diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index 2dd1244..cdc2d0b 100644 --- a/hosts/vps-private/default.nix +++ b/hosts/vps-private/default.nix @@ -52,6 +52,11 @@ domain = "budget.${privateDomain}"; doBackups = true; }; + + karakeep = { + enable = true; + domain = "bookmarks.${privateDomain}"; + }; }; }; } diff --git a/hosts/vps-private/secrets.json b/hosts/vps-private/secrets.json index 76bac85..1be85cb 100644 --- a/hosts/vps-private/secrets.json +++ b/hosts/vps-private/secrets.json @@ -21,6 +21,9 @@ "api-key": "ENC[AES256_GCM,data:RV/+aEQRcfQ9LMjZjxGNvCeiso51VqvqrOBRRrR/dXhmBvyoGuh2LaAjyoDoWEjWy5kIStStR+jXZEFWZ8KXvnmEnoU=,iv:j3sYW85Vf88EfeOfezlspDxEms6YqZYnzy5JAiES3+U=,tag:0M9vDvsirc6ze3Ut+yMSoA==,type:str]", "secret-api-key": "ENC[AES256_GCM,data:SUngZ65fBmC9WlPkmJMjyBb6sHREKhqyRj9fsBGkj5IyjtGDfQ1b7Iv0VNeSY//bWv0VZruwT48a320BUlg1xiNCKU8=,iv:glUaArlHJsxCP5z3y7JnWvmtsdRzszXhYydpd1YaX5U=,tag:185iAkQ/J9CfKkTsgPP6lA==,type:str]" }, + "karakeep": { + "openai-api-key": "ENC[AES256_GCM,data:ZOVkdDWpSJ98spHm3XUuGZ4vrRBEUyCBE4Nnpm/zVwKSi6yDbbKyZffc4jwOiffUVhwM5HKmUEosI2Qdn7Z7yjJHSHgrn9mN/e7mKIrPkzZx+FNsVfPx6RAzstgbxkBjBshGiGEPcamevAMEhPlnhucqwanDk65OSn6ohQ+RCsQvKe9HsgvVq6ERPGWkHKPAAaop5asZ3ljjQ4ZEla/Q3K7/HjC6hqg=,iv:Dmx6C3jyNk4lFlv220Dkp4+UFQEushPgEwN9hexbZtU=,tag:8w55PPnbrysohj1kUztADA==,type:str]" + }, "sops": { "age": [ { 
@@ -32,8 +35,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2026-01-14T19:40:46Z", - "mac": "ENC[AES256_GCM,data:+0TFeTpGFWwry9PdMMrLTdpvqccvsTh2x1Sh1tpaK3SGa4o+dSC1qKsHMmlhMscuPeo/NbnSHXQ0gW6uuc6KqI4oWP/d806PCKVICKBHmuPiWV5v8o0HmTuK43kSQrwsoaf1+MymfDzBNfCE0S3exEFGkF64fCwofF7LscKsuS8=,iv:yv/igV1ZugPIuCwPY/vK3WbDP8qb6YAaG48QmvHPVdA=,tag:uBeyG0eLOqu3GAI7+ZJoQQ==,type:str]", + "lastmodified": "2026-02-10T16:57:40Z", + "mac": "ENC[AES256_GCM,data:nxP4NpN42CrhfBncgepdrF/4J9inbmFiTUy8y0DUWiP+5Utp2Xdz7ySiPOCXqBLBasqPO8TvL1CfK5uPnST+n7EspZAyCDfzrc6x5dVkmE9DrURrAep8Yz3OmpK/udgn5SKIByHxdoo5I3CHkLLr7VwgETTxlMxJtnMLNfcy8zA=,iv:VURJnLY8onsXt8c7zcHfeOPHkHb/xiEASOvMrvaayZ4=,tag:wmsoeeXYSy/Z/E8Wr6ioGQ==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.11.0" } diff --git a/modules/home/programs/firefox.nix b/modules/home/programs/firefox.nix index 50b7087..0f78491 100644 --- a/modules/home/programs/firefox.nix +++ b/modules/home/programs/firefox.nix 
@@ -5,10 +5,76 @@ lib, ... }: -{ - options.custom.programs.firefox.enable = lib.mkEnableOption ""; +let + cfg = config.custom.programs.firefox; + + mkExtension = + { + name, + uuid, + defaultArea, + ... + }: + { + name = uuid; + value = { + install_url = "file:///${ + inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system}.${name} + }/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${uuid}.xpi"; + installation_mode = "force_installed"; + default_area = defaultArea; + }; + }; +in +{ + options.custom.programs.firefox = { + enable = lib.mkEnableOption ""; + extensions = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule ( + { name, ... }: + { + options = { + enable = lib.mkEnableOption "" // { + default = true; + }; + name = lib.mkOption { + type = lib.types.nonEmptyStr; + default = name; + }; + uuid = lib.mkOption { + type = lib.types.nonEmptyStr; + default = ""; + }; + defaultArea = lib.mkOption { + type = lib.types.enum [ + "menupanel" + "navbar" + ]; + default = "menupanel"; + }; + }; + } + ) + ); + default = { }; + }; + }; + + config = lib.mkIf cfg.enable { + custom.programs.firefox.extensions = { + dictionary-german.uuid = "de-DE@dictionaries.addons.mozilla.org"; + ublock-origin.uuid = "uBlock0@raymondhill.net"; + bitwarden.uuid = "{446900e4-71c2-419f-a6a7-df9c091e268b}"; + return-youtube-dislikes.uuid = "{762f9885-5a13-4abd-9c77-433dcd38b8fd}"; + sponsorblock.uuid = "sponsorBlocker@ajay.app"; + clearurls.uuid = "{74145f27-f039-47ce-a470-a662b129930a}"; + karakeep = { + uuid = "addon@karakeep.app"; + defaultArea = "navbar"; + }; + }; - config = lib.mkIf config.custom.programs.firefox.enable { programs.firefox = { enable = true; 
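Review bot: The `uuid` option in the new `extensions` submodule is declared `type = lib.types.nonEmptyStr` with `default = "";`, a default that can never satisfy its own type. An entry that omits `uuid` should therefore fail with a type-mismatch error rather than the clearer "used but not defined" message; dropping the `default = "";` line makes the option plainly required. Since `uuid` becomes both the `ExtensionSettings` key and part of the `install_url` path in `mkExtension`, a `description` on the option saying it must be the add-on's exact ID would also help. The same `nonEmptyStr` with `default = ""` pattern is on the `domain` option in modules/system/web-services/karakeep.nix. The enclosing attribute set continues outside this hunk.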
@@ -40,29 +106,16 @@ }; policies.ExtensionSettings = - let - extension = shortId: uuid: { - name = uuid; - value = { - install_url = "file:///${ - inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system}.${shortId} - }/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${uuid}.xpi"; - installation_mode = "force_installed"; - default_area = "menupanel"; - }; - }; - in - { + ( + cfg.extensions + |> lib.attrValues + |> lib.filter ({ enable, ... }: enable) + |> lib.map mkExtension + |> lib.listToAttrs + ) + // { "*".installation_mode = "blocked"; - } - // lib.listToAttrs [ - (extension "dictionary-german" "de-DE@dictionaries.addons.mozilla.org") - (extension "ublock-origin" "uBlock0@raymondhill.net") - (extension "bitwarden" "{446900e4-71c2-419f-a6a7-df9c091e268b}") - (extension "return-youtube-dislikes" "{762f9885-5a13-4abd-9c77-433dcd38b8fd}") - (extension "sponsorblock" "sponsorBlocker@ajay.app") - (extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}") - ]; + }; }; }; } diff --git a/modules/system/web-services/karakeep.nix b/modules/system/web-services/karakeep.nix new file mode 100644 index 0000000..19d1449 --- /dev/null +++ b/modules/system/web-services/karakeep.nix 
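Review bot: The new `policies.ExtensionSettings` expression uses the `|>` pipe operator, which Nix accepts only when the experimental `pipe-operators` feature is enabled, so evaluation breaks on any machine or CI runner without it. Unless the repo already enables that everywhere, `lib.pipe cfg.extensions [ lib.attrValues (lib.filter (e: e.enable)) (map mkExtension) lib.listToAttrs ]` is the portable form. The operand order of `//` also changed from the old code and is what keeps the allow-list closed, so it deserves a comment above the `// {` merge, e.g. `# "*" is merged last so no entry in cfg.extensions can override the block-all default`.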
@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.web-services.karakeep;
+in
+{
+ options.custom.web-services.karakeep = {
+ enable = lib.mkEnableOption "";
+ domain = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "";
+ };
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 18195;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ secrets."karakeep/openai-api-key" = { };
+ templates."karakeep.env" = {
+ content = "OPENAI_API_KEY=${config.sops.placeholder."karakeep/openai-api-key"}";
+ owner = config.users.users.karakeep.name;
+ restartUnits = [ "karakeep-web.service" ];
+ };
+ };
+
+ services.karakeep = {
+ enable = true;
+ environmentFile = config.sops.templates."karakeep.env".path;
+ extraEnvironment = {
+ PORT = toString cfg.port;
+ DISABLE_NEW_RELEASE_CHECK = "true";
+ OCR_LANGS = "eng,deu";
+ };
+ };
+
+ users = {
+ users.meilisearch = {
+ isSystemUser = true;
+ group = config.users.groups.meilisearch.name;
+ };
+ groups.meilisearch = { };
+ };
+
+ systemd.services.meilisearch.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = config.users.users.meilisearch.name;
+ Group = config.users.groups.meilisearch.name;
+ ReadWritePaths = lib.mkForce [ ];
+ };
+
+ custom = {
+ services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;
+
+ persistence.directories = [
+ "/var/lib/karakeep"
+ "/var/lib/meilisearch"
+ ];
+ };
+ };
+}
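Review bot: Nothing in `extraEnvironment` closes self-registration, while `services.caddy.virtualHosts.${cfg.domain}.port` publishes the app on its hostname, so if that domain is reachable beyond your own network, anyone who finds it may be able to create an account and spend the OpenAI key through tagging. If Karakeep's `DISABLE_SIGNUPS` setting is what the running version honours (confirm against its docs), add `DISABLE_SIGNUPS = "true";` once your own account exists, or gate the vhost in Caddy. Separately, `restartUnits` lists only `karakeep-web.service`; if the upstream module runs a separate workers unit that also reads `environmentFile`, it would keep the old key after a rotation, so list that unit too.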