nixos-config/modules/karakeep.nix

{ config, lib, ... }:
let
  cfg = config.my.karakeep;
in
{
  options.my.karakeep = {
    enable = lib.mkEnableOption "karakeep";
    dataDir = lib.mkOption {
      type = lib.types.path;
    };
    port = lib.mkOption {
      default = 3002;
      description = "port for the web service";
      type = lib.types.port;
    };
    domain = lib.mkOption {
      default = "keep.cy7.sh";
      type = lib.types.str;
    };
    environmentFile = lib.mkOption {
      default = config.sops.secrets."karakeep/env".path;
      type = lib.types.path;
    };
  };

  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers = {
      karakeep-web = {
        image = "ghcr.io/karakeep-app/karakeep:release";
        pull = "newer";
        volumes = [ "${cfg.dataDir}:/data" ];
        ports = [ "${toString cfg.port}:3000"];
        dependsOn = [
          "karakeep-chrome"
          "karakeep-meilisearch"
        ];
        environment = {
          MEILI_ADDR = "http://karakeep-meilisearch:7700";
          BROWSER_WEB_URL = "http://karakeep-chrome:9222";
          DATA_DIR =  "/data";
          NEXTAUTH_URL = "https://${cfg.domain}";
          DISABLE_PASSWORD_AUTH = "true";
          OAUTH_WELLKNOWN_URL = "https://auth.cy7.sh/.well-known/openid-configuration";
          OAUTH_CLIENT_ID = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
          OAUTH_PROVIDER_NAME = "Authelia";
          OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
        };
        # needs NEXTAUTH_SECRET
        environmentFiles = [ "${cfg.environmentFile}" ];
      };

      karakeep-chrome = {
        image = "ghcr.io/zenika/alpine-chrome:latest";
        pull = "newer";
        cmd = [
          "--no-sandbox"
          "--disable-gpu"
          "--disable-dev-shm-usage"
          "--remote-debugging-address=0.0.0.0"
          "--remote-debugging-port=9222"
          "--hide-scrollbars"
        ];
      };

      karakeep-meilisearch = {
        image = "getmeili/meilisearch:latest";
        volumes = [ "meilisearch:/meili_data" ];
        environment = {
          MEILI_NO_ANALYTICS = "true";
        };
        # needs MEILI_MASTER_KEY
        environmentFiles = [ "${cfg.environmentFile}" ];
      };
    };

    services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
      import common
      reverse_proxy localhost:${toString cfg.port}
    '';
  };
}