moves all secrets into one centralised location in /media/secrets and uses systemd-tmpfiles to set the appropriate permissions for them
{ config, ... }:
|
|
|
|
{
|
|
services.karakeep = {
|
|
enable = true;
|
|
extraEnvironment = {
|
|
PORT = "8023";
|
|
|
|
OAUTH_WELLKNOWN_URL = "https://${config.homelab.authDomain}/oauth2/openid/karakeep/.well-known/openid-configuration";
|
|
OAUTH_PROVIDER_NAME = "${config.homelab.domain}";
|
|
NEXTAUTH_URL = "https://karakeep.${config.homelab.domain}";
|
|
|
|
DISABLE_PASSWORD_AUTH = "true";
|
|
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true";
|
|
};
|
|
|
|
# put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file
|
|
# https://docs.karakeep.app/configuration/environment-variables#authentication--signup
|
|
environmentFile = "/media/secrets/karakeep";
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"f /media/secrets/karakeep 0400 karakeep karakeep"
|
|
];
|
|
|
|
fileSystems."/var/lib/karakeep" = {
|
|
device = "/media/apps/karakeep";
|
|
options = [ "bind" ];
|
|
};
|
|
|
|
services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
|
|
useACMEHost = config.homelab.domain;
|
|
extraConfig = ''
|
|
reverse_proxy http://localhost:8023
|
|
import block_non_private_ips
|
|
'';
|
|
};
|
|
}
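Review bot: The tmpfiles rule `f /media/secrets/karakeep 0400 karakeep karakeep` creates the file empty when it does not yet exist, so a host where the secret was never provisioned starts karakeep with no OAUTH_CLIENT_ID/OAUTH_CLIENT_SECRET while DISABLE_PASSWORD_AUTH is "true", and the misconfiguration only surfaces as a failed login rather than at activation. A comment on the rule would make the out-of-band step explicit, e.g. `# "f" only creates/sets mode and owner; the secret itself must be placed here out of band before first start`. The rule also does not cover the parent directory /media/secrets, which is presumably managed elsewhere given the commit title, so a pointer to where its mode is set (or a `d` line here) would help the next reader. Separately, `OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = "true"` lets an OAuth login attach to an existing account by matching email, which is only safe because this single provider is the sole login path; that reasoning deserves a one-line comment next to it.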
|