tandoor
Recipe management and meal planning application
Example
{config, ...}: {
  nps.stacks.tandoor = {
    enable = true;
    secretKeyFile = config.sops.secrets."tandoor/secret_key".path;
    db.passwordFile = config.sops.secrets."tandoor/db_password".path;
    oidc = {
      enable = true;
      clientSecretFile = config.sops.secrets."tandoor/authelia/client_secret".path;
      clientSecretHash = "$pbkdf2-sha512$...";
    };
    containers.tandoor.extraEnv = {
      # https://docs.tandoor.dev/system/configuration/#default-permissions
      SOCIAL_DEFAULT_ACCESS = 1;
      SOCIAL_DEFAULT_GROUP = "user";
    };
  };
}
Stack Options
nps.stacks.tandoor.containers.tandoor
Alias of services.podman.containers.tandoor.
nps.stacks.tandoor.containers.tandoor-db
Alias of services.podman.containers.tandoor-db.
nps.stacks.tandoor.db.passwordFile
Path to the file containing the database password
nps.stacks.tandoor.db.username
Database user name
nps.stacks.tandoor.enable
Whether to enable tandoor.
nps.stacks.tandoor.oidc.clientSecretFile
The file containing the client secret for the OIDC client that will be registered in Authelia.
For examples on how to generate a client secret, see
https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret
string
config.sops.secrets."immich/authelia/client_secret".path
nps.stacks.tandoor.oidc.clientSecretHash
The client secret hash. For examples on how to generate a client secret, see https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#client-secret
The value can be passed in multiple ways:
- As a literal string
- As an absolute path to a file containing the hash (toFile)
- As an absolute path to a file containing the client_secret, in which case the hash will be automatically computed (toHash)
- As null
If left unset (null), the client secret will be read from the file specified in the clientSecretFile option and hashed automatically before being passed to the Authelia container.
null or string or (submodule)
null
# Literal String:
"$pbkdf2-sha512$310000$cbOAIWbfz3vCVXIPIp6d2A$J0klwULa6TvPRCU1HAfuKua/dMKTl8gbTYJz2N73ejGUu0LUGz/y3kwmJLuKuAYGg3WQOT0q9ZzVHHUvpKpgvQ"
# Client secret hash stored in a file
{ fromFile = config.sops.secrets."immich/client_secret_hash".path; }
# Client secret stored in a file: Hash will be computed dynamically
{ toHash = config.sops.secrets."immich/client_secret".path; }
# Null (default): Hash will be computed automatically based on the clientSecretFile option
# Equivalent to { toHash = cfg.oidc.clientSecretFile; }
null
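With the literal-string or file form, the hash and the secret in clientSecretFile are maintained separately and can drift apart. The following added example (not part of this project's code) parses a pbkdf2-sha512 hash string and checks a secret against it. It assumes the layout `$pbkdf2-sha512$<iterations>$<salt>$<digest>` with adapted base64 ('.' in place of '+', no padding); all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "pbkdf2-sha512"


def _ab64_decode(text: str) -> bytes:
    """Decode adapted base64 (assumed encoding): '.' for '+', no padding."""
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")


def parse_hash(encoded: str) -> Tuple[int, bytes, bytes]:
    """Split the hash string into (iterations, salt, digest)."""
    parts = encoded.strip().split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != PREFIX:
        # Also rejects an unfilled placeholder such as "$pbkdf2-sha512$..."
        raise ValueError("not a complete pbkdf2-sha512 hash string")
    iterations = int(parts[2])
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return iterations, _ab64_decode(parts[3]), _ab64_decode(parts[4])


def hash_secret(secret: str, iterations: int = 310000,
                salt: Optional[bytes] = None) -> str:
    """Hash a client secret; a random 16-byte salt is used unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, iterations)
    return f"${PREFIX}${iterations}${_ab64_encode(salt)}${_ab64_encode(digest)}"


def secret_matches(secret: str, encoded: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt, digest = parse_hash(encoded)
    candidate = hashlib.pbkdf2_hmac("sha512", secret.encode(), salt,
                                    iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    constructed = "constructed-example-secret"  # sample value, not a real secret
    print(secret_matches(constructed, hash_secret(constructed)))
```

When reading the secret from a file, strip a trailing newline first if the consuming service does so, otherwise the comparison fails on otherwise matching values.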
nps.stacks.tandoor.oidc.enable
Whether to enable OIDC login with Authelia. This will register an OIDC client in Authelia and set up the necessary configuration.
For details, see:
nps.stacks.tandoor.oidc.userGroup
Users must be a part of this group to be able to log in.
nps.stacks.tandoor.secretKeyFile
Path to the file containing the Tandoor secret key
See https://docs.tandoor.dev/system/configuration/#secret-key