author | Alan Pearce | 2024-12-29 16:43:43 +0100 |
---|---|---|
committer | Alan Pearce | 2024-12-29 18:35:08 +0100 |
commit | 019976b57ef1fedc24fc7fc6f5e69f25e8f8612e (patch) | |
tree | 75533d72c0117aaa9eb945ff7f5da73ff05ef794 | |
parent | 64eccd54a840a924eac98bcfa884d65b19c22636 (diff) | |
linde: set up photoprism using hetzner storage box
-rw-r--r-- | secrets/cifs-photoprism.age | bin | 0 -> 368 bytes | |||
-rw-r--r-- | secrets/photoprism.age | 7 | ||||
-rw-r--r-- | secrets/secrets.nix | 2 | ||||
-rw-r--r-- | system/linde.nix | 57 |
4 files changed, 66 insertions, 0 deletions
diff --git a/secrets/cifs-photoprism.age b/secrets/cifs-photoprism.age new file mode 100644 index 00000000..cab56f39 --- /dev/null +++ b/secrets/cifs-photoprism.age Binary files differdiff --git a/secrets/photoprism.age b/secrets/photoprism.age new file mode 100644 index 00000000..7b6534fa --- /dev/null +++ b/secrets/photoprism.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cvV2sw n4h/PGlbNj9UGICFTdf94svZOLL2uCrtYrmRVCgquC0 +w8sZ6j2n/xlPW1KmIESNehy5M6xXzuRiYb4fWNk9bZo +-> piv-p256 VBDKjg AvdZP758E9FCgQNfaMEH2BhPjHtZOe2hVLN008cZYeID +jPxUhgwOLnO3ioVvinqDHVwYYWi88zH+1VoJn4lTOx8 +--- p7T2ZkbKKr7yewVtqnzYvb/9Nw06mMZZrsQaXQmT1Ts +R^`bӂ-ѵ[dGr:4R^Gy*}t'^/(<g";#.:CA \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3cfcf017..c36537a7 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,6 +20,8 @@ let powerdns = [ linde ]; dex = [ linde ]; golink = [ linde ]; + photoprism = [ linde ]; + cifs-photoprism = [ linde ]; dyndns = [ nanopi ]; syncthing = [ nanopi ]; diff --git a/system/linde.nix b/system/linde.nix index 104a33a2..6628637e 100644 --- a/system/linde.nix +++ b/system/linde.nix @@ -45,6 +45,8 @@ in dex.file = ../secrets/dex.age; powerdns.file = ../secrets/powerdns.age; redis-website.file = ../secrets/redis-website.age; + photoprism.file = ../secrets/photoprism.age; + cifs-photoprism.file = ../secrets/cifs-photoprism.age; golink = let golink = config.services.golink; in { # hope this doesn't collide... path = "${golink.dataDir}/.config/tsnet-golink/auth.key"; @@ -67,6 +69,7 @@ in environment.homeBinInPath = true; environment.localBinInPath = true; environment.systemPackages = with pkgs; [ + cifs-utils htop lsof powerdns 
@@ -782,6 +785,18 @@ in
 file_server
 '';
 };
+ "photos.alanpearce.eu" =
+ let
+ srv = config.services.photoprism;
+ in
+ {
+ useACMEHost = "alanpearce.eu";
+ extraConfig = ''
+ encode zstd gzip
+ ${security-headers {}}
+ reverse_proxy ${srv.address}:${toString srv.port}
+ '';
+ };
 };
 };
 systemd.services.caddy.serviceConfig = {
@@ -1123,4 +1138,46 @@ in
 default = [{ type = "insecureAcceptAnything"; }];
 };
 };
+
+ fileSystems."/srv/photoprism" = {
+ device = "//u439959-sub1.your-storagebox.de/u439959-sub1";
+ fsType = "smb3";
+ options =
+ let
+ # prevents hanging on network split
+ automount_opts = [
+ "x-systemd.automount"
+ "noauto"
+ "x-systemd.idle-timeout=1h"
+ "x-systemd.mount-timeout=5s"
+ ];
+ uid = 64600;
+ in
+ automount_opts ++ [
+ "credentials=${config.age.secrets.cifs-photoprism.path}"
+ "seal"
+ "multichannel"
+ "nobrl" # needed for sqlite
+ "forceuid"
+ "forcegid"
+ "uid=${toString uid}"
+ "gid=${toString uid}"
+ ];
+ };
+ services.photoprism = {
+ enable = true;
+ passwordFile = config.age.secrets.photoprism.path;
+ originalsPath = "/srv/photoprism/originals";
+ importPath = "/srv/photoprism/import";
+ settings = {
+ PHOTOPRISM_SITE_URL = "https://photos.alanpearce.eu";
+ PHOTOPRISM_SITE_CAPTION = "Alan‘s Photos";
+ PHOTOPRISM_DISABLE_TLS = "true";
+ PHOTOPRISM_SIDECAR_PATH = "/srv/photoprism/sidecar";
+ PHOTOPRISM_SPONSOR = "true";
+ };
+ };
+ systemd.services.photoprism = {
+ unitConfig.RequiresMountsFor = "/srv/photoprism";
+ };
 } |
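Review bot: In the `photos.alanpearce.eu` vhost, `reverse_proxy ${srv.address}:${toString srv.port}` takes its upstream from `services.photoprism.address`, which this commit never sets, while the last hunk sets `PHOTOPRISM_DISABLE_TLS = "true"`. The proxy hop is therefore cleartext HTTP and is only safe while that address resolves to loopback, which presumably is the module default but is not visible here. Pinning it in the service definition with `address = "127.0.0.1";`, or at least adding `# upstream is plain HTTP; services.photoprism.address must stay on loopback` above the `reverse_proxy` line, would keep a later override from exposing the unencrypted listener. The vhost also publishes a new login surface guarded only by PhotoPrism's own admin password, so it is worth confirming that is intended for this host.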
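Review bot: The option list for `fileSystems."/srv/photoprism"` sets `forceuid`/`forcegid` but no `file_mode`/`dir_mode`, so the CIFS mount most likely falls back to world-readable default modes and every local user and service on linde can read the originals. Adding `"file_mode=0600" "dir_mode=0700"` and `"nosuid" "nodev" "noexec"` to the list after `automount_opts ++ [` would restrict the share to the owning uid and stop the remote share from supplying setuid binaries or device nodes. `uid = 64600;` is a bare number with no visible link to the account the photoprism unit runs as. If that unit uses a dynamically allocated user, the number is not guaranteed to stay with it and could later belong to another service, which would then own the mount. A static user and group, or at least `# must equal the uid/gid the photoprism service runs as` on that line, would make the dependency explicit.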