[module/photoprism] Get to a working state
Now running on elysia-clarki.
This commit is contained in:
parent
4591b70541
commit
c279638182
@ -16,13 +16,30 @@
|
|||
dockerCompat = true;
|
||||
dockerSocket.enable = true;
|
||||
defaultNetwork.dnsname.enable = true;
|
||||
extraPackages = with pkgs; [ zfs ];
|
||||
};
|
||||
oci-containers.backend = "podman";
|
||||
# Override storage driver
|
||||
containers.storage.settings = {
|
||||
storage = {
|
||||
driver = "zfs";
|
||||
graphroot = "/var/lib/containers/storage";
|
||||
runroot = "/run/containers/storage";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.photoprism = {
|
||||
enable = true;
|
||||
url = "http://elysia-clarki:2342";
|
||||
rootDir = "/srv/hnd/photoprism";
|
||||
environmentFile = config.sops.secrets."photoprism-env".path;
|
||||
};
|
||||
sops.secrets."photoprism-env" = { };
|
||||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
sops.defaultSopsFile = ../secrets/elysia-clarki/secrets.yaml;
|
||||
sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
services.ddclient = {
|
||||
|
|
|
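Review bot: `dockerSocket.enable = true;` publishes a Docker-compatible API socket, and any local process that can reach that socket effectively has root on the host; nothing in this hunk appears to consume it, since `oci-containers.backend = "podman";` drives the photoprism container through podman directly. Unless a docker client on the host needs it, I would drop that line, or keep it with a comment naming the consumer, e.g. `# Docker-compatible socket, required by <consumer>`. The `services.photoprism` block depends on `sops.secrets."photoprism-env" = { };` keeping its default root-only mode, which matches the root-run podman backend; a one-line comment on the secret declaration saying so would stop a later owner/mode change from silently widening access to the admin password. The enclosing host attribute set starts and ends outside the hunk.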
@ -4,54 +4,58 @@
|
|||
{ pkgs, config, ... }:
|
||||
|
||||
{
|
||||
# Allow joypixels' license and unfree licenses in general
|
||||
nixpkgs.config = {
|
||||
allowUnfree = true;
|
||||
joypixels.acceptLicense = true;
|
||||
imports = [ ./photoprism.nix ];
|
||||
|
||||
config = {
|
||||
# Allow joypixels' license and unfree licenses in general
|
||||
nixpkgs.config = {
|
||||
allowUnfree = true;
|
||||
joypixels.acceptLicense = true;
|
||||
};
|
||||
# This includes the firmware, oc
|
||||
hardware.enableAllFirmware = true;
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
# Make sure that I can login over the tailscale infrastructure
|
||||
# while increasing security
|
||||
# TODO: Restrict openssh interface, move port
|
||||
services.openssh.enable = pkgs.lib.mkDefault true;
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keyFiles = [ ../users/malte/yubikey.pub ];
|
||||
};
|
||||
# Enable mosh for some SSH superpower
|
||||
programs.mosh.enable = pkgs.lib.mkDefault true;
|
||||
|
||||
# Basic packages
|
||||
environment.systemPackages = with pkgs; [
|
||||
# I might need git for rebuilding this flake on the remote machine
|
||||
git
|
||||
# Sops is for security
|
||||
sops
|
||||
# top is lacking pizzazz
|
||||
htop
|
||||
# An initial `tailscale up` is necessary to get the network going
|
||||
tailscale
|
||||
];
|
||||
|
||||
# Language and timezone defaults
|
||||
time.timeZone = "Europe/Berlin";
|
||||
i18n.defaultLocale = pkgs.lib.mkDefault "en_US.UTF-8";
|
||||
|
||||
# Use the latest kernel, this is altered on some hosts with zfs requirements
|
||||
boot.kernelPackages = pkgs.lib.mkDefault pkgs.linuxPackages_latest;
|
||||
boot.loader.timeout = pkgs.lib.mkDefault 1;
|
||||
# This setting is fine, on hosts with x/wayland, I'll want to increase this
|
||||
boot.loader.systemd-boot.configurationLimit = 10;
|
||||
|
||||
# Network configuration with tailscale
|
||||
networking.useDHCP = false;
|
||||
# Enable tailscale!
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
interfaceName = "looking-glas";
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
|
||||
|
||||
};
|
||||
# This includes the firmware, oc
|
||||
hardware.enableAllFirmware = true;
|
||||
hardware.enableRedistributableFirmware = true;
|
||||
|
||||
# Make sure that I can login over the tailscale infrastructure
|
||||
# while increasing security
|
||||
# TODO: Restrict openssh interface, move port
|
||||
services.openssh.enable = pkgs.lib.mkDefault true;
|
||||
users.users.root = {
|
||||
openssh.authorizedKeys.keyFiles = [ ../users/malte/yubikey.pub ];
|
||||
};
|
||||
# Enable mosh for some SSH superpower
|
||||
programs.mosh.enable = pkgs.lib.mkDefault true;
|
||||
|
||||
# Basic packages
|
||||
environment.systemPackages = with pkgs; [
|
||||
# I might need git for rebuilding this flake on the remote machine
|
||||
git
|
||||
# Sops is for security
|
||||
sops
|
||||
# top is lacking pizzazz
|
||||
htop
|
||||
# An initial `tailscale up` is necessary to get the network going
|
||||
tailscale
|
||||
];
|
||||
|
||||
# Language and timezone defaults
|
||||
time.timeZone = "Europe/Berlin";
|
||||
i18n.defaultLocale = pkgs.lib.mkDefault "en_US.UTF-8";
|
||||
|
||||
# Use the latest kernel, this is altered on some hosts with zfs requirements
|
||||
boot.kernelPackages = pkgs.lib.mkDefault pkgs.linuxPackages_latest;
|
||||
boot.loader.timeout = pkgs.lib.mkDefault 1;
|
||||
# This setting is fine, on hosts with x/wayland, I'll want to increase this
|
||||
boot.loader.systemd-boot.configurationLimit = 10;
|
||||
|
||||
# Network configuration with tailscale
|
||||
networking.useDHCP = false;
|
||||
# Enable tailscale!
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
interfaceName = "looking-glas";
|
||||
};
|
||||
networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
|
||||
|
||||
}
|
||||
|
|
|
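Review bot: The SSH settings carried into the new `config = { … }` block enable sshd with a root authorized key but never disable password authentication, so sshd's default of accepting passwords still applies to every account on a host that the comments say should be reached over tailscale only; adding `services.openssh.passwordAuthentication = false;` next to `services.openssh.enable` would close that without affecting the key-based root login. This is existing content that the commit only moves, so it may be deliberate, but the `# TODO: Restrict openssh interface, move port` comment suggests the hardening is still pending. The split into `imports` and `config` is also unexplained; a short comment above `config = {` such as `# imports at top level means the rest of the module must live under config` would help the next reader.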
@ -1,11 +1,68 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
{
|
||||
virtualisation.oci-containers.containers."photoprism" = {
|
||||
image = "photoprism/photoprism:latest";
|
||||
dependsOn = [
|
||||
#config.virtualisation.oci-containers.containers."photoprism-mariadb"
|
||||
];
|
||||
ports = [ "2342:2342" ];
|
||||
# TODO: Improve with mariadb database
|
||||
|
||||
let
|
||||
port = 2342;
|
||||
uid = 458;
|
||||
gid = 458;
|
||||
cfg = config.services.photoprism;
|
||||
|
||||
in {
|
||||
options.services.photoprism = with lib; {
|
||||
enable = mkEnableOption "Photoprism service";
|
||||
url = mkOption {
|
||||
type = types.str;
|
||||
description = "Url with http:// prefix";
|
||||
};
|
||||
rootDir = mkOption {
|
||||
type = types.str;
|
||||
description = "Path to use for photoprism storage";
|
||||
};
|
||||
environmentFile = mkOption {
|
||||
type = types.str;
|
||||
description =
|
||||
"Additional environment file. I.e. for specifying PHOTOPRISM_ADMIN_PASSWORD";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# Create the necessary user and group
|
||||
users = {
|
||||
groups.photoprism.gid = gid;
|
||||
users.photoprism = {
|
||||
inherit uid;
|
||||
group = config.users.groups.photoprism.name;
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Open the port in the firewall
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
||||
virtualisation.oci-containers.containers = {
|
||||
# Configure the main container
|
||||
"photoprism" = {
|
||||
image = "photoprism/photoprism:latest";
|
||||
ports = [ "${builtins.toString port}:2342" ];
|
||||
environment = {
|
||||
PHOTOPRISM_UPLOAD_NSFW = "true";
|
||||
PHOTOPRISM_DETECT_NSFW = "true";
|
||||
PHOTOPRISM_UID = builtins.toString uid;
|
||||
PHOTOPRISM_GID = builtins.toString gid;
|
||||
PHOTOPRISM_SITE_URL = cfg.url;
|
||||
PHOTOPRISM_SITE_TITLE = "PhotoPrism";
|
||||
PHOTOPRISM_SITE_CAPTION = "All the pictures!";
|
||||
PHOTOPRISM_SITE_DESCRIPTION = "";
|
||||
PHOTOPRISM_SITE_AUTHOR = "";
|
||||
};
|
||||
environmentFiles = [ cfg.environmentFile ];
|
||||
volumes = [
|
||||
"${cfg.rootDir}/storage:/photoprism/storage"
|
||||
"${cfg.rootDir}/import:/photoprism/import"
|
||||
"${cfg.rootDir}/originals:/photoprism/originals"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
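Review bot: `networking.firewall.allowedTCPPorts = [ port ];` together with `ports = [ "${builtins.toString port}:2342" ];` publishes PhotoPrism's plain-HTTP admin login on every host interface, while the rest of the configuration treats tailscale as the intended access path; unless external exposure is wanted, restrict the opening to that interface, `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ port ];`, or bind the published port to the tailscale address. `image = "photoprism/photoprism:latest";` also floats, so each rebuild may pull a different image; a version tag or digest keeps the deployment reproducible and makes upgrades reviewable. `environmentFile` is declared as `types.str` although the host config passes a path (`config.sops.secrets."photoprism-env".path`); `types.path` would document that expectation and reject a plain string by mistake.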
@ -0,0 +1,41 @@
|
|||
photoprism-env: ENC[AES256_GCM,data:lbwLZz0OFjwLlBnLuqGFTXtM9JTvXIGp7gtyJRWuMxrhvAJntKk+HyJtmsj/ra3jboF5WXIZk0FHIQ==,iv:hXW5iP6EIt/Q0IkRXgonvGZWzMBsd9nTanlB+jkaARw=,tag:mGBBpvVz5NWXCk5gjUmxGA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1gg85h42mndpuc5qpxg2a794pj9szp6g020ry05tmy9rxgh2aa4asq4vfh4
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZjB2SzB0WmlONkJCaW1x
|
||||
WXI4VFBKRjE0dVMvQjJzSzF5WURHcWxlQXhzCitiT28xNVNSRUtRUnRqUHdvNkJY
|
||||
TTlQUVRjS2tEVlhxeDc0aUZ4Yitqd2MKLS0tIEZ0U2hQQnJVUWdjTHpqbGpjcjdQ
|
||||
c2F3T0RMMjhYc1pvQ2RBWm9NSFFVa3cKzuXKsvNZa6pAPceetyrHFHWG7gMPX1S0
|
||||
iPs3yu+a57SW24yasfpL6Kdk8xB7UumJJvbvQNSHd76uKTMijztLLQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-01-18T14:33:05Z"
|
||||
mac: ENC[AES256_GCM,data:NCmeFcZH9dIJ8Lo1Gk+txPpCDAgKrizlD09n0aJ3buozTsreuoe12wLnYmj5RkK6WwltrfMfpHkMDattzbzgiRVV/MV+RSjEFYDMdJG8lHrkrCCCFJVavaN/lreeKTpEx0Hvf6T8K6wsrzFshC1J6vfmMqye1laORMXEbeatBZ4=,iv:W9D6NDNr2RVz2wj2ZVUI218iyPe3fS7qG4WZ6fhXrO8=,tag:vgUy6KnbSpHdTFqyZCs61A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-01-18T14:29:34Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA/qNfAqOZjDMARAAqXFpwSPtD7TMZKKE4Qn1DXXCE0sMNOcM3ww9zvzrKgJv
|
||||
16T3JXTXuK2sc2Pwwf0jTgv4oGnI+Yt8ZHa/MtUa6rK1Xl+f7jYhdB1BLK+1WZKs
|
||||
1KpBpIXsLl2kYviajCtce8U1Vgn22yRHz7allSO5EqpFT4zQLyhvnEKJi/O2fTaq
|
||||
ho/Dm+6gapb0tbPBkxJFGjzg6OHO514wGEv4sgNQRLeoLm08uJ2VgeJH2flEGhtD
|
||||
fqAcx0D67YEfG9FISUmuoG2QsojEATdqg+w2hyrdsOq/OVHUMWzNj7ePHYkpJb6k
|
||||
vBfRLyIjyW/v46YzItme0j8jaY2jI3ZDnrAhQCB4FkrW/OYT8bKo5Kcx42Xdkx1d
|
||||
5EWuuA79tGeVL1P9zRLkekUo87y4AKtQZtMgwYPG/LY0aSM7Y3G/Qw3FxFZeI9KJ
|
||||
6m2sBlbZygsQ9cdCySIGcY21C/4nUUTxyYj1cROow7qhjBezXTWJBD5EHuus0tVY
|
||||
jdnK+yb5t1VcCMeLuUngavGfPGfl9ksefMi2Wg35X1EYcKxlfswlVCDP1d7Eb1kk
|
||||
PryaS1Dm1XnuqefOle46FMui4/zqDRMkGskBmx0suFdZGhCqn/I9jcjAVCM9PTYV
|
||||
7l+6aS60Gc5WfegZK5qR2MG1AM1pdc3EQmRgkl7O71201Db/Nfr2HZ0m722T6BbS
|
||||
XgH7MBocsnkhhdueeyPHGcFVVnud8/lFu7NgXA2j6gvUJs6J0FXJ3fquj5HC926d
|
||||
QJCU27pqRiCXFV9Fh9OFt37bZ7rZha+VetL811s4VErf9XunmPDFecI74G6BbSY=
|
||||
=Maot
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.1
|