Arion: Add recipes

2025-03-10 21:25:06 +01:00 · 2025-03-10 21:25:06 +01:00 · db64b8d2fb
commit db64b8d2fb
parent f5f9de6142
3 changed files with 142 additions and 0 deletions
--- a/hosts/franz/arion/recipes/arion-compose.nix
+++ b/hosts/franz/arion/recipes/arion-compose.nix
@ -0,0 +1,81 @@
+{
+  project.name = "recipes";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+  networks.internal = { };
+
+  services = {
+    mealie.service = {
+      image = "ghcr.io/mealie-recipes/mealie:v2.5.0";
+      container_name = "mealie";
+      # deploy.resources.limits.memory = "1000M";
+      labels = {
+        "traefik.enable" = "true";
+        "diun.enable" = "true";
+        "traefik.docker.network" = "dmz";
+
+        "traefik.http.services.mealie.loadbalancer.server.port" = "9000";
+        "traefik.http.routers.mealie.service" = "mealie";
+        "traefik.http.routers.mealie.entrypoints" = "websecure";
+        "traefik.http.routers.mealie.rule" = "Host(`recipes.ghoscht.com`)";
+        "traefik.http.routers.mealie.tls" = "true";
+        "traefik.http.routers.mealie.tls.certresolver" = "letsencrypt";
+
+        "pihole.custom-record" = "[[\"recipes.ghoscht.com\", \"ghoscht.com\"]]";
+      };
+      volumes = [
+        "/home/ghoscht/.docker/recipes/mealie_data/:/app/data/"
+      ];
+      environment = {
+        ALLOW_SIGNUP = "false";
+        PUID = "1000";
+        PGID = "1000";
+        TZ = "Europe/Berlin";
+        BASE_URL = "https://recipes.ghoscht.com";
+        # Database Settings
+        DB_ENGINE = "postgres";
+        POSTGRES_SERVER = "postgres";
+        POSTGRES_PORT = "5432";
+        # OIDC
+        OIDC_AUTH_ENABLED = "true";
+        OIDC_CONFIGURATION_URL = "https://auth.ghoscht.com/application/o/mealie/.well-known/openid-configuration";
+        OIDC_PROVIDER_NAME = "Authentik";
+        OIDC_USER_GROUP = "Mealie User";
+        OIDC_ADMIN_GROUP = "Mealie Admin";
+        OIDC_AUTO_REDIRECT = "true";
+        OIDC_REMEMBER_ME = "true";
+      };
+      env_file = [ "/home/ghoscht/.docker/recipes/mealie.env" ];
+      restart = "always";
+      depends_on = [ "postgres" ];
+      networks = [
+        "dmz"
+        "internal"
+      ];
+    };
+    postgres.service = {
+      image = "postgres:17.2";
+      restart = "always";
+      volumes = [
+        "/home/ghoscht/.docker/recipes/postgres_data:/var/lib/postgresql/data"
+      ];
+      env_file = [ "/home/ghoscht/.docker/recipes/mealie_db.env" ];
+      healthcheck = {
+        test = [
+          "CMD-SHELL"
+          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
+        ];
+        start_period = "20s";
+        interval = "30s";
+        retries = 5;
+        timeout = "5s";
+      };
+      networks = [
+        "internal"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/recipes/arion-pkgs.nix
+++ b/hosts/franz/arion/recipes/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/recipes/default.nix
+++ b/hosts/franz/arion/recipes/default.nix
@ -0,0 +1,55 @@
+{ config, ... }:
+let
+  vars = import ../../../../vars.nix;
+in
+{
+  virtualisation.arion = {
+    projects.recipes.settings = {
+      imports = [ ./arion-compose.nix ];
+    };
+  };
+  sops.secrets = {
+    "recipes/db_user" = {
+      owner = vars.user;
+    };
+    "recipes/db_password" = {
+      owner = vars.user;
+    };
+    "recipes/db_name" = {
+      owner = vars.user;
+    };
+
+    "recipes/mealie_oidc_client_id" = {
+      owner = vars.user;
+    };
+    "recipes/mealie_oidc_client_secret" = {
+      owner = vars.user;
+    };
+  };
+
+  sops.templates = {
+    "mealie_db.env" = {
+      path = "/home/${vars.user}/.docker/recipes/mealie_db.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        POSTGRES_USER="${config.sops.placeholder."recipes/db_user"}"
+        POSTGRES_PASSWORD="${config.sops.placeholder."recipes/db_password"}"
+        POSTGRES_DB="${config.sops.placeholder."recipes/db_name"}"
+      '';
+    };
+    "mealie.env" = {
+      path = "/home/${vars.user}/.docker/recipes/mealie.env";
+      owner = vars.user;
+      mode = "0775";
+      content = ''
+        OIDC_CLIENT_ID="${config.sops.placeholder."recipes/mealie_oidc_client_id"}"
+        OIDC_CLIENT_SECRET="${config.sops.placeholder."recipes/mealie_oidc_client_secret"}"
+
+        POSTGRES_USER="${config.sops.placeholder."recipes/db_user"}"
+        POSTGRES_PASSWORD="${config.sops.placeholder."recipes/db_password"}"
+        POSTGRES_DB="${config.sops.placeholder."recipes/db_name"}"
+      '';
+    };
+  };
+}