all repos — nixfiles @ 019976b57ef1fedc24fc7fc6f5e69f25e8f8612e

System and user configuration, managed by nix and home-manager

linde: set up photoprism using hetzner storage box

Alan Pearce
commit

019976b57ef1fedc24fc7fc6f5e69f25e8f8612e

parent

64eccd54a840a924eac98bcfa884d65b19c22636

4 files changed, 66 insertions(+), 0 deletions(-)

jump to
A secrets/cifs-photoprism.age

Not showing binary file.

A secrets/photoprism.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cvV2sw n4h/PGlbNj9UGICFTdf94svZOLL2uCrtYrmRVCgquC0
+w8sZ6j2n/xlPW1KmIESNehy5M6xXzuRiYb4fWNk9bZo
+-> piv-p256 VBDKjg AvdZP758E9FCgQNfaMEH2BhPjHtZOe2hVLN008cZYeID
+jPxUhgwOLnO3ioVvinqDHVwYYWi88zH+1VoJn4lTOx8
+--- p7T2ZkbKKr7yewVtqnzYvb/9Nw06mMZZrsQaXQmT1Ts
+R^`bӂ-ѵ[dGr:4R^Gy*}t'^/(<g";#.:CA
M secrets/secrets.nixsecrets/secrets.nix
@@ -20,6 +20,8 @@ paperless = [ linde ];
     powerdns = [ linde ];
     dex = [ linde ];
     golink = [ linde ];
+    photoprism = [ linde ];
+    cifs-photoprism = [ linde ];
 
     dyndns = [ nanopi ];
     syncthing = [ nanopi ];
M system/linde.nixsystem/linde.nix
@@ -45,6 +45,8 @@ binarycache.file = ../secrets/binarycache.age;
     dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
     redis-website.file = ../secrets/redis-website.age;
+    photoprism.file = ../secrets/photoprism.age;
+    cifs-photoprism.file = ../secrets/cifs-photoprism.age;
     golink = let golink = config.services.golink; in {
       # hope this doesn't collide...
       path = "${golink.dataDir}/.config/tsnet-golink/auth.key";

@@ -67,6 +69,7 @@
   environment.homeBinInPath = true;
   environment.localBinInPath = true;
   environment.systemPackages = with pkgs; [
+    cifs-utils
     htop
     lsof
     powerdns

@@ -782,6 +785,18 @@ root * /srv/http/go
             file_server
           '';
         };
+        "photos.alanpearce.eu" =
+          let
+            srv = config.services.photoprism;
+          in
+          {
+            useACMEHost = "alanpearce.eu";
+            extraConfig = ''
+              encode zstd gzip
+              ${security-headers {}}
+              reverse_proxy ${srv.address}:${toString srv.port}
+            '';
+          };
       };
   };
   systemd.services.caddy.serviceConfig = {

@@ -1122,5 +1137,47 @@ enable = true;
     policy = {
       default = [{ type = "insecureAcceptAnything"; }];
     };
+  };
+
+  fileSystems."/srv/photoprism" = {
+    device = "//u439959-sub1.your-storagebox.de/u439959-sub1";
+    fsType = "smb3";
+    options =
+      let
+        # prevents hanging on network split
+        automount_opts = [
+          "x-systemd.automount"
+          "noauto"
+          "x-systemd.idle-timeout=1h"
+          "x-systemd.mount-timeout=5s"
+        ];
+        uid = 64600;
+      in
+      automount_opts ++ [
+        "credentials=${config.age.secrets.cifs-photoprism.path}"
+        "seal"
+        "multichannel"
+        "nobrl" # needed for sqlite
+        "forceuid"
+        "forcegid"
+        "uid=${toString uid}"
+        "gid=${toString uid}"
+      ];
+  };
+  services.photoprism = {
+    enable = true;
+    passwordFile = config.age.secrets.photoprism.path;
+    originalsPath = "/srv/photoprism/originals";
+    importPath = "/srv/photoprism/import";
+    settings = {
+      PHOTOPRISM_SITE_URL = "https://photos.alanpearce.eu";
+      PHOTOPRISM_SITE_CAPTION = "Alan‘s Photos";
+      PHOTOPRISM_DISABLE_TLS = "true";
+      PHOTOPRISM_SIDECAR_PATH = "/srv/photoprism/sidecar";
+      PHOTOPRISM_SPONSOR = "true";
+    };
+  };
+  systemd.services.photoprism = {
+    unitConfig.RequiresMountsFor = "/srv/photoprism";
   };
 }