Add photoprism

hosts/iron/ports.nix

@@ -14,6 +14,7 @@
     navidrome.tcp = 4533;
     nginx-http.tcp = 80;
     nginx-https.tcp = 443;
+    photoprism.tcp = 2342;
     postfix-relay.tcp = 25;
     postfix-submission.tcp = 465;
     qbittorrent-torrent.tcp = 59832;
@@ -21,8 +22,8 @@
     radicale.tcp = 5232;
     rmfakecloud.tcp = 3000;
     snapserver.tcp = 1704;
-    snapserverTcp.tcp = 1705;
     snapserverHttp.tcp = 1780;
+    snapserverTcp.tcp = 1705;
     unifi-http.tcp = 8080;
     unifi-https.tcp = 8443;
     wireguard-public-ip-tunnel.udp = 51000;

hosts/iron/secrets.yaml

@@ -14,6 +14,8 @@ home-assistant: ENC[AES256_GCM,data:wcFMxDdRCHf/shO9v2WaGgrsa9J2WP62xFs=,iv:9cke
 mqtt-users:
     home-assistant: ENC[AES256_GCM,data:oIjCw7ZnA5iOBmQdW1jcy3QQnpjT32pY,iv:5HFRkXJBdMXQbjk2ubQs3sEy5qEteiqSe2hrNc8+H40=,tag:7B6yI4oCHanE0JE/gHaKnQ==,type:str]
     valetudo: ENC[AES256_GCM,data:+HRz6X+A5dhmx43G99ka0u9VozuzOFWR,iv:SPw5yoiBqN7sBH5EofevacTtu45jmuTPqToKrar0aJ0=,tag:lf+usB/eNNP1yuWW/QyTqQ==,type:str]
+photoprism:
+    oidc-secret: ENC[AES256_GCM,data:XTAiUiGZJfSZHNbz6fePl3iMDdbxFSE7+SQH2ECRFqlo7w8TAhLyNXBxlEfGvu+8vttbKdkEm0r7132Q4ftOtA==,iv:WGsQXolbtRWIq4EDgODWNmkXdOZCsA9A3Fqoo4lJyec=,tag:5zJftwB5If/RZB3hI0Ly8A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -29,8 +31,8 @@ sops:
             SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
             GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-01T23:14:53Z"
+    lastmodified: "2025-04-17T13:32:20Z"
-    mac: ENC[AES256_GCM,data:1m+Ml5Vhm87U4xz1kKNZ/4E+RqweUt2ypYh1JTYVHHV3dgySJytkwn0pFZj3RfR+z4r03hrvSuBt0ldWSn8UvGLHsJj8L9AqfDXyPg3SI6uRS6UeAbqZFs5HhNQzkNKwPnZ9KPbXJ8ab8Ck+jSfEcrtPShDOgDp9jTJZ91hTB1c=,iv:6tVJI31180asGh+MMguAeKtD4SY6W/2Pizqjt0SV4v8=,tag:0ghRP8locNjtvpIYL8tDlg==,type:str]
+    mac: ENC[AES256_GCM,data:5LX+9RdaHlMOd/gwsr9xdQZB2IQee6xx0YxUQ+sXIXe5xH+cgw8vm0Gd1YFjOT9Yf8DZ/51y8XSOMXP/oT36iYGpenb84ZGV+9X3aAT8+PWZxr6eJ8raDTO/sof5r/qVrxHls3Hl2nmKI6UzTZD8PINThIaEdy9mpfxRrrcL/iU=,iv:pkPEWcVAZBq1HfcOMiQEt/2STbFBhSfzyz5lYoALmdI=,tag:7QvzpR/deD5B7Hm0C4ghgw==,type:str]
     pgp:
         - created_at: "2024-01-31T01:20:30Z"
           enc: |-

hosts/iron/services/default.nix

@@ -12,6 +12,7 @@
     ./navidrome.nix
     ./nginx.nix
     ./ntp.nix
+    ./photoprism.nix
     ./public-ip-tunnel.nix
     ./radicale.nix
     ./remarkable.nix

hosts/iron/services/photoprism.nix

@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "media.weinturm-open-air.de";
+  nextcloudDomain = "cloud.weinturm-open-air.de";
+  inherit (config.networking) ports;
+  cfg = config.services.photoprism;
+  readSecretWrapper = pkgs.writeShellScriptBin "photoprism" ''
+    export PHOTOPRISM_OIDC_SECRET=$(cat "$CREDENTIALS_DIRECTORY/PHOTOPRISM_OIDC_SECRET_FILE")
+
+    tagline[0]="Dein Blick. Unser Festival."
+    tagline[1]="Zeig uns das Festival durch deine Linse!"
+    tagline[2]="Gemeinsam festgehalten – Festivalmomente von euch für alle."
+    tagline[3]="Mach’s unvergesslich – lade deine Festivalfotos hoch!"
+    tagline[4]="Die besten Shots kommen von dir – teile sie hier."
+    tagline[5]="Jede Perspektive zählt – dein Foto, unser Highlight."
+    tagline[6]="Klick. Hochladen. Festivalgeschichte schreiben."
+    tagline[7]="Von der Crowd für die Crowd – Festivalfotos zum Verlieben."
+    tagline[8]="Dein Beitrag zum Festival-Archiv – jetzt Fotos teilen!"
+    tagline[9]="Weil kein Moment verloren gehen darf – deine Kamera zählt."
+
+    size=''${#tagline[@]}
+    index=$(($RANDOM % $size))
+    export PHOTOPRISM_SITE_CAPTION="''${tagline[$index]}"
+
+    exec ${pkgs.photoprism}/bin/photoprism "$@"
+  '';
+in
+{
+  sops.secrets."photoprism/oidc-secret" = {
+    sopsFile = ../secrets.yaml;
+  };
+
+  systemd.services.photoprism.serviceConfig.LoadCredential = lib.mkForce "PHOTOPRISM_OIDC_SECRET_FILE:${config.sops.secrets."photoprism/oidc-secret".path}";
+
+  services.photoprism = {
+    enable = true;
+    originalsPath = "/weinturm/photoprism";
+    port = ports.photoprism.tcp;
+    package = readSecretWrapper;
+    settings = {
+      PHOTOPRISM_SITE_URL = "https://${domain}/";
+      PHOTOPRISM_OIDC_URI = "https://${nextcloudDomain}";
+      PHOTOPRISM_OIDC_CLIENT = "WnqjmaPJ5c0dY7KaWmvXVVgJYNjztqTKBZ6Wq6bjYXGOwM2Xuzx2WabFlnJVRCSE"; # Client ID from settings
+      PHOTOPRISM_OIDC_SCOPES = "openid profile email roles";
+      PHOTOPRISM_OIDC_PROVIDER = "Nextcloud";
+      PHOTOPRISM_OIDC_ICON = "https://${nextcloudDomain}/apps/theming/image/logo";
+      PHOTOPRISM_OIDC_REDIRECT = "true";
+      PHOTOPRISM_OIDC_REGISTER = "true";
+      PHOTOPRISM_OIDC_USERNAME = "preferred_username";
+      PHOTOPRISM_OIDC_WEBDAV = "true";
+      PHOTOPRISM_ORIGINALS_LIMIT = toString (20 * 1024); # maximum size of media files in MB
+      PHOTOPRISM_INDEX_SCHEDULE = "@every 4h";
+      PHOTOPRISM_DEFAULT_LOCALE = "de";
+      PHOTOPRISM_DEFAULT_TIMEZONE = "Europe/Berlin";
+      PHOTOPRISM_SITE_TITLE = "Weinturm Medien";
+      PHOTOPRISM_SITE_CAPTION = "";
+      PHOTOPRISM_SITE_AUTHOR = "Jugend- und Kultur Förderverein e.V.";
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}