[host/elysia-clarki] Enable nginx for photoprism

hosts/elysia-clarki.nix

@@ -3,7 +3,9 @@
   pkgs,
   lib,
   ...
-}: {
+}: let
+  sopsPath = key: config.sops.secrets.${key}.path;
+in {
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.supportedFilesystems = ["zfs"];
@@ -34,10 +36,21 @@
 
   services.photoprism = {
     enable = true;
-    url = "http://elysia-clarki:2342";
+    url = "https://elysia-clarki";
+    port = 2342;
     rootDir = "/srv/hnd/photoprism";
     environmentFile = config.sops.secrets."photoprism-env".path;
   };
+  services.nginx.virtualHosts."elysia-clarki" = {
+    forceSSL = true;
+    sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
+    sslCertificateKey = sopsPath "nginx-cert-key";
+    sslCertificate = sopsPath "nginx-cert-crt";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.photoprism.port}";
+      proxyWebsockets = true;
+    };
+  };
 
   services.resticConfigured = {
     enable = true;
@@ -54,9 +67,7 @@
     organisations.default = {
       users = ["malte"];
     };
-    pki.manual = let
-      sopsPath = key: config.sops.secrets.${key}.path;
-    in {
+    pki.manual = {
       ca.cert = sopsPath "taskserver-ca-cert";
       server.key = sopsPath "taskserver-server-key";
       server.crl = sopsPath "taskserver-server-crl";
@@ -139,6 +150,14 @@
     };
     taskserver-server-cert = taskserverSecretConfig;
     photoprism-env = {};
+    nginx-cert-key = {
+      owner = config.users.users.nginx.name;
+      mode = "0400";
+    };
+    nginx-cert-crt = {
+      owner = config.users.users.nginx.name;
+      mode = "0400";
+    };
   };
 
   # This value determines the NixOS release from which the default

modules/base-system.nix

@@ -37,6 +37,10 @@ in {
     # This includes the firmware, oc
     hardware.enableAllFirmware = true;
     hardware.enableRedistributableFirmware = true;
+    # Add certificate authority used for my servers
+    security.pki.certificates = [
+      (builtins.readFile ../secrets/ca.crt)
+    ];
 
     # Use some binary caches
     nix.settings = {

modules/photoprism.nix

@@ -6,7 +6,6 @@
 }:
 # TODO: Improve with mariadb database
 let
-  port = 2342;
   uid = 458;
   gid = 458;
   cfg = config.services.photoprism;
@@ -17,6 +16,11 @@ in {
       type = types.str;
       description = "Url with http:// prefix";
     };
+    port = mkOption {
+      type = types.int;
+      default = 2342;
+      description = "Port to expose on";
+    };
     rootDir = mkOption {
       type = types.str;
       description = "Path to use for photoprism storage";
@@ -25,6 +29,7 @@ in {
       type = types.str;
       description = "Additional environment file. I.e. for specifying PHOTOPRISM_ADMIN_PASSWORD";
     };
+    openFirewall = mkEnableOption "port opening";
   };
 
   config = lib.mkIf cfg.enable {
@@ -39,13 +44,13 @@ in {
     };
 
     # Open the port in the firewall
-    networking.firewall.allowedTCPPorts = [port];
+    networking.firewall.allowedTCPPorts = lib.optional cfg.openFirewall cfg.port;
 
     virtualisation.oci-containers.containers = {
       # Configure the main container
       "photoprism" = {
         image = "photoprism/photoprism:latest";
-        ports = ["${builtins.toString port}:2342"];
+        ports = ["${builtins.toString cfg.port}:2342"];
         environment = {
           PHOTOPRISM_UPLOAD_NSFW = "true";
           PHOTOPRISM_DETECT_NSFW = "true";

secrets/ca.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6zCCA9OgAwIBAgIUNJ+vpEQh/c/VtQ53LfKRt2uLkFkwDQYJKoZIhvcNAQEL
+BQAwgYQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZTYXhvbnkxEDAOBgNVBAcMB0xl
+aXB6aWcxFjAUBgNVBAoMDU1hbHRlIFRhbW1lbmExFjAUBgNVBAMMDXRhbW1lbmEu
+cm9ja3MxIjAgBgkqhkiG9w0BCQEWE21hbHRlLnRhbW1lbmFAcG0ubWUwHhcNMjIw
+NDE4MTYzNTE2WhcNMjcwNDE4MTYzNTE2WjCBhDELMAkGA1UEBhMCREUxDzANBgNV
+BAgMBlNheG9ueTEQMA4GA1UEBwwHTGVpcHppZzEWMBQGA1UECgwNTWFsdGUgVGFt
+bWVuYTEWMBQGA1UEAwwNdGFtbWVuYS5yb2NrczEiMCAGCSqGSIb3DQEJARYTbWFs
+dGUudGFtbWVuYUBwbS5tZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AK3I5+PtLd0P8ObZ0VrbUmppGyxBJOmfF8LbMZ65SvpypB6Bv6QveMGFaWMPlNnJ
+zs1jUVJFtxW+f0D0Sqyi1JEKs9Uv8JmsHihDB3kA4ITSlUocO1IYIYh/XLtUSQNg
+XhDdh/0Zrvwuegiln45v94a4Il705hcvRexvoAjqOjt3aZZovXhz6XVtmeQXH1Rc
+c6Xr26RJJIfH4n4hBoMKmj0xiQ3uYoJuiSIy8975mCf2zbehSnD4+QcOdZmpeKy/
+GfEXne+kvZucNCcj3NhfQH5rzOH4zz7c4llnK0QL3Fak6ORoXt6bn6bP7E1QCOiO
+btdjgmZmS55c475pxDUo/MHror02JoT9DOl/R6uVOvVAyBl5xmmuftWcSD5kQJYC
+iO6/YriOHQjsmGOxgVHtlBqLisBdftgAKsaG4CbbZ0CC4H6GtDHQPhc2p25M+D13
+m/NEqlp1vIwB1bBW6duCFTD3Pj/EOterUJndbYXoHIvdzf02wxFj4KW0ZiFM1Iy9
+Gxc6g1C5l1xcwp+NuibBC7i6v/7up4DEbOGdnxKxW55/u9DIMImjxOIPZs9zLgzh
+iA1M7iULAp9dhVScU87I2eOPkZhmg77JL9i2rqt03zw3/TMAtBS5XhIP3KghGs5w
+5tp1KY15JudJOyQOkzQUQEU/2REssWUZFwyF3CLsHofFAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQA/fi+Ew4v5IoB80ncBxttyjsiijAfBgNVHSMEGDAWgBQA/fi+Ew4v5IoB
+80ncBxttyjsiijAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBV
+Caiw52KiAqqxK+8drkmPlr52jxW9SCNMJDXIKPCa4S4SyVd/PzZogoqudVU+m+uI
+OvXZ4lUwR0EJc4Cjt5zUYp9wH68JN4EHX29AV5QKIOojoFvgp3/hwBCCDHjB4AYp
+BKAMwZiUn7/Z0kgvj+mk5bHU6ntqEwoXKY6so6PR7nmSSWk9iBHfza3y+O/V4+3W
+1L4+3GE/qM/pC41Ns7J5zvF3JCcYNvcbHnUrP27r0UUETf1w31aoRopA/C7LwJDP
+mYCNod39ra3Zt5GYv+23slyP+LC97UkHYF/e15logitK1FK8I0uDmhwjvk1Nu2vS
+bJdu1msvXU04EtsFHJ/gQ57c03i682G7b074BRmIH+MZBES6wI/NCZ3/8FvHAFWS
+UB6oX7DHkyMJM6EC3X/WRvvw1YG7mct7SADJ0WbjWfGvIS9mL63msP+SMgR5+isj
+21CLdIkjXaZID/Fks/9vLm7ErFnMooLm7njr0BFC2FYywPX28t3o0uFXakRU2Odf
+pYCh9zRS0d2+xM2x32mZZ5LVi8lI5E0VTPVBHUE75gzUUhx1Qip+SAJg3/oxd3tn
+W/2JML7l3ayYNVpMVO97uvawUXIZ7LFjx/LXwQUN4T2XGAJhjoNSd0uUYASDCOUb
+tga57IAQZbtH95HDJT5YiiipQfxpYY9sN0eqEYaPKA==
+-----END CERTIFICATE-----