feat: add mealie

2025-05-18 20:23:05 +02:00 · 2025-05-18 20:23:05 +02:00 · af4c7db8c1
commit af4c7db8c1
parent 825babc919
26 changed files with 211 additions and 0 deletions
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -18,6 +18,7 @@ let
    "cast.photos.${globals.domains.me}"
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
+    globals.services.mealie.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -20,6 +20,7 @@ let
    "cast.photos.${globals.domains.me}"
    "photos.${globals.domains.me}"
    "s3.photos.${globals.domains.me}"
+    globals.services.mealie.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
@ -142,6 +143,7 @@ in
      // mkMicrovm "adguardhome"
      // mkMicrovm "forgejo"
      // mkMicrovm "kanidm"
+      // mkMicrovm "mealie"
      // mkMicrovm "radicale"
      // mkMicrovm "vaultwarden"
      // mkMicrovm "web-proxy"
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -118,6 +118,7 @@ in
              "cast.photos.${globals.domains.me}"
              "photos.${globals.domains.me}"
              "s3.photos.${globals.domains.me}"
+              globals.services.mealie.domain
              globals.services.immich.domain
              globals.services.influxdb.domain
              globals.services.loki.domain
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -39,6 +39,7 @@ in
  age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
  age.secrets.kanidm-oauth2-immich = mkRandomSecret;
  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
+  age.secrets.kanidm-oauth2-mealie = mkRandomSecret;
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
  age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;

@ -155,6 +156,29 @@ in
        ];
      };

+      # Mealie
+      groups."mealie.access" = { };
+      groups."mealie.admins" = { };
+      systems.oauth2.mealie = {
+        displayName = "Mealie";
+        originUrl = "https://${globals.services.mealie.domain}/login";
+        originLanding = "https://${globals.services.mealie.domain}/";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-mealie.path;
+        preferShortUsername = true;
+        scopeMaps."mealie.access" = [
+          "openid"
+          "email"
+          "profile"
+        ];
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup = {
+            "mealie.access" = [ "user" ];
+            "mealie.admins" = [ "admin" ];
+          };
+        };
+      };
+
      # Paperless
      groups."paperless.access" = { };
      systems.oauth2.paperless = {
--- a/hosts/ward/guests/mealie.nix
+++ b/hosts/ward/guests/mealie.nix
@ -0,0 +1,79 @@
+{
+  config,
+  globals,
+  nodes,
+  ...
+}:
+let
+  mealieDomain = "mealie.${globals.domains.personal}";
+in
+{
+  wireguard.proxy-home = {
+    client.via = "ward";
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ];
+  };
+
+  # Mirror the original oauth2 secret
+  age.secrets.mealie-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie) rekeyFile;
+    mode = "440";
+  };
+
+  globals.services.mealie.domain = mealieDomain;
+  globals.monitoring.http.mealie = {
+    url = "https://${mealieDomain}";
+    # FIXME: todooooooooooo
+    expectedBodyRegex = "TODO";
+    network = "internet";
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/mealie";
+      mode = "0700";
+    }
+  ];
+
+  services.mealie = {
+    enable = true;
+    settings = rec {
+      ALLOW_SIGNUP = "false";
+      BASE_URL = "https://${mealieDomain}";
+      TZ = config.time.timeZone;
+
+      TOKEN_TIME = 87600; # 10 years session time - this is only internal so who cares
+      OIDC_AUTH_ENABLED = "true";
+      OIDC_AUTO_REDIRECT = "true";
+      OIDC_CLIENT_ID = "mealie";
+      OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
+      OIDC_SIGNUP_ENABLED = "true";
+      OIDC_USER_GROUP = "user";
+      OIDC_ADMIN_GROUP = "admin";
+    };
+  };
+
+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.mealie = {
+        servers."${config.wireguard.proxy-home.ipv4}:${config.services.mealie.port}" = { };
+        extraConfig = ''
+          zone mealie 64k;
+          keepalive 2;
+        '';
+        monitoring = {
+          enable = true;
+          # FIXME: todooooooooooo
+          expectedBodyRegex = "TODO";
+        };
+      };
+      virtualHosts.${mealieDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        extraConfig = ''
+          client_max_body_size 128M;
+        '';
+        locations."/".proxyPass = "http://mealie";
+      };
+    };
+  };
+}
--- a/hosts/ward/secrets/mealie/host.pub
+++ b/hosts/ward/secrets/mealie/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmfHyKfCoAUflxiWZF4IBLMxLtTZexaAfwVwzFJIlqH
--- a/secrets/generated/sentinel/loki-basic-auth-hashes.age
+++ b/secrets/generated/sentinel/loki-basic-auth-hashes.age
--- a/secrets/generated/ward-kanidm/kanidm-oauth2-mealie.age
+++ b/secrets/generated/ward-kanidm/kanidm-oauth2-mealie.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 cJsUAs5kab+tag5KhjwJ+ZsCdnyDmXkQR89R9Yg9wlU
+h5hbA32BsvgNHm9N2Z3MNeBaSh62jMZZXadwQ67p6TM
+-> piv-p256 xqSe8Q A+J9DUC4CyzTSM8AeSrXggvg+iEG+EeVLZ6y2vZoFxdp
+kr6Te/2pBpsQ67/veC2zmFLoFo8az8UG20KVLrNjg1c
+-> '58-grease
+gd23myuHckOq82KNxQJ8wLupxTIEi3VQ2KdJEfKGay3EQQziBFFNeLwpXOOr1UzZ
+PnBY8e3gER+J0XKrFBVgvukbLfPxO0U6oa3uJStKpqIS0M+0CxTm6SYX752+dA
+--- zG8eAxMs4mHvZXAHGko6cWwiCbocn/QkCOz91D8a6Yw
+¥hS™}ÊÞöúd¥Nb�ñŒUŽkÕÙ—TQ³.ôý ŠU™B€ˆ;Ž%Ó½�
+,n>f ?xÆ8âº¹²ôFÌi,y�ç—$ÍÉÃ8£ß
--- a/secrets/generated/ward-mealie/promtail-loki-basic-auth-password.age
+++ b/secrets/generated/ward-mealie/promtail-loki-basic-auth-password.age
--- a/secrets/generated/ward-mealie/telegraf-influxdb-token.age
+++ b/secrets/generated/ward-mealie/telegraf-influxdb-token.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 N9dmnsf18HnbTxhRcEH/xtfpPAJSWfCnhqf+zXxuAXo
+x5s33yPRTyR8/dObTK93N6TqQVxM5mq00eb8ELmHt2M
+-> piv-p256 xqSe8Q A8iifEpFK/miSnKIeTMtanK1xqwBsLrWlCA8REv9+WgI
+am4/Lch1SEVBfDm91jYqJdeGdcQyWl9XWEjLP/mDHFw
+-> k-grease Kc$ G/
+jO05FKqhHg
+--- LhH0UM9+rOqKAvfRt4SQ8zOSPgXPUs7sGIY1O9qvZDQ
+rP›P'€6q—¶¥ŠUKÏ@Ø�ždøF\ó/DÓøA•æ\1D…°xD’jèã·÷´ðŽ`!ëkq¦�òüìFø×ñÉ°ÐJêyìi8
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age
--- a/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/sentinel/0eaa4bb18cbfcecdc7f5b14bf1f05cdf-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/sentinel/754829daef824cd4d3b0deaad3d35a85-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/sentinel/754829daef824cd4d3b0deaad3d35a85-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/sire-influxdb/549767bc6a22e6cb8bee4ca26ce4db3b-telegraf-influxdb-token-ward-mealie.age
+++ b/secrets/rekeyed/sire-influxdb/549767bc6a22e6cb8bee4ca26ce4db3b-telegraf-influxdb-token-ward-mealie.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ MN56T24f/dSVI6afWn7jc/lkOVJZtf02XCtxyWStSG0
+gUT9Wx23QhRVLvAR9p2XzIH7ssu56We1XhtEIN4t30s
+-> gwO<i-grease 1 1,V `fi%x
+R9yRyHD2DrNdqX8cBHBy6ipUv5WgzunD09E6Qo3PBZoCESgp/G3d1qBR7+PCtIJd
+6GbTl/rnPwkMJ9oQOdQFu/2Peg
+--- /vpQXk7HmKsvhJ1fhh9SimoGHKbjJyRJYEGer7t/DpY
+.mÅ ã_ÛŽB49å<.T@bü0f=F³íMmíyìÆ9¿�q¥bì/þZpõèõRßüfÑó>1¼‰ÁˆØ™ù´»�9“(Ë¶ø](
--- a/secrets/rekeyed/ward-kanidm/b2f37c3b6f744289f78131fe5bcf2a07-kanidm-oauth2-mealie.age
+++ b/secrets/rekeyed/ward-kanidm/b2f37c3b6f744289f78131fe5bcf2a07-kanidm-oauth2-mealie.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 QciEZQ Mb7FWnZMyUpEI72QX/92B+l2E756oTlZwrGpR6htERQ
+txqIzt+oJiHjsE6xDUlWSLaEyu2BNpPAMpzDFGIIeBI
+-> jV-grease
+pt4Kb7YOgGqbqug5THlDQgE2dEC7OTfwkz3wi5B5K5jFFwWUOB/2b5FP72flL0IO
+prmEssYGvxfptw
+--- RhK7j5bP4w7SrnHNYWffHBQA3yq1/Btv1v8GnV7WKgk
+şoą·\ĹU€¤áši5rîu.€n‹ëjv<�÷ńŽ±Húnőr*TÇ—LßÓëžŁű-FđSXŚ�sě	+({Ü„NÉ�•fó7nëk •r"n
--- a/secrets/rekeyed/ward-mealie/0e26f79cf1faf0b8aed1fda123df3d8d-telegraf-influxdb-token.age
+++ b/secrets/rekeyed/ward-mealie/0e26f79cf1faf0b8aed1fda123df3d8d-telegraf-influxdb-token.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lvVD1Q YXn9WHQpMzpHXr8+kFMIdSyQ/rk3NwEukoV+qciYTTY
+yoAXvZkuiHE0KW3weO2oX51TFLY1f2ANh9pNBG6o1Rc
+-> Wf6oihH1-grease
+1JCd3EhtX+OYjlmSt17OWxet/+bHlRtfDHIhMFRbTvdjt8saIRffxRYASWkg+HCR
+3cUlOR/aCG22BsI
+--- /ObukYBUdzN3bdi0YFdBch219+aRwQpzoNPGcnM6oeI
+Ão‡úoF6FŠ^š§ðXÊôcNË£-ßÑ~ŽÆûŸ¶�ŽpY¾U�Z8ÎZé"ªá‡YUÞ:1bYp^U´Í”×Î¥ß„†ŽŒi?OÌ
--- a/secrets/rekeyed/ward-mealie/0e775e81155a16c48a693985ef87ce87-wireguard-proxy-home-priv-ward-mealie.age
+++ b/secrets/rekeyed/ward-mealie/0e775e81155a16c48a693985ef87ce87-wireguard-proxy-home-priv-ward-mealie.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lvVD1Q XH+1hvyyrVDswacwgSVP6jSIcailJbsCdRarwlMnrzs
+e+R58+qCvCxy64/v3c7ljVL41MIqqUIlkyi/QNmyOY
+-> u}-grease y vy?+:1
+B05VV7/MovZh2CbxdJotf+f40O9c97r4XU3KV4Ke1yqqrBjapMhNl/6z/WZakK/l
+WEzGOxhRn8lXQc6Gaxa3VkQzIrPFD2ZOSxFTjscPVwFL9hunJ3+104Px
+--- 3K6Z/4SOPvxVVHpHpCDlkujxGLR6empVqF/DcFcYJn8
+¯ì“ÞHÇJ5c½p(+ŒûšêiKŠ{å
¡+À&ølµéI†âÀÈ9�8WÎÓyu¶Ñ4‰Â„Ò”KéTQ÷iET£Hµþ7Õ‚
--- a/secrets/rekeyed/ward-mealie/40eee60695582040333e4fab6b3e99ab-wireguard-proxy-home-psks-ward+ward-mealie.age
+++ b/secrets/rekeyed/ward-mealie/40eee60695582040333e4fab6b3e99ab-wireguard-proxy-home-psks-ward+ward-mealie.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lvVD1Q iShb88vIuWOY66+uWNmMQtezGJJSfmMwNmT0ddPQ8Fs
+zC7Lk8BgMap9E1/T2DkMLeYNSzv49qxT/lAXsOgHT/M
+-> $LQ9%qm-grease ?F' B:CTB(
+l/BZ/6lu6OFFEtKQO4/i6W8W+YMg0opJSJ903Yk
+--- 1nUvsKXuR/xpxmAY2WGKpk162DSm1kulcWc6YT2+SPc
+FÆ\ž«£cçbÆb(áº9[tš3föÜ*QõogcgsÏ,º§�;ál´	@@óƒ¬�–¢lÃQ]ƒ‚ˆ�n	‡‘•ùÞ-z!®?Kà
--- a/secrets/rekeyed/ward-mealie/78d5e2eb2bb8a805e8d94c21fd1f2022-mealie-oauth2-client-secret.age
+++ b/secrets/rekeyed/ward-mealie/78d5e2eb2bb8a805e8d94c21fd1f2022-mealie-oauth2-client-secret.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lvVD1Q 1ftd4N+uIcmtSGYOerFKVH6fQavXooDt0f7BgCgzCmk
+DjCtfR88tAJQUSSQt9vTlOG5nhQ1iCnbiGcbDw/crOY
+-> #fyuI5Mu-grease
+SnraD1nrsAszqx7zmuLw3i8vC+epOSHg6DIsHRY
+--- /OdJQCUMgxTacJEAubG8PysIiI2yc6ECnu/3Xxn28xA
+žùf4¢¿bŠ@POˆt±ÐSYa�sáe;�ôº¸¢V¹hŽÉõ„¹CÕ�àW¹¤ßø=`“È€zrýþý9Ù‘…t°]“(K-‹`fÞ¾ö
--- a/secrets/rekeyed/ward-mealie/dc45f32dc1bb8bf998a5743315023e84-promtail-loki-basic-auth-password.age
+++ b/secrets/rekeyed/ward-mealie/dc45f32dc1bb8bf998a5743315023e84-promtail-loki-basic-auth-password.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 lvVD1Q ilziysyxRUkLfYFbS5Q0pruB+dUmuOtmd6fGjsITRS0
+n086Qtr6zcm0Ozkon6BGUggP8a1qm8XouAg31YrO12I
+-> ei0^-grease 6G|p@_
+JEm5VZ+YV1hAtz++5XikLeeSySYaeuBI1glv4Np75mkYQftRRsoJczNM5FWMnBjx
+87w/3gNwFeKlpxsP0j4RavIm2XqCOvzIQb7tIJuP3EM9nrA6GgAb
+--- +zULhUPkWO/20iwtnz4Y3Jf89pw4w3UiTLgRtaGnFgs
+t®:…1»uR	œ"2]ïŸÚ«"~ö,‚©q˜Þ?¾l ”8¸|õ6Þ<ž�·ÐŠHæ$)®GcìÃM0fy„ð"änPö§ï¿ÒÛ¡5¡
--- a/secrets/rekeyed/ward-web-proxy/06b01e2633342abd576d676cc0a97b4b-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/ward-web-proxy/06b01e2633342abd576d676cc0a97b4b-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age
+++ b/secrets/rekeyed/ward-web-proxy/09683ecb6ba69322f3aa1c34b6ed6dfd-loki-basic-auth-hashes.age
--- a/secrets/rekeyed/ward/0c369898cbf97acc545fd1502c22a698-wireguard-proxy-home-psks-ward+ward-mealie.age
+++ b/secrets/rekeyed/ward/0c369898cbf97acc545fd1502c22a698-wireguard-proxy-home-psks-ward+ward-mealie.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 iNceIg E2ZHUBua1uN2jqFcGZRadRQQ6MbSdqp6eX4kNzjwaXk
+lvjp5twZimfTkbWx7KG4y0Ifg7CVvyeHCINYkgjo7q8
+-> xOBGCH-grease .fe[Q3 Dzm=`! ggW
+DsoXiHXKTej5cYbRdR+IAjlHGBGY1wBujsyeHBL+ZYWMBsK1AvJeUivTjGQAXw
+--- NLQ3LLLx8SOcGJxG+bUYnPJ0xiBRTuT1IJG5DxdWjv8
+^£ÆŽ
VÖu�ouù°þÔœ ð}s!³Œ-ìY�Ìa«7YH³¹_æÚÀšÂ9ù¬AÄ²8c·^T<G·�Ee�Çë5V
Á…Jï}L
--- a/secrets/wireguard/proxy-home/keys/ward-mealie.age
+++ b/secrets/wireguard/proxy-home/keys/ward-mealie.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 IGuSeVYlhS4zQIPtGjEdfz0aRlWwW9p7v1dnZE+0Y1s
+Va/LZJGX6lcWIJO88z6VOXy/nj/71CknrE6vfhqYLx4
+-> piv-p256 xqSe8Q A9v78VaWAYGK0qcnH9628aP26j86H5Lv37snchHbrqO2
+1QEZrG2VFBogG/3GrYmKREA97+srQJnYebgYqitBQ1w
+-> R-/_~K-grease
+sXTbRG1LknmW4uaybnfCc7wRhkE0LR6lIF7BfXJfh+NqyUZqiobiySS61RWGRp2x
+6Mg8FuOwz4XVYPVLEZ/+170XqvNHTU5il1xP579N7ovN2Q
+--- jcRvGpWSesVfxcd/PeUl/VnA52jkliI30rC55RgZiwc
+&$úq\;˜¢£RØ¸îA©,Ø¬¹-ÚwyL–Ç²›€¼CxU3	¶¹ß/¸étòýÂvhÇ-hÄ>£Ìzï„Qö$IÌ�Ó
--- a/secrets/wireguard/proxy-home/keys/ward-mealie.pub
+++ b/secrets/wireguard/proxy-home/keys/ward-mealie.pub
@ -0,0 +1 @@
+2N/eyBW8vTKV7Q5CKAr6+37AH0DdB7RRHpvbXaWwOx4=
--- a/secrets/wireguard/proxy-home/psks/ward+ward-mealie.age
+++ b/secrets/wireguard/proxy-home/psks/ward+ward-mealie.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 WghdrFO5I3jJ32m9Z/LoSsbmA3KFSji4XwvejaR+mG8
+1EISuNRcxxldcjPRNFUupQ4KldvIbsBfwq3OrIRO3XM
+-> piv-p256 xqSe8Q A38ktdHkbuqywFR1vLYmjZ/4bwwCsMtpiYw+JeBZ8hJI
+7rd7W2o43+ic0akAqDZz3pP+iAE1I+nt38CVLylY2qg
+-> tssi"-grease /c?&9>,} P5}~<: eE~$p\C
+V7OSW0OxjRENAvsYvwHiHRQHDIFBbn8zElLW9BNntLDNMjhjNl8KEgbciRBKYCkU
+t7I
+--- eY9b9CPUwHCuj97O8Io5epNsxGdlVR4v48BFg+v/Lp0
+Æ
+Õ!^KêýÆ£?Ï°è	||ˆLà–m¥…¹òmJFèÆ¢)IÃ^Ì´)O'p¾ŽF‰…ÃœÇ.«p"IpÚæª½|s[E°ÔŒ«‚
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmfHyKfCoAUflxiWZF4IBLMxLtTZexaAfwVwzFJIlqH`
				`@ -0,0 +1 @@`
				`2N/eyBW8vTKV7Q5CKAr6+37AH0DdB7RRHpvbXaWwOx4=`