "newer";
        volumes = [ "${cfg.dataDir}:/data" ];
        ports = [ "${toString cfg.port}:3000"];
        dependsOn = [
          "karakeep-chrome"
          "karakeep-meilisearch"
        ];
        environment = {
          MEILI_ADDR = "http://karakeep-meilisearch:7700";
          BROWSER_WEB_URL = "http://karakeep-chrome:9222";
          DATA_DIR =  "/data";
          NEXTAUTH_URL = "https://${cfg.domain}";
          DISABLE_PASSWORD_AUTH = "true";
          OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration";
          OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
          OAUTH_PROVIDER_NAME = "Authelia";
          OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
        };
        # needs NEXTAUTH_SECRET
        environmentFiles = [ "${cfg.environmentFile}" ];
      };
      karakeep-chrome = {
        image = "ghcr.io/zenika/alpine-chrome:latest";
        pull = "newer";
        cmd = [
          "--no-sandbox"
          "--disable-gpu"
          "--disable-dev-shm-usage"
          "--remote-debugging-address=0.0.0.0"
          "--remote-debugging-port=9222"
          "--hide-scrollbars"
        ];
      };
      karakeep-meilisearch = {
        image = "getmeili/meilisearch:latest";
        volumes = [ "meilisearch:/meili_data" ];
        environment = {
          MEILI_NO_ANALYTICS = "true";
        };
        # needs MEILI_MASTER_KEY
        environmentFiles = [ "${cfg.environmentFile}" ];
      };
    };
    services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
      import common
      import authelia
      reverse_proxy localhost:${toString cfg.port}
    '';
  };
 }
--- a/secrets/services/karakeep.yaml
+++ b/secrets/services/karakeep.yaml
@ -1,35 +0,0 @@
 karakeep:
    env: ENC[AES256_GCM,data:SWc26EQaKR5d9hMDYzVHA/r7XfjwFZ0d44Co0IS6OayR24ej7yqLAtkNttROKoKFuYc0sHgN9bOy4MyX0s3qiSWYovIIUJgFiJjPQFYDAo+50WR4+5W5FgvYI6e42fcWrQhaCXWQrDyzch/zT2OITZsjXcQhT5E+IiPLVkaGOjGptE07GjM7ZXI4UxBzINFQOhxdfIO0km1o6Wq8GhJdWsz4exz4ahRslR+WjK/flV2GZVAj6EHSJ5sHohm74QlhxaShEbc/8IKP6R2gSjBFP7l8VvwFyIUD9sLzYGvS3iU=,iv:gSPQU0bZ+VRFbuaNDc90dW0ogWX2SMH7kewtq/u/11E=,tag:L0Y4EWSQUhcn2eHt+yZ7qQ==,type:str]
 sops:
    age:
        - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaWQ1Q1JwRHJxQjNjdTAx
            TXRsWjVZOG1mNEptNVhscHBaK2I5MHhjdlFjCkNqOEhwT3hyOHpHQ2k0ZmowUXB4
            eks2dlpUS0V6VjBEYW9UWnhFOEw4VGsKLS0tIFo2a0FTRE5WdHBGVW5DOUFkaE9p
            bitvUnJXSnB6UnV3VTEzSjlSYmEwVUEKHOwFCRu+SIyM0uJ6bNEAo+MMlsc8la6G
            bLYdCoykcBu+uVXqn3BYTbrS5ylQMRYcbcPFJw5BVdmjIYF4LU5W6A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrU2ZnNVAyeVdJeHlTSW1x
            QUhKRzlNclVUWE1ucHFLZW5sL1lnUDhkd0Y4CjFuekNEOE1icDNqL1JyT0hEYW16
            Q2VyajJFWWtGUnBzOENGOEZHbWROZzAKLS0tIE8wMVc3TkV5Y1VyenIvOW02NDNq
            cStTeUcvY1pJWEN2MzFEeThKT0JPc1EKXrtVG49a6YZVKiL1F8Xg3t3niTYv3LwN
            NeAQ8srV0F6ckky7OCkvUp9GInZCWRzULXV/x+4IUb6C+KQaNm2vYA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdDdUSUlmMk5VcytyT01N
            UmRaK2k5Wkh5SlhPT3QrczY2eW9vZk5KWFZBCnBteitnNFlHdWRaaTRxSWYvYmtG
            ZnY5ZXlYa3Z5aENlRy9BQjVSU1F3UzQKLS0tIFpjN1dOaWNKaU9PaENyaXc1K3BU
            K2orZ0Y2Z05LSUZ5WHQ4TnVVY0QwSzQKiUQT4aSxXnaq0kEMp+q5WnIUoGypEmZ+
            DQEhkB9yu/BrkjXH+HGQr1W5B4sJyb5rnl0+SQ+IypRIRyaX4CdFxg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-04-05T19:44:58Z"
    mac: ENC[AES256_GCM,data:OmqsJI9BaICOTiH1cq4gZlNBbkAxn/pAOWBtkIjHdqpikABLG6fMY+sLpyeaovXjexIj9MZk7fPmV8dRZ5VNLHCqlYXK/cVoQBZ2HK+p/cGTAFelNAShu9NSgZdFmVgJJtOjVvFp8dtuY8VcQj861k/MPX0mNZt9pmXYdumjpNM=,iv:efHkp1KUctwtCjG9A8i5qs7nQfQqv2ya1yYlHHOt8pU=,tag:4lChpspl0oOUMiXzvGuA2Q==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.1