feat: add mealie

2025-10-10 14:50:40 +02:00 · 2025-05-18 20:23:05 +02:00 · 2025-05-18 20:23:05 +02:00 · af4c7db8c1
commit af4c7db8c1
parent 825babc919
26 changed files with 211 additions and 0 deletions
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -18,6 +18,7 @@ let
    "cast.photos.${globals.domains.me}"
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
+    globals.services.mealie.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -20,6 +20,7 @@ let
    "cast.photos.${globals.domains.me}"
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
+    globals.services.mealie.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
@ -142,6 +143,7 @@ in
      // mkMicrovm "adguardhome"
      // mkMicrovm "forgejo"
      // mkMicrovm "kanidm"
+      // mkMicrovm "mealie"
      // mkMicrovm "radicale"
      // mkMicrovm "vaultwarden"
      // mkMicrovm "web-proxy"
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -118,6 +118,7 @@ in
              "cast.photos.${globals.domains.me}"
              "photos.${globals.domains.me}"
              "s3.photos.${globals.domains.me}"
+              globals.services.mealie.domain
              globals.services.immich.domain
              globals.services.influxdb.domain
              globals.services.loki.domain
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -39,6 +39,7 @@ in
  age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
  age.secrets.kanidm-oauth2-immich = mkRandomSecret;
  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
+  age.secrets.kanidm-oauth2-mealie = mkRandomSecret;
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
  age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;

@ -155,6 +156,29 @@ in
        ];
      };

+      # Mealie
+      groups."mealie.access" = { };
+      groups."mealie.admins" = { };
+      systems.oauth2.mealie = {
+        displayName = "Mealie";
+        originUrl = "https://${globals.services.mealie.domain}/login";
+        originLanding = "https://${globals.services.mealie.domain}/";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-mealie.path;
+        preferShortUsername = true;
+        scopeMaps."mealie.access" = [
+          "openid"
+          "email"
+          "profile"
+        ];
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup = {
+            "mealie.access" = [ "user" ];
+            "mealie.admins" = [ "admin" ];
+          };
+        };
+      };
+
      # Paperless
      groups."paperless.access" = { };
      systems.oauth2.paperless = {
--- a/hosts/ward/guests/mealie.nix
+++ b/hosts/ward/guests/mealie.nix
@ -0,0 +1,79 @@
+{
+  config,
+  globals,
+  nodes,
+  ...
+}:
+let
+  mealieDomain = "mealie.${globals.domains.personal}";
+in
+{
+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ];
+  };
+
+  # Mirror the original oauth2 secret
+  age.secrets.mealie-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie) rekeyFile;
+    mode = "440";
+  };
+
+  globals.services.mealie.domain = mealieDomain;
+  globals.monitoring.http.mealie = {
+    url = "https://${mealieDomain}";
+    # FIXME: todooooooooooo
+    expectedBodyRegex = "TODO";
+    network = "internet";
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/mealie";
+      mode = "0700";
+    }
+  ];
+
+  services.mealie = {
+    enable = true;
+    settings = rec {
+      ALLOW_SIGNUP = "false";
+      BASE_URL = "https://${mealieDomain}";
+      TZ = config.time.timeZone;
+
+      TOKEN_TIME = 87600; # 10 years session time - this is only internal so who cares
+      OIDC_AUTH_ENABLED = "true";
+      OIDC_AUTO_REDIRECT = "true";
+      OIDC_CLIENT_ID = "mealie";
+      OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
+      OIDC_SIGNUP_ENABLED = "true";
+      OIDC_USER_GROUP = "user";
+      OIDC_ADMIN_GROUP = "admin";
+    };
+  };
+
+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.mealie = {
+        servers."${config.wireguard.proxy-home.ipv4}:${config.services.mealie.port}" = { };
+        extraConfig = ''
+          zone mealie 64k;
+          keepalive 2;
+        '';
+        monitoring = {
+          enable = true;
+          # FIXME: todooooooooooo
+          expectedBodyRegex = "TODO";
+        };
+      };
+      virtualHosts.${mealieDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        extraConfig = ''
+          client_max_body_size 128M;
+        '';
+        locations."/".proxyPass = "http://mealie";
+      };
+    };
+  };
+}
--- a/hosts/ward/secrets/mealie/host.pub
+++ b/hosts/ward/secrets/mealie/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmfHyKfCoAUflxiWZF4IBLMxLtTZexaAfwVwzFJIlqH
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmfHyKfCoAUflxiWZF4IBLMxLtTZexaAfwVwzFJIlqH`