blumeops/docs/reference/services/mealie.md
Erich Blume b0023fef92 Switch Mealie OIDC to confidential client
Mealie requires OIDC_CLIENT_SECRET even though its docs say "public
client with PKCE". The token exchange happens server-side in Mealie's
Python backend, so the secret never reaches the browser.

- Generate client secret, store in 1Password
- Add to Authentik external-secret and worker env
- Switch blueprint from public to confidential
- Add ExternalSecret for mealie namespace
- Update docs to reflect confidential client

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 21:50:34 -07:00

2.3 KiB

| title | modified | tags |
|---|---|---|
| Mealie | 2026-03-16 | service, recipes |

Mealie

Self-hosted recipe manager with a REST API. Part of the meal planning pipeline: Mealie stores categorized recipes, a planner script selects balanced meals, and ollama generates a unified cooking timeline.

Quick Reference

| Property | Value |
|---|---|
| URL | https://meals.ops.eblu.me |
| Tailscale URL | https://meals.tail8d86e.ts.net |
| Namespace | mealie |
| Image | registry.ops.eblu.me/blumeops/mealie (built from source) |
| Database | SQLite (local, at /app/data/) |
| API Docs | https://meals.ops.eblu.me/docs |
| Upstream | https://github.com/mealie-recipes/mealie |
| Manifests | argocd/manifests/mealie/ |

Features

  • Full REST API (FastAPI) for recipe CRUD, filtering by tag/category
  • Structured recipe data: ingredients (quantity/unit/food), step-by-step instructions
  • Built-in meal planning and shopping lists
  • Recipe import from URLs
  • API token auth for automation
  • OIDC login via authentik (confidential client)

Authentication

OIDC via authentik using a confidential client. Client secret stored in 1Password (Authentik (blumeops) / mealie-client-secret) and delivered via ExternalSecret. All Authentik users can log in; members of the admins group get Mealie admin privileges via OIDC_ADMIN_GROUP.

Storage

  • 2Gi PVC mounted at /app/data/ via the standard storageClassName (minikube-hostpath)
  • SQLite database (sufficient for single-user)
  • Recipe images and assets stored alongside the database

Backup

SQLite database backed up via borgmatic's before_backup hook. Borgmatic runs kubectl exec to create a safe .backup copy (via Python's sqlite3 module), then kubectl cp to the host. The dump lands in ~/.local/share/borgmatic/k8s-dumps/mealie.db and is included in both local (sifaka) and offsite (BorgBase) backups.
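The reason the hook takes a `.backup` copy through the sqlite3 module rather than copying `mealie.db` off the volume is that a live SQLite database in WAL mode keeps recently committed pages in the `-wal` sidecar file until a checkpoint, so a plain file copy can silently miss rows. The script below is an added illustration, not the borgmatic hook or any code from the blumeops repository: it builds a constructed toy `recipes` table in a temporary directory, contrasts a naive file copy with a copy taken via `sqlite3.Connection.backup()`, and checks the result with `PRAGMA integrity_check`. The table name, row counts and file names are all assumptions made for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile


def create_sample_db(path, checkpointed_rows=3, wal_only_rows=2):
    """Build a constructed WAL-mode database with two batches of rows.

    The first batch is checkpointed into the main file; the second batch
    is committed but left in the -wal sidecar, which is the state a live
    database is typically in when a backup job runs. The connection is
    returned open so that closing it does not checkpoint the WAL early.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE recipes (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO recipes (name) VALUES (?)",
        [(f"recipe-{i}",) for i in range(checkpointed_rows)],
    )
    conn.commit()
    # Force the first batch into the main database file.
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    conn.executemany(
        "INSERT INTO recipes (name) VALUES (?)",
        [(f"recipe-wal-{i}",) for i in range(wal_only_rows)],
    )
    conn.commit()  # these rows now live only in the -wal file
    return conn


def safe_backup(src_conn, dest_path):
    """Consistent snapshot via the SQLite online backup API.

    This is the same mechanism the page describes (Python's sqlite3
    module); it reads through the live connection, so WAL content and
    the main file are both reflected in the destination. The destination
    connection must not be inside a transaction when backup() is called.
    """
    dest = sqlite3.connect(dest_path)
    try:
        src_conn.backup(dest)
    finally:
        dest.close()


def count_rows(path):
    """Open a database file on its own and count the recipes rows."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM recipes").fetchone()[0]
    finally:
        conn.close()


def integrity_ok(path):
    """Return True when SQLite's own integrity check reports 'ok'."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        conn.close()


def compare_strategies():
    """Run both strategies against the same live database and report counts."""
    with tempfile.TemporaryDirectory() as workdir:
        live_path = os.path.join(workdir, "mealie.db")  # constructed path
        live = create_sample_db(live_path)
        try:
            live_count = live.execute("SELECT COUNT(*) FROM recipes").fetchone()[0]

            # Naive approach: copy only the main file while the DB is open.
            naive_path = os.path.join(workdir, "naive-copy.db")
            shutil.copyfile(live_path, naive_path)

            # Safe approach: snapshot through the backup API.
            safe_path = os.path.join(workdir, "mealie.backup.db")
            safe_backup(live, safe_path)

            return {
                "live": live_count,
                "naive_copy": count_rows(naive_path),
                "safe_backup": count_rows(safe_path),
                "safe_integrity_ok": integrity_ok(safe_path),
            }
        finally:
            live.close()


if __name__ == "__main__":
    for name, value in compare_strategies().items():
        print(f"{name}: {value}")
```

With the defaults the live database holds 5 rows, the naive copy sees only the 3 checkpointed rows, and the backup-API copy sees all 5 and passes the integrity check; that gap is what the borgmatic `before_backup` hook avoids by dumping through sqlite3 inside the pod before `kubectl cp`.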

Networking

| Endpoint | Reachable from |
|---|---|
| https://meals.ops.eblu.me | Tailnet clients (via Caddy) |
| https://meals.tail8d86e.ts.net | Tailnet clients |
| http://mealie.mealie.svc.cluster.local:9000 | In-cluster |