🏡 my personal home lab
kitchenowl
+95
-2
+7
hosts/rk1-node-2.nix
+7
hosts/rk1-node-2.nix
+3
modules/caddy.nix
+3
modules/caddy.nix
···
51
51
"nas.goo.garden".extraConfig = ''
52
52
reverse_proxy 10.0.0.2:5000
53
53
'';
54
+
"kitchen.goo.garden".extraConfig = ''
55
+
reverse_proxy rk1-node-2:9080
56
+
'';
54
57
"probe.outerwilds.space".extraConfig = ''
55
58
reverse_proxy localhost:${config.services.uptime-kuma.settings.PORT}
56
59
'';
+81
modules/kitchenowl.nix
+81
modules/kitchenowl.nix
···
1
+
{ config, ... }:
2
+
{
3
+
virtualisation.oci-containers = {
4
+
backend = "podman";
5
+
containers = {
6
+
kitchenowl-web = {
7
+
image = "tombursch/kitchenowl-web:latest";
8
+
dependsOn = [ "kitchenowl" ];
9
+
environment = {
10
+
BACK_URL = "localhost:5000";
11
+
};
12
+
extraOptions = [ "--pod=kitchenowl-pod" ];
13
+
};
14
+
15
+
kitchenowl = {
16
+
image = "tombursch/kitchenowl-backend:latest";
17
+
environmentFiles = [ config.sops.templates."kitchenowl.env".path ];
18
+
volumes = [ "/var/lib/kitchenowl:/data" ];
19
+
dependsOn = [ "kitchenowl-db" ];
20
+
extraOptions = [ "--pod=kitchenowl-pod" ];
21
+
};
22
+
23
+
kitchenowl-db = {
24
+
image = "postgres:18";
25
+
environmentFiles = [ config.sops.templates."kitchenowl-db.env".path ];
26
+
volumes = [ "/var/lib/kitchenowl-db:/var/lib/postgresql" ];
27
+
extraOptions = [ "--pod=kitchenowl-pod" ];
28
+
};
29
+
};
30
+
};
31
+
32
+
systemd.services.kitchenowl-pod = {
33
+
serviceConfig = {
34
+
Type = "oneshot";
35
+
RemainAfterExit = true;
36
+
ExecStart = "${config.virtualisation.podman.package}/bin/podman pod create --name kitchenowl-pod -p 9080:80";
37
+
ExecStop = "${config.virtualisation.podman.package}/bin/podman pod rm -f kitchenowl-pod";
38
+
};
39
+
wantedBy = [ "multi-user.target" ];
40
+
};
41
+
42
+
systemd.services.podman-kitchenowl-web = {
43
+
after = [ "kitchenowl-pod.service" ];
44
+
requires = [ "kitchenowl-pod.service" ];
45
+
};
46
+
systemd.services.podman-kitchenowl = {
47
+
after = [ "kitchenowl-pod.service" ];
48
+
requires = [ "kitchenowl-pod.service" ];
49
+
};
50
+
systemd.services.podman-kitchenowl-db = {
51
+
after = [ "kitchenowl-pod.service" ];
52
+
requires = [ "kitchenowl-pod.service" ];
53
+
};
54
+
55
+
sops.templates."kitchenowl.env".content = ''
56
+
JWT_SECRET_KEY=${config.sops.placeholder.kitchenowl-jwt-secret}
57
+
DB_DRIVER=postgresql
58
+
DB_HOST=localhost
59
+
DB_PORT=5432
60
+
DB_NAME=kitchenowl
61
+
DB_USER=kitchenowl
62
+
DB_PASSWORD=${config.sops.placeholder.kitchenowl-db-password}
63
+
FRONT_URL=https://kitchen.goo.garden
64
+
OIDC_ISSUER=https://id.goo.garden
65
+
OIDC_CLIENT_ID=${config.sops.placeholder.kitchenowl-oidc-client-id}
66
+
OIDC_CLIENT_SECRET=${config.sops.placeholder.kitchenowl-oidc-client-secret}
67
+
OPEN_REGISTRATION=false
68
+
'';
69
+
sops.templates."kitchenowl-db.env".content = ''
70
+
POSTGRES_DB=kitchenowl
71
+
POSTGRES_USER=kitchenowl
72
+
POSTGRES_PASSWORD=${config.sops.placeholder.kitchenowl-db-password}
73
+
'';
74
+
75
+
sops.secrets.kitchenowl-jwt-secret = { };
76
+
sops.secrets.kitchenowl-db-password = { };
77
+
sops.secrets.kitchenowl-oidc-client-id = { };
78
+
sops.secrets.kitchenowl-oidc-client-secret = { };
79
+
80
+
networking.firewall.allowedTCPPorts = [ 9080 ];
81
+
}
+4
-2
secrets/secrets.yaml
+4
-2
secrets/secrets.yaml
···
8
8
pocket-id-encryption-key: ENC[AES256_GCM,data:GotMtKCXugB+qNvMPRoLHLNFfb60+ngX+ykfInbK1QmRv8SME1+gEjFb08XzodzuydlAKqdR/0svIZPw88YA4g==,iv:7ub4AxT6Dnrr/aE5Wvuyp5hWk8D+zNUMG+P6bYLWGVM=,tag:SlKYIB59TX4lEedgUWBHFw==,type:str]
9
9
kitchenowl-jwt-secret: ENC[AES256_GCM,data:legJFjeCURS2aiVBm5rY9Yz4/9cje22zMn6nRbLfliHSI3Bj2viVvsSCvOnvR+VxCcoJYwPhJPmaMGlCf5LV6g==,iv:vbygH1lPayQeoyemFNLqxJy6N24VvxC4qzj0UKceF9Q=,tag:QPO0/0G9xfpLUg6rjtiEKQ==,type:str]
10
10
kitchenowl-db-password: ENC[AES256_GCM,data:dLbd7ikyUqudXHpdohzwoSGdR4XwrDJpiV5Zxvfvm+kyDgLyoNFeIR2riMxAwSXgoOwNxpsNe9Zhtm6sdsVwTg==,iv:KlVfJwJDGxqzCq3e+208vhtTxA736s6mbweF9Dbjzq8=,tag:AvDPlFZk+7UpeuIL0RAhEA==,type:str]
11
+
kitchenowl-oidc-client-id: ENC[AES256_GCM,data:ifQHYZP6Z3H1SQkQ8XRaZ//GuWf6Jn98+q3nXs7QXGu8QywO,iv:1jfTO846YR57WwCGhVEoxHQZr2W92Z7pWDYPceHDMYo=,tag:BOf81pF/tWDE2Z7/tTHV0g==,type:str]
12
+
kitchenowl-oidc-client-secret: ENC[AES256_GCM,data:rAaxP7OZoQ/soElu10BYnI7L1Fze3AwXkZE1geZ87jE=,iv:nZpHxJZPRndNpAJVrB6YsKPS1SgovfcFIZ9XtP+8dEY=,tag:N6ew5wyFhZChIf5yBV/bVQ==,type:str]
11
13
backup-repository: ENC[AES256_GCM,data:v6tUjTwVsym8i52jcapjSRXPIjX2xNFY+bZRkHnVsp4AebcksHzHEDX6N4BF3OuQ2KepOfHngMn61Mk=,iv:HPV+8aCPpvFnytja6RUA7hJdtz2BMI1zsH01w1J9r2w=,tag:znMIFmrcsKTIq2TowhAV0w==,type:str]
12
14
backup-identity: ENC[AES256_GCM,data:8TJP7vSWJAj56AcczQhMRoQqahxM4EGzPm+wk1apMD+L3pybXh/4LPp0DNcGugOb3RPTyjki6jZArDgiirS+ltbldaNQPZaZ4cFrtiJVt8D/iQlsgM9tR8oC7bcR4KV+UoVeeXJN0fWqy5U+IzJ87ZRKKyb9i8WKhPuWFIftb4KqZRyada7jhl/SzwuoIcw9BagMJPLv6BaUmNp1j5fOHvo7RseImiIqsbVo37NTqMMQf7PKM5gsMU6bbeAMjtdeC2RNVG21eop8JlO5uYVyjGxyl5wfU+PwMSRc+XNpgeVEv9mjdo6dkG3QC2poHZ77ot4py6HzQPUZjwLyFsr0ccC4e6e0PNOBtTPtku/LnXHsV45LB9Q3X7t9VSYCTtlJul2W8huZuCRnv7crvIUW21ZMTWiwMbqNEqDUJTBcPLDi42Ea4CvA+I6ODJP8n5g7GTHW0ggy6FtjVXH5DzhzJJULQ27kq97EWi43bSRv0N+N5C1viM+j+hs6tM5eQ15niRVB,iv:YpRoGlD8YFxZ+RChb6T4Eh665AMTTeTJXRFR0xa7l3k=,tag:FWOVonF+SYbbgQoopa2lhA==,type:str]
13
15
sops:
···
57
59
ajA5bDZCY1BnblVYRGQ1QTE2S2I4M2cKSIGmFBP6sqiiM+cvTMQuZHit9fN5Vffk
58
60
1pWz8xSen/tqoywqipRf3LqzFb2K7Bx15vwazHbm6LJJa+ZQaruVMg==
59
61
-----END AGE ENCRYPTED FILE-----
60
-
lastmodified: "2026-03-23T21:37:21Z"
61
-
mac: ENC[AES256_GCM,data:tILV9atrmApL7LjUaMrLuLpLzPg6hVG1nKdOTa+2G7pWoxSSFHoWgYonhqe40T5ThDhm0lp2m4w4Eg1qbEAnvB8fJm36rf6GyrJ9WbRbTIF6EZxyYoTk+ooE5JewIkZR4Q9+116sQmvBuwS65L6UjPo7xW9avW98GBLAzgIUonw=,iv:tYvwF9NBtFCXr3+acTES4RSyV4Vu6+HJlXoTrpdjNCQ=,tag:Iv4qczCUyUJJfUOnz0QYlg==,type:str]
62
+
lastmodified: "2026-03-23T23:11:06Z"
63
+
mac: ENC[AES256_GCM,data:7nZnj5jAqzpqrXWql5cZtfLZBfv/mGE2+PoimeRp/lPtG8StD2FkCFNfaeIjCEMc7IfiWdowGVYCRWGh+d0OsbD/u8pwHBkQd+DwcJocIn9EvYzOMnN/1F5R9yXHTWwrVC0KjM6XIwZ9q+M7WfZhTzEEDyCe+HVqDcg6sgtZvKs=,iv:JNHRrrNxSQItxFWVnEWf3vGFlq3uiFdaHgGWdEIVJI0=,tag:fAsEIj4Cd/t3C6gx+SQurQ==,type:str]
62
64
unencrypted_suffix: _unencrypted
63
65
version: 3.12.1