karakeep: init

flake.nix

@@ -23,6 +23,7 @@
         ./modules/nix/linux.nix
         ./modules/shell.nix
 
+        ./modules/services/karakeep.nix
         ./modules/services/pocketid.nix
         ./modules/services/caddy.nix
         ./modules/services/miniflux.nix

modules/services/glance.nix

@@ -97,6 +97,10 @@
                           title = "Miniflux";
                           url = "https://rss.${config.homelab.domain}";
                         }
+                        {
+                          title = "Karakeep";
+                          url = "https://karakeep.${config.homelab.domain}";
+                        }
                       ];
                     }
                     {

modules/services/karakeep.nix

@@ -0,0 +1,35 @@
+{ config, ... }:
+
+{
+  virtualisation.oci-containers.containers.karakeep = {
+    image = "ghcr.io/karakeep-app/karakeep:release";
+    volumes = [ "/var/lib/karakeep/data:/data" ];
+    ports = [ "8023:3000" ];
+    environment = {
+      DATA_DIR = "/data"; # dont change
+
+      OAUTH_WELLKNOWN_URL = "https://auth.${config.homelab.domain}/.well-known/openid-configuration";
+      OAUTH_PROVIDER_NAME = "PocketID";
+      NEXTAUTH_URL = "https://karakeep.${config.homelab.domain}";
+
+      DISABLE_PASSWORD_AUTH	= "true";
+      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
+    };
+
+    environmentFiles = [
+      # put the environment variable NEXTAUTH_SECRET in here
+      # with a randomly generated string. gen with `openssl rand -base64 36`
+      /var/lib/karakeep/nextauth-secret
+
+      # https://pocket-id.org/docs/client-examples/hoarder
+      /var/lib/karakeep/oidc
+    ];
+  };
+  
+  services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
+    useACMEHost = config.homelab.domain;
+    extraConfig = ''
+      reverse_proxy http://localhost:8023
+    '';
+  };
+}