From 1ad2b57fa04bafe926bd4dd29f7a6db0b49ec6db Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Thu, 17 Apr 2025 15:43:58 +0200
Subject: [PATCH] Add photoprism

---
 hosts/iron/ports.nix | 3 +-
 hosts/iron/secrets.yaml | 6 ++-
 hosts/iron/services/default.nix | 1 +
 hosts/iron/services/photoprism.nix | 72 ++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 3 deletions(-)
 create mode 100644 hosts/iron/services/photoprism.nix

diff --git a/hosts/iron/ports.nix b/hosts/iron/ports.nix
index 679a355..1cbc8cf 100644
--- a/hosts/iron/ports.nix
+++ b/hosts/iron/ports.nix
@@ -14,6 +14,7 @@
 navidrome.tcp = 4533;
 nginx-http.tcp = 80;
 nginx-https.tcp = 443;
+ photoprism.tcp = 2342;
 postfix-relay.tcp = 25;
 postfix-submission.tcp = 465;
 qbittorrent-torrent.tcp = 59832;
@@ -21,8 +22,8 @@
 radicale.tcp = 5232;
 rmfakecloud.tcp = 3000;
 snapserver.tcp = 1704;
- snapserverTcp.tcp = 1705;
 snapserverHttp.tcp = 1780;
+ snapserverTcp.tcp = 1705;
 unifi-http.tcp = 8080;
 unifi-https.tcp = 8443;
 wireguard-public-ip-tunnel.udp = 51000;
diff --git a/hosts/iron/secrets.yaml b/hosts/iron/secrets.yaml
index e6feaa5..75630e1 100644
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@@ -14,6 +14,8 @@ home-assistant: ENC[AES256_GCM,data:wcFMxDdRCHf/shO9v2WaGgrsa9J2WP62xFs=,iv:9cke
 mqtt-users:
 home-assistant: ENC[AES256_GCM,data:oIjCw7ZnA5iOBmQdW1jcy3QQnpjT32pY,iv:5HFRkXJBdMXQbjk2ubQs3sEy5qEteiqSe2hrNc8+H40=,tag:7B6yI4oCHanE0JE/gHaKnQ==,type:str]
 valetudo: ENC[AES256_GCM,data:+HRz6X+A5dhmx43G99ka0u9VozuzOFWR,iv:SPw5yoiBqN7sBH5EofevacTtu45jmuTPqToKrar0aJ0=,tag:lf+usB/eNNP1yuWW/QyTqQ==,type:str]
+photoprism:
+ oidc-secret: ENC[AES256_GCM,data:XTAiUiGZJfSZHNbz6fePl3iMDdbxFSE7+SQH2ECRFqlo7w8TAhLyNXBxlEfGvu+8vttbKdkEm0r7132Q4ftOtA==,iv:WGsQXolbtRWIq4EDgODWNmkXdOZCsA9A3Fqoo4lJyec=,tag:5zJftwB5If/RZB3hI0Ly8A==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -29,8 +31,8 @@ sops:
 SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
 GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-03-01T23:14:53Z"
- mac: ENC[AES256_GCM,data:1m+Ml5Vhm87U4xz1kKNZ/4E+RqweUt2ypYh1JTYVHHV3dgySJytkwn0pFZj3RfR+z4r03hrvSuBt0ldWSn8UvGLHsJj8L9AqfDXyPg3SI6uRS6UeAbqZFs5HhNQzkNKwPnZ9KPbXJ8ab8Ck+jSfEcrtPShDOgDp9jTJZ91hTB1c=,iv:6tVJI31180asGh+MMguAeKtD4SY6W/2Pizqjt0SV4v8=,tag:0ghRP8locNjtvpIYL8tDlg==,type:str]
+ lastmodified: "2025-04-17T13:32:20Z"
+ mac: ENC[AES256_GCM,data:5LX+9RdaHlMOd/gwsr9xdQZB2IQee6xx0YxUQ+sXIXe5xH+cgw8vm0Gd1YFjOT9Yf8DZ/51y8XSOMXP/oT36iYGpenb84ZGV+9X3aAT8+PWZxr6eJ8raDTO/sof5r/qVrxHls3Hl2nmKI6UzTZD8PINThIaEdy9mpfxRrrcL/iU=,iv:pkPEWcVAZBq1HfcOMiQEt/2STbFBhSfzyz5lYoALmdI=,tag:7QvzpR/deD5B7Hm0C4ghgw==,type:str]
 pgp:
 - created_at: "2024-01-31T01:20:30Z"
 enc: |-
diff --git a/hosts/iron/services/default.nix b/hosts/iron/services/default.nix
index 94f5ccb..15537cd 100644
--- a/hosts/iron/services/default.nix
+++ b/hosts/iron/services/default.nix
@@ -12,6 +12,7 @@
 ./navidrome.nix
 ./nginx.nix
 ./ntp.nix
+ ./photoprism.nix
 ./public-ip-tunnel.nix
 ./radicale.nix
 ./remarkable.nix
diff --git a/hosts/iron/services/photoprism.nix b/hosts/iron/services/photoprism.nix
new file mode 100644
index 0000000..47bbefe
--- /dev/null
+++ b/hosts/iron/services/photoprism.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+ domain = "media.weinturm-open-air.de";
+ nextcloudDomain = "cloud.weinturm-open-air.de";
+ inherit (config.networking) ports;
+ cfg = config.services.photoprism;
+ readSecretWrapper = pkgs.writeShellScriptBin "photoprism" ''
+ export PHOTOPRISM_OIDC_SECRET=$(cat "$CREDENTIALS_DIRECTORY/PHOTOPRISM_OIDC_SECRET_FILE")
+
+ tagline[0]="Dein Blick. Unser Festival."
+ tagline[1]="Zeig uns das Festival durch deine Linse!"
+ tagline[2]="Gemeinsam festgehalten – Festivalmomente von euch für alle."
+ tagline[3]="Mach’s unvergesslich – lade deine Festivalfotos hoch!"
+ tagline[4]="Die besten Shots kommen von dir – teile sie hier."
+ tagline[5]="Jede Perspektive zählt – dein Foto, unser Highlight."
+ tagline[6]="Klick. Hochladen. Festivalgeschichte schreiben."
+ tagline[7]="Von der Crowd für die Crowd – Festivalfotos zum Verlieben."
+ tagline[8]="Dein Beitrag zum Festival-Archiv – jetzt Fotos teilen!"
+ tagline[9]="Weil kein Moment verloren gehen darf – deine Kamera zählt."
+
+ size=''${#tagline[@]}
+ index=$(($RANDOM % $size))
+ export PHOTOPRISM_SITE_CAPTION="''${tagline[$index]}"
+
+ exec ${pkgs.photoprism}/bin/photoprism "$@"
+ '';
+in
+{
+ sops.secrets."photoprism/oidc-secret" = {
+ sopsFile = ../secrets.yaml;
+ };
+
+ systemd.services.photoprism.serviceConfig.LoadCredential = lib.mkForce "PHOTOPRISM_OIDC_SECRET_FILE:${config.sops.secrets."photoprism/oidc-secret".path}";
+
+ services.photoprism = {
+ enable = true;
+ originalsPath = "/weinturm/photoprism";
+ port = ports.photoprism.tcp;
+ package = readSecretWrapper;
+ settings = {
+ PHOTOPRISM_SITE_URL = "https://${domain}/";
+ PHOTOPRISM_OIDC_URI = "https://${nextcloudDomain}";
+ PHOTOPRISM_OIDC_CLIENT = "WnqjmaPJ5c0dY7KaWmvXVVgJYNjztqTKBZ6Wq6bjYXGOwM2Xuzx2WabFlnJVRCSE"; # Client ID from settings
+ PHOTOPRISM_OIDC_SCOPES = "openid profile email roles";
+ PHOTOPRISM_OIDC_PROVIDER = "Nextcloud";
+ PHOTOPRISM_OIDC_ICON = "https://${nextcloudDomain}/apps/theming/image/logo";
+ PHOTOPRISM_OIDC_REDIRECT = "true";
+ PHOTOPRISM_OIDC_REGISTER = "true";
+ PHOTOPRISM_OIDC_USERNAME = "preferred_username";
+ PHOTOPRISM_OIDC_WEBDAV = "true";
+ PHOTOPRISM_ORIGINALS_LIMIT = toString (20 * 1024); # maximum size of media files in MB
+ PHOTOPRISM_INDEX_SCHEDULE = "@every 4h";
+ PHOTOPRISM_DEFAULT_LOCALE = "de";
+ PHOTOPRISM_DEFAULT_TIMEZONE = "Europe/Berlin";
+ PHOTOPRISM_SITE_TITLE = "Weinturm Medien";
+ PHOTOPRISM_SITE_CAPTION = "";
+ PHOTOPRISM_SITE_AUTHOR = "Jugend- und Kultur Förderverein e.V.";
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
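Review bot: `lib.mkForce` on `systemd.services.photoprism.serviceConfig.LoadCredential` replaces whatever the upstream photoprism module already puts in that option, so any credential it loads itself (if I read the nixpkgs module correctly it uses the same mechanism for `passwordFile`) would silently stop being passed to the unit. Declaring a one-element list instead, `LoadCredential = [ "PHOTOPRISM_OIDC_SECRET_FILE:${config.sops.secrets."photoprism/oidc-secret".path}" ];`, lets the NixOS unit-option merge concatenate rather than clobber, and a short comment that the wrapper reads this credential from `$CREDENTIALS_DIRECTORY` (so the sops file can stay root-only) would explain why the secret is not simply set via `environment`. The `PHOTOPRISM_SITE_CAPTION = ""` entry in `settings` is dead: the wrapper exports its own value after systemd has populated the environment, so a comment such as `# overridden at start by the random tagline in readSecretWrapper` saves the next reader a search. Unless nginx.nix sets it globally, the vhost also needs a `client_max_body_size` in `extraConfig` for uploads anywhere near the 20 GB `PHOTOPRISM_ORIGINALS_LIMIT` to get past nginx's 1m default. `PHOTOPRISM_OIDC_REGISTER = "true"` means every account the Nextcloud IdP authenticates gets a PhotoPrism account created on first login; if that is intended, a comment next to the line documenting that trust boundary is worth having.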