[module/photoprism] Get to a working state

Now running on elysia-clarki.

hosts/elysia-clarki.nix

@@ -16,13 +16,30 @@
       dockerCompat = true;
       dockerSocket.enable = true;
       defaultNetwork.dnsname.enable = true;
+      extraPackages = with pkgs; [ zfs ];
     };
     oci-containers.backend = "podman";
+    # Override storage driver
+    containers.storage.settings = {
+      storage = {
+        driver = "zfs";
+        graphroot = "/var/lib/containers/storage";
+        runroot = "/run/containers/storage";
+      };
+    };
   };
 
+  services.photoprism = {
+    enable = true;
+    url = "http://elysia-clarki:2342";
+    rootDir = "/srv/hnd/photoprism";
+    environmentFile = config.sops.secrets."photoprism-env".path;
+  };
+  sops.secrets."photoprism-env" = { };
+
   services.fwupd.enable = true;
 
-  sops.defaultSopsFile = ../secrets/elysia-clarki/secrets.yaml;
+  sops.defaultSopsFile = ../secrets/hosts/elysia-clarki/secrets.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
   services.ddclient = {

modules/base-system.nix

@@ -4,54 +4,58 @@
 { pkgs, config, ... }:
 
 {
-  # Allow joypixels' license and unfree licenses in general
-  nixpkgs.config = {
-    allowUnfree = true;
-    joypixels.acceptLicense = true;
+  imports = [ ./photoprism.nix ];
+
+  config = {
+    # Allow joypixels' license and unfree licenses in general
+    nixpkgs.config = {
+      allowUnfree = true;
+      joypixels.acceptLicense = true;
+    };
+    # This includes the firmware, oc
+    hardware.enableAllFirmware = true;
+    hardware.enableRedistributableFirmware = true;
+
+    # Make sure that I can login over the tailscale infrastructure
+    # while increasing security
+    # TODO: Restrict openssh interface, move port
+    services.openssh.enable = pkgs.lib.mkDefault true;
+    users.users.root = {
+      openssh.authorizedKeys.keyFiles = [ ../users/malte/yubikey.pub ];
+    };
+    # Enable mosh for some SSH superpower
+    programs.mosh.enable = pkgs.lib.mkDefault true;
+
+    # Basic packages
+    environment.systemPackages = with pkgs; [
+      # I might need git for rebuilding this flake on the remote machine
+      git
+      # Sops is for security
+      sops
+      # top is lacking pizzazz
+      htop
+      # An initial `tailscale up` is necessary to get the network going
+      tailscale
+    ];
+
+    # Language and timezone defaults
+    time.timeZone = "Europe/Berlin";
+    i18n.defaultLocale = pkgs.lib.mkDefault "en_US.UTF-8";
+
+    # Use the latest kernel, this is altered on some hosts with zfs requirements
+    boot.kernelPackages = pkgs.lib.mkDefault pkgs.linuxPackages_latest;
+    boot.loader.timeout = pkgs.lib.mkDefault 1;
+    # This setting is fine, on hosts with x/wayland, I'll want to increase this
+    boot.loader.systemd-boot.configurationLimit = 10;
+
+    # Network configuration with tailscale
+    networking.useDHCP = false;
+    # Enable tailscale!
+    services.tailscale = {
+      enable = true;
+      interfaceName = "looking-glas";
+    };
+    networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
+
   };
-  # This includes the firmware, oc
-  hardware.enableAllFirmware = true;
-  hardware.enableRedistributableFirmware = true;
-
-  # Make sure that I can login over the tailscale infrastructure
-  # while increasing security
-  # TODO: Restrict openssh interface, move port
-  services.openssh.enable = pkgs.lib.mkDefault true;
-  users.users.root = {
-    openssh.authorizedKeys.keyFiles = [ ../users/malte/yubikey.pub ];
-  };
-  # Enable mosh for some SSH superpower
-  programs.mosh.enable = pkgs.lib.mkDefault true;
-
-  # Basic packages
-  environment.systemPackages = with pkgs; [
-    # I might need git for rebuilding this flake on the remote machine
-    git
-    # Sops is for security
-    sops
-    # top is lacking pizzazz
-    htop
-    # An initial `tailscale up` is necessary to get the network going
-    tailscale
-  ];
-
-  # Language and timezone defaults
-  time.timeZone = "Europe/Berlin";
-  i18n.defaultLocale = pkgs.lib.mkDefault "en_US.UTF-8";
-
-  # Use the latest kernel, this is altered on some hosts with zfs requirements
-  boot.kernelPackages = pkgs.lib.mkDefault pkgs.linuxPackages_latest;
-  boot.loader.timeout = pkgs.lib.mkDefault 1;
-  # This setting is fine, on hosts with x/wayland, I'll want to increase this
-  boot.loader.systemd-boot.configurationLimit = 10;
-
-  # Network configuration with tailscale
-  networking.useDHCP = false;
-  # Enable tailscale!
-  services.tailscale = {
-    enable = true;
-    interfaceName = "looking-glas";
-  };
-  networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
-
 }

modules/photoprism.nix

@@ -1,11 +1,68 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, ... }:
 
-{
-  virtualisation.oci-containers.containers."photoprism" = {
-    image = "photoprism/photoprism:latest";
-    dependsOn = [
-      #config.virtualisation.oci-containers.containers."photoprism-mariadb"
-    ];
-    ports = [ "2342:2342" ];
+# TODO: Improve with mariadb database
+
+let
+  port = 2342;
+  uid = 458;
+  gid = 458;
+  cfg = config.services.photoprism;
+
+in {
+  options.services.photoprism = with lib; {
+    enable = mkEnableOption "Photoprism service";
+    url = mkOption {
+      type = types.str;
+      description = "Url with http:// prefix";
+    };
+    rootDir = mkOption {
+      type = types.str;
+      description = "Path to use for photoprism storage";
+    };
+    environmentFile = mkOption {
+      type = types.str;
+      description =
+        "Additional environment file. I.e. for specifying PHOTOPRISM_ADMIN_PASSWORD";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Create the necessary user and group
+    users = {
+      groups.photoprism.gid = gid;
+      users.photoprism = {
+        inherit uid;
+        group = config.users.groups.photoprism.name;
+        isSystemUser = true;
+      };
+    };
+
+    # Open the port in the firewall
+    networking.firewall.allowedTCPPorts = [ port ];
+
+    virtualisation.oci-containers.containers = {
+      # Configure the main container
+      "photoprism" = {
+        image = "photoprism/photoprism:latest";
+        ports = [ "${builtins.toString port}:2342" ];
+        environment = {
+          PHOTOPRISM_UPLOAD_NSFW = "true";
+          PHOTOPRISM_DETECT_NSFW = "true";
+          PHOTOPRISM_UID = builtins.toString uid;
+          PHOTOPRISM_GID = builtins.toString gid;
+          PHOTOPRISM_SITE_URL = cfg.url;
+          PHOTOPRISM_SITE_TITLE = "PhotoPrism";
+          PHOTOPRISM_SITE_CAPTION = "All the pictures!";
+          PHOTOPRISM_SITE_DESCRIPTION = "";
+          PHOTOPRISM_SITE_AUTHOR = "";
+        };
+        environmentFiles = [ cfg.environmentFile ];
+        volumes = [
+          "${cfg.rootDir}/storage:/photoprism/storage"
+          "${cfg.rootDir}/import:/photoprism/import"
+          "${cfg.rootDir}/originals:/photoprism/originals"
+        ];
+      };
+    };
   };
 }

secrets/hosts/elysia-clarki/secrets.yaml

@@ -0,0 +1,41 @@
+photoprism-env: ENC[AES256_GCM,data:lbwLZz0OFjwLlBnLuqGFTXtM9JTvXIGp7gtyJRWuMxrhvAJntKk+HyJtmsj/ra3jboF5WXIZk0FHIQ==,iv:hXW5iP6EIt/Q0IkRXgonvGZWzMBsd9nTanlB+jkaARw=,tag:mGBBpvVz5NWXCk5gjUmxGA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gg85h42mndpuc5qpxg2a794pj9szp6g020ry05tmy9rxgh2aa4asq4vfh4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZjB2SzB0WmlONkJCaW1x
+            WXI4VFBKRjE0dVMvQjJzSzF5WURHcWxlQXhzCitiT28xNVNSRUtRUnRqUHdvNkJY
+            TTlQUVRjS2tEVlhxeDc0aUZ4Yitqd2MKLS0tIEZ0U2hQQnJVUWdjTHpqbGpjcjdQ
+            c2F3T0RMMjhYc1pvQ2RBWm9NSFFVa3cKzuXKsvNZa6pAPceetyrHFHWG7gMPX1S0
+            iPs3yu+a57SW24yasfpL6Kdk8xB7UumJJvbvQNSHd76uKTMijztLLQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-01-18T14:33:05Z"
+    mac: ENC[AES256_GCM,data:NCmeFcZH9dIJ8Lo1Gk+txPpCDAgKrizlD09n0aJ3buozTsreuoe12wLnYmj5RkK6WwltrfMfpHkMDattzbzgiRVV/MV+RSjEFYDMdJG8lHrkrCCCFJVavaN/lreeKTpEx0Hvf6T8K6wsrzFshC1J6vfmMqye1laORMXEbeatBZ4=,iv:W9D6NDNr2RVz2wj2ZVUI218iyPe3fS7qG4WZ6fhXrO8=,tag:vgUy6KnbSpHdTFqyZCs61A==,type:str]
+    pgp:
+        - created_at: "2022-01-18T14:29:34Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA/qNfAqOZjDMARAAqXFpwSPtD7TMZKKE4Qn1DXXCE0sMNOcM3ww9zvzrKgJv
+            16T3JXTXuK2sc2Pwwf0jTgv4oGnI+Yt8ZHa/MtUa6rK1Xl+f7jYhdB1BLK+1WZKs
+            1KpBpIXsLl2kYviajCtce8U1Vgn22yRHz7allSO5EqpFT4zQLyhvnEKJi/O2fTaq
+            ho/Dm+6gapb0tbPBkxJFGjzg6OHO514wGEv4sgNQRLeoLm08uJ2VgeJH2flEGhtD
+            fqAcx0D67YEfG9FISUmuoG2QsojEATdqg+w2hyrdsOq/OVHUMWzNj7ePHYkpJb6k
+            vBfRLyIjyW/v46YzItme0j8jaY2jI3ZDnrAhQCB4FkrW/OYT8bKo5Kcx42Xdkx1d
+            5EWuuA79tGeVL1P9zRLkekUo87y4AKtQZtMgwYPG/LY0aSM7Y3G/Qw3FxFZeI9KJ
+            6m2sBlbZygsQ9cdCySIGcY21C/4nUUTxyYj1cROow7qhjBezXTWJBD5EHuus0tVY
+            jdnK+yb5t1VcCMeLuUngavGfPGfl9ksefMi2Wg35X1EYcKxlfswlVCDP1d7Eb1kk
+            PryaS1Dm1XnuqefOle46FMui4/zqDRMkGskBmx0suFdZGhCqn/I9jcjAVCM9PTYV
+            7l+6aS60Gc5WfegZK5qR2MG1AM1pdc3EQmRgkl7O71201Db/Nfr2HZ0m722T6BbS
+            XgH7MBocsnkhhdueeyPHGcFVVnud8/lFu7NgXA2j6gvUJs6J0FXJ3fquj5HC926d
+            QJCU27pqRiCXFV9Fh9OFt37bZ7rZha+VetL811s4VErf9XunmPDFecI74G6BbSY=
+            =Maot
+            -----END PGP MESSAGE-----
+          fp: 71E08E591553F5EA4CB98745BCE9E4BF632E7CED
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1