firefox: Add karakeep extension

hosts/vps-private/default.nix

@@ -52,6 +52,11 @@
           domain = "budget.${privateDomain}";
           doBackups = true;
         };
+
+        karakeep = {
+          enable = true;
+          domain = "bookmarks.${privateDomain}";
+        };
       };
     };
 }

hosts/vps-private/secrets.json

@@ -21,6 +21,9 @@
     "api-key": "ENC[AES256_GCM,data:RV/+aEQRcfQ9LMjZjxGNvCeiso51VqvqrOBRRrR/dXhmBvyoGuh2LaAjyoDoWEjWy5kIStStR+jXZEFWZ8KXvnmEnoU=,iv:j3sYW85Vf88EfeOfezlspDxEms6YqZYnzy5JAiES3+U=,tag:0M9vDvsirc6ze3Ut+yMSoA==,type:str]",
     "secret-api-key": "ENC[AES256_GCM,data:SUngZ65fBmC9WlPkmJMjyBb6sHREKhqyRj9fsBGkj5IyjtGDfQ1b7Iv0VNeSY//bWv0VZruwT48a320BUlg1xiNCKU8=,iv:glUaArlHJsxCP5z3y7JnWvmtsdRzszXhYydpd1YaX5U=,tag:185iAkQ/J9CfKkTsgPP6lA==,type:str]"
   },
+  "karakeep": {
+    "openai-api-key": "ENC[AES256_GCM,data:ZOVkdDWpSJ98spHm3XUuGZ4vrRBEUyCBE4Nnpm/zVwKSi6yDbbKyZffc4jwOiffUVhwM5HKmUEosI2Qdn7Z7yjJHSHgrn9mN/e7mKIrPkzZx+FNsVfPx6RAzstgbxkBjBshGiGEPcamevAMEhPlnhucqwanDk65OSn6ohQ+RCsQvKe9HsgvVq6ERPGWkHKPAAaop5asZ3ljjQ4ZEla/Q3K7/HjC6hqg=,iv:Dmx6C3jyNk4lFlv220Dkp4+UFQEushPgEwN9hexbZtU=,tag:8w55PPnbrysohj1kUztADA==,type:str]"
+  },
   "sops": {
     "age": [
       {
@@ -32,8 +35,8 @@
         "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n"
       }
     ],
-    "lastmodified": "2026-01-14T19:40:46Z",
-    "mac": "ENC[AES256_GCM,data:+0TFeTpGFWwry9PdMMrLTdpvqccvsTh2x1Sh1tpaK3SGa4o+dSC1qKsHMmlhMscuPeo/NbnSHXQ0gW6uuc6KqI4oWP/d806PCKVICKBHmuPiWV5v8o0HmTuK43kSQrwsoaf1+MymfDzBNfCE0S3exEFGkF64fCwofF7LscKsuS8=,iv:yv/igV1ZugPIuCwPY/vK3WbDP8qb6YAaG48QmvHPVdA=,tag:uBeyG0eLOqu3GAI7+ZJoQQ==,type:str]",
+    "lastmodified": "2026-02-10T16:57:40Z",
+    "mac": "ENC[AES256_GCM,data:nxP4NpN42CrhfBncgepdrF/4J9inbmFiTUy8y0DUWiP+5Utp2Xdz7ySiPOCXqBLBasqPO8TvL1CfK5uPnST+n7EspZAyCDfzrc6x5dVkmE9DrURrAep8Yz3OmpK/udgn5SKIByHxdoo5I3CHkLLr7VwgETTxlMxJtnMLNfcy8zA=,iv:VURJnLY8onsXt8c7zcHfeOPHkHb/xiEASOvMrvaayZ4=,tag:wmsoeeXYSy/Z/E8Wr6ioGQ==,type:str]",
     "unencrypted_suffix": "_unencrypted",
     "version": "3.11.0"
   }

modules/home/programs/firefox.nix

@@ -5,10 +5,76 @@
   lib,
   ...
 }:
-{
-  options.custom.programs.firefox.enable = lib.mkEnableOption "";
+let
+  cfg = config.custom.programs.firefox;
+
+  mkExtension =
+    {
+      name,
+      uuid,
+      defaultArea,
+      ...
+    }:
+    {
+      name = uuid;
+      value = {
+        install_url = "file:///${
+          inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system}.${name}
+        }/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${uuid}.xpi";
+        installation_mode = "force_installed";
+        default_area = defaultArea;
+      };
+    };
+in
+{
+  options.custom.programs.firefox = {
+    enable = lib.mkEnableOption "";
+    extensions = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.submodule (
+          { name, ... }:
+          {
+            options = {
+              enable = lib.mkEnableOption "" // {
+                default = true;
+              };
+              name = lib.mkOption {
+                type = lib.types.nonEmptyStr;
+                default = name;
+              };
+              uuid = lib.mkOption {
+                type = lib.types.nonEmptyStr;
+                default = "";
+              };
+              defaultArea = lib.mkOption {
+                type = lib.types.enum [
+                  "menupanel"
+                  "navbar"
+                ];
+                default = "menupanel";
+              };
+            };
+          }
+        )
+      );
+      default = { };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    custom.programs.firefox.extensions = {
+      dictionary-german.uuid = "de-DE@dictionaries.addons.mozilla.org";
+      ublock-origin.uuid = "uBlock0@raymondhill.net";
+      bitwarden.uuid = "{446900e4-71c2-419f-a6a7-df9c091e268b}";
+      return-youtube-dislikes.uuid = "{762f9885-5a13-4abd-9c77-433dcd38b8fd}";
+      sponsorblock.uuid = "sponsorBlocker@ajay.app";
+      clearurls.uuid = "{74145f27-f039-47ce-a470-a662b129930a}";
+      karakeep = {
+        uuid = "addon@karakeep.app";
+        defaultArea = "navbar";
+      };
+    };
 
-  config = lib.mkIf config.custom.programs.firefox.enable {
     programs.firefox = {
       enable = true;
 
@@ -40,29 +106,16 @@
       };
 
       policies.ExtensionSettings =
-        let
-          extension = shortId: uuid: {
-            name = uuid;
-            value = {
-              install_url = "file:///${
-                inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system}.${shortId}
-              }/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/${uuid}.xpi";
-              installation_mode = "force_installed";
-              default_area = "menupanel";
-            };
-          };
-        in
-        {
+        (
+          cfg.extensions
+          |> lib.attrValues
+          |> lib.filter ({ enable, ... }: enable)
+          |> lib.map mkExtension
+          |> lib.listToAttrs
+        )
+        // {
           "*".installation_mode = "blocked";
-        }
-        // lib.listToAttrs [
-          (extension "dictionary-german" "de-DE@dictionaries.addons.mozilla.org")
-          (extension "ublock-origin" "uBlock0@raymondhill.net")
-          (extension "bitwarden" "{446900e4-71c2-419f-a6a7-df9c091e268b}")
-          (extension "return-youtube-dislikes" "{762f9885-5a13-4abd-9c77-433dcd38b8fd}")
-          (extension "sponsorblock" "sponsorBlocker@ajay.app")
-          (extension "clearurls" "{74145f27-f039-47ce-a470-a662b129930a}")
-        ];
+        };
     };
   };
 }

modules/system/web-services/karakeep.nix

@@ -0,0 +1,62 @@
+{ config, lib, ... }:
+let
+  cfg = config.custom.web-services.karakeep;
+in
+{
+  options.custom.web-services.karakeep = {
+    enable = lib.mkEnableOption "";
+    domain = lib.mkOption {
+      type = lib.types.nonEmptyStr;
+      default = "";
+    };
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 18195;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops = {
+      secrets."karakeep/openai-api-key" = { };
+      templates."karakeep.env" = {
+        content = "OPENAI_API_KEY=${config.sops.placeholder."karakeep/openai-api-key"}";
+        owner = config.users.users.karakeep.name;
+        restartUnits = [ "karakeep-web.service" ];
+      };
+    };
+
+    services.karakeep = {
+      enable = true;
+      environmentFile = config.sops.templates."karakeep.env".path;
+      extraEnvironment = {
+        PORT = toString cfg.port;
+        DISABLE_NEW_RELEASE_CHECK = "true";
+        OCR_LANGS = "eng,deu";
+      };
+    };
+
+    users = {
+      users.meilisearch = {
+        isSystemUser = true;
+        group = config.users.groups.meilisearch.name;
+      };
+      groups.meilisearch = { };
+    };
+
+    systemd.services.meilisearch.serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      User = config.users.users.meilisearch.name;
+      Group = config.users.groups.meilisearch.name;
+      ReadWritePaths = lib.mkForce [ ];
+    };
+
+    custom = {
+      services.caddy.virtualHosts.${cfg.domain}.port = cfg.port;
+
+      persistence.directories = [
+        "/var/lib/karakeep"
+        "/var/lib/meilisearch"
+      ];
+    };
+  };
+}