Open poperigby opened 2 weeks ago
litchipi
commented
2 weeks ago Tested on VM, works fine with the base configuration.
The problem comes from the credentialsFile = config.sops.templates.mealie-secrets.path; part of your configuration, it seams that you need the setup the user mealie to get access to the /run/secret directory.
I'm not familiar with sops, is there a group you could add the user mealie to so that it can access the directory ?
anoadragon453
commented
2 weeks ago You can allow a specific user/group access to the decrypted sops secret file using the sops.secrets.<secret name>.{user,group} options.
See this example in my config: https://github.com/anoadragon453/dotfiles/blob/20a1fa7f42f6722db5bba941de762c4df3dc2697/flake.nix#L523
poperigby
commented
2 weeks ago It still doesn't work after doing that.
I wonder if it's some state getting left over that screws something up, because it's weird it would still not work after removing everything but enable = true.
I deleted /var/lib/mealie though, and it's still happening, and it also still works if I role back to 1.7.0.
Although, I am using PostgreSQL so maybe it's something in there? Note that it's happening in init_db.
Here's my updated Nix file:
{ config, lib, ... }:
let
cfg = config.services.mealie;
in
{
services = {
mealie = {
enable = true;
credentialsFile = config.sops.templates.mealie-secrets.path;
settings = {
ALLOW_SIGNUP = false;
MAX_WORKERS = 1;
WEB_CONCURRENCY = 1;
BASE_URL = "https://food.haddock.cc";
# Database
DB_ENGINE = "postgres";
# https://github.com/mealie-recipes/mealie/issues/3573
POSTGRES_URL_OVERRIDE = "postgresql://mealie:@localhost/mealie?host=/run/postgresql";
# OpenID Connect
OIDC_AUTH_ENABLED = true;
OIDC_SIGNUP_ENABLED = true;
OIDC_CONFIGURATION_URL = "https://auth.haddock.cc/.well-known/openid-configuration";
OIDC_AUTO_REDIRECT = true;
OIDC_ADMIN_GROUP = "lldap_admin";
};
};
caddy.virtualHosts."food.haddock.cc".extraConfig = ''
import auth
reverse_proxy :${builtins.toString cfg.port}
'';
};
systemd.services.mealie = {
unitConfig = {
After = [ "authelia-haddock.service" ];
Requires = [ "authelia-haddock.service" ];
};
# DynamicUser messes with sops-nix
serviceConfig.DynamicUser = lib.mkForce false;
};
# Setup a user and group for Mealie
users = {
users.mealie = {
group = "mealie";
isSystemUser = true;
};
groups.mealie = {};
};
sops = {
templates.mealie-secrets = {
content = ''
OIDC_CLIENT_ID=${config.sops.placeholder.mealie-oidc-client-id_mealie}
'';
owner = "mealie";
group = "mealie";
};
secrets = {
mealie-oidc-client-id_mealie = {
key = "haddock/mealie/oidc_client_id";
owner = "mealie";
group = "mealie";
};
mealie-oidc-client-id_authelia = {
key = "haddock/mealie/oidc_client_id";
owner = "authelia-haddock";
group = "mealie";
};
};
};
}
Birdy2014
commented
2 weeks ago The issue seems to have something to do with this mealie commit: https://github.com/mealie-recipes/mealie/commit/445754c5d844ccf098f3678bc4f3cc9642bdaad6
Mealie 1.9.0 works when the commit is reverted: https://github.com/Birdy2014/nixos-config/blob/4d9925c230ab7088e913c8e666f8529435db9f6c/hosts/seidenschwanz/services/mealie.nix#L8-L19
Describe the bug
Mealie was updated from 1.7.0 to 1.9.0, and it's now failing to launch, even though I'm using the exact same configuration. It actually seems that just enabling Mealie, with no configuration isn't working. What's weird is that the error is referring to
/run/secrets, which is a sops-nix directory. I even rebooted, but it's still getting that particular errorSteps To Reproduce
Use the following configuration:
Expected behavior
Mealie successfully starts.
Additional context
Here's my original Nix configuration:
Notify maintainers
@litchipi @anoadragon453
Metadata
Please run
nix-shell -p nix-info --run "nix-info -m"and paste the result.Add a :+1: reaction to issues you find important.