feat: services for nas all up and running

2025-12-14 10:30:52 -06:00 · 2025-12-09 21:01:56 -06:00 · 2025-12-09 21:01:56 -06:00 · 8649008c93
commit 8649008c93
parent 92088ed139
9 changed files with 54 additions and 21 deletions
--- a/modules/nixos/homelab/guests/photoprism/config/default.nix
+++ b/modules/nixos/homelab/guests/photoprism/config/default.nix
@ -34,11 +34,12 @@ in
                enable = true;
                settings = {
                  PHOTOPRISM_SITE_URL = "https://${host}";
-                  PHOTOPRISM_DISABLE_TLS = "true";
                  PHOTOPRISM_ADMIN_USER = user;
+                  PHOTOPRISM_DISABLE_TLS = "true";
                  PHOTOPRISM_DEFAULT_LOCAL = "en";
                };
-                passwordFile = "/run/secrets/${user}-pass";
+                passwordFile = "/etc/photoprism-secrets/${user}-pass";
+                # databasePasswordFile = "/etc/photoprism-secrets/${user}-pass";
                storagePath = "/var/lib/${serviceCfg.name}";
                originalsPath = "/var/lib/${serviceCfg.name}-media";
                address = "0.0.0.0";
@ -61,17 +62,41 @@ in

            networking.firewall.allowedTCPPorts = [
              22
-              2342
+              serviceCfg.ports.port0
            ];

            systemd = {
              services = {
+                # fix-secrets-permissions = {
+                #   description = "Fix secrets permissions for photoprism";
+                #   wantedBy = [ "multi-user.target" ];
+                #   before = [
+                #     "photoprism.service"
+                #   ];
+                #   serviceConfig = {
+                #     Type = "oneshot";
+                #     RemainAfterExit = true;
+                #   };
+                #   script = ''
+                #     mkdir -p /etc/photoprism-secrets
+                #     cp /run/secrets/${user}-pass /etc/photoprism-secrets/${user}-pass
+                #     chmod 755 /etc/photoprism-secrets
+                #     chmod 644 /etc/photoprism-secrets/*
+                #   '';
+                # };
                photoprism = {
                  serviceConfig = {
                    DynamicUser = lib.mkForce false;
                    User = serviceCfg.name;
                    Group = serviceCfg.name;
+                    # Override LoadCredential to use our secrets path
+                    LoadCredential = lib.mkForce [
+                      "PHOTOPRISM_ADMIN_PASSWORD_FILE:/run/secrets/${user}-pass"
+                    ];
                  };
+                  # Make sure secrets are mounted before service starts
+                  after = [ "run-secrets.mount" ];
+                  requires = [ "run-secrets.mount" ];
                };
                systemd-networkd.wantedBy = [
                  "multi-user.target"
@ -80,7 +105,7 @@ in
              network = {
                enable = true;
                networks."20-lan" = {
-                  matchConfig.Name = "enp0s*";
+                  matchConfig.Name = "enp0s6";
                  addresses = [
                    { Address = "${ip}/24"; }
                  ];