sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
mynixos-config/hosts/ward/guests/mealie.nix

103 lines
2.9 KiB
Nix
Raw Permalink Blame History

{
config,
globals,
nodes,
...
}:
let
mealieDomain = "mealie.${globals.domains.me}";
in
{
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
[
config.services.mealie.port
];
# Mirror the original oauth2 secret, but prepend OIDC_CLIENT_SECRET=
# so it can be used as an EnvironmentFile
age.secrets.oauth2-client-secret = {
generator.dependencies = [
nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-mealie
];
generator.script =
{
lib,
decrypt,
deps,
...
}:
''
echo -n "OIDC_CLIENT_SECRET="
${decrypt} ${lib.escapeShellArg (lib.head deps).file}
'';
mode = "440";
};
globals.services.mealie.domain = mealieDomain;
# FIXME: internal monitoring not possible because DNS resolves to sentinel
# since adguardhome is not active in server's dns
# globals.monitoring.http.mealie = {
# url = "https://${mealieDomain}";
# expectedBodyRegex = ''<title>Mealie'';
# network = "home-lan.vlans.services";
# };
environment.persistence."/persist".directories = [
{
directory = "/var/lib/private/mealie";
mode = "0700";
}
];
services.mealie = {
enable = true;
settings = rec {
BASE_URL = "https://${mealieDomain}";
TZ = config.time.timeZone;
TOKEN_TIME = 87600; # 10 years session time - this is only internal so who cares
ALLOW_SIGNUP = "false";
OIDC_AUTH_ENABLED = "true";
OIDC_SIGNUP_ENABLED = "true";
OIDC_AUTO_REDIRECT = "true";
OIDC_REMEMBER_ME = "true";
OIDC_CLIENT_ID = "mealie";
OIDC_USER_CLAIM = "preferred_username";
OIDC_PROVIDER_NAME = "Kanidm";
OIDC_CONFIGURATION_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${OIDC_CLIENT_ID}/.well-known/openid-configuration";
OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}";
OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}";
};
trustedProxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];
credentialsFile = config.age.secrets.oauth2-client-secret.path;
};
nodes.ward-web-proxy = {
services.nginx = {
upstreams.mealie = {
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.mealie.port}" =
{ };
extraConfig = ''
zone mealie 64k;
keepalive 2;
'';
monitoring = {
enable = true;
expectedStatus = 200;
expectedBodyRegex = ''<title>Mealie'';
};
};
virtualHosts.${mealieDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
extraConfig = ''
client_max_body_size 128M;
'';
locations."/".proxyPass = "http://mealie";
};
};
};
}
Reference in a new issue View git blame Copy permalink