dots/modules/services/karakeep.nix
Nico 93f912d548
services: move all secrets into /media/secrets
moves all secrets into one centralised location in
/media/secrets and uses systemd-tmpfiles to set the
appropriate permissions for them
2026-02-20 17:14:03 +11:00


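{ config, ... }:
let
  inherit (config.homelab) domain authDomain;
  # Single source of truth for the app's listen port: Karakeep reads it from
  # PORT and Caddy proxies to it, so the two literals must never drift apart.
  port = 8023;
  # Secret material lives here, outside the world-readable /nix/store.
  secretFile = "/media/secrets/karakeep";
in
{
  # Karakeep bookmark manager, reachable only through the Caddy vhost below
  # and authenticating exclusively against the homelab OIDC provider.
  services.karakeep = {
    enable = true;
    extraEnvironment = {
      PORT = toString port;
      # OIDC discovery document of the homelab identity provider.
      OAUTH_WELLKNOWN_URL = "https://${authDomain}/oauth2/openid/karakeep/.well-known/openid-configuration";
      OAUTH_PROVIDER_NAME = "${domain}";
      NEXTAUTH_URL = "https://karakeep.${domain}";
      # Local password login is off, so the IdP is the only way in.
      DISABLE_PASSWORD_AUTH = "true";
      # Links an incoming OIDC identity to an existing account purely by its
      # e-mail claim, so this is only as safe as the IdP's e-mail verification:
      # anyone who can obtain an account with a matching address at authDomain
      # would inherit the Karakeep account. Tolerable here because password
      # auth is disabled and this IdP is the sole login path; revisit if a
      # second provider is added or the IdP ever allows self-registration.
      OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
    };
    # OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET go in this file (never in
    # extraEnvironment, which ends up in the store):
    # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
    environmentFile = secretFile;
  };

  # Pin mode and ownership of the secret file on every boot. `f` also creates
  # an *empty* file when none exists, so a missing secret surfaces as an OAuth
  # provider with no client credentials rather than as a tmpfiles error —
  # verify the file is populated after first deploy. Ownership by `karakeep`
  # assumes that is the service user (matches the nixpkgs module as far as
  # visible here; confirm). systemd reads EnvironmentFile= itself before
  # dropping privileges, so root-only ownership would be an equally valid,
  # slightly tighter choice.
  systemd.tmpfiles.rules = [
    "f ${secretFile} 0400 karakeep karakeep"
  ];

  # Keep application state on the apps volume instead of the root filesystem.
  fileSystems."/var/lib/karakeep" = {
    device = "/media/apps/karakeep";
    options = [ "bind" ];
  };

  # TLS-terminating reverse proxy. The backend is plain HTTP on loopback only;
  # block_non_private_ips is a Caddy snippet defined elsewhere in this config
  # and is what keeps the vhost off the public internet — the app itself has
  # no network-level restriction.
  services.caddy.virtualHosts."karakeep.${domain}" = {
    useACMEHost = domain;
    extraConfig = ''
      reverse_proxy http://localhost:${toString port}
      import block_non_private_ips
    '';
  };
}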