nix-config/config/services/paperless.nix

{
  pkgs,
  nodes,
  globals,
  config,
  lib,
  ...
}:
let
  paperlessBackupDir = "/var/cache/backups/paperless";
in
{
  systemd.tmpfiles.settings = {
    "10-paperless".${paperlessBackupDir}.d = {
      inherit (config.services.paperless) user;
      mode = "0770";
    };
  };
  age.secrets.resticpasswd = {
    generator.script = "alnum";
  };
  age.secrets.paperlessHetznerSsh = {
    generator.script = "ssh-ed25519";
  };
  services.restic.backups = {
    main = {
      user = "root";
      timerConfig = {
        OnCalendar = "06:00";
        Persistent = true;
        RandomizedDelaySec = "3h";
      };
      initialize = true;
      passwordFile = config.age.secrets.resticpasswd.path;
      hetznerStorageBox = {
        enable = true;
        inherit (globals.hetzner) mainUser;
        inherit (globals.hetzner.users.paperless) subUid path;
        sshAgeSecret = "paperlessHetznerSsh";
      };
      paths = [ paperlessBackupDir ];
      #pruneOpts = [
      #  "--keep-daily 10"
      #  "--keep-weekly 7"
      #  "--keep-monthly 12"
      #  "--keep-yearly 75"
      #];
    };
  };
  systemd.services.paperless-backup =
    let
      cfg = config.systemd.services.paperless-consumer;
    in
    {
      description = "Paperless document backup";
      serviceConfig = lib.recursiveUpdate cfg.serviceConfig {
        ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${paperlessBackupDir}";
        ReadWritePaths = cfg.serviceConfig.ReadWritePaths ++ [ paperlessBackupDir ];
        Restart = "no";
        Type = "oneshot";
      };
      inherit (cfg) environment;
      requiredBy = [ "restic-backups-main.service" ];
      before = [ "restic-backups-main.service" ];
    };

  wireguard.services = {
    client.via = "nucnix";
    firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ config.services.paperless.port ];
  };

  age.secrets.paperless-admin-passwd = {
    generator.script = "alnum";
    mode = "440";
    group = "paperless";
  };
  users.users.paperless.isSystemUser = true;
  services.paperless = {
    enable = true;
    address = "0.0.0.0";
    port = 3000;
    passwordFile = config.age.secrets.paperless-admin-passwd.path;
    consumptionDir = "/paperless/consume";
    mediaDir = "/paperless/media";
    settings = {
      PAPERLESS_URL = "https://${globals.services.paperless.domain}";
      PAPERLESS_ALLOWED_HOSTS = globals.services.paperless.domain;
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://${globals.services.paperless.domain}";
      PAPERLESS_TRUSTED_PROXIES = nodes.nucnix-nginx.config.wireguard.services.ipv4;

      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";

      PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
        openid_connect = {
          OAUTH_PKCE_ENABLED = "True";
          APPS = [
            rec {
              provider_id = "kanidm";
              name = "Kanidm";
              client_id = "paperless";
              settings.server_url = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
            }
          ];
        };
      };

      # let nginx do all the compression
      PAPERLESS_ENABLE_COMPRESSION = false;
      PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
      PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
      PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
      PAPERLESS_CONSUMER_RECURSIVE = true;
      PAPERLESS_FILENAME_FORMAT = "{owner_username}/{created_year}-{created_month}-{created_day}_{asn}_{title}";
      PAPERLESS_NUMBER_OF_SUGESSTED_DATES = 11;
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_TASK_WORKERS = 4;
      PAPERLESS_WEBSERVER_WORKERS = 4;
    };
  };
  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/paperless";
      user = "paperless";
      group = "paperless";
      mode = "0750";
    }
  ];
  environment.persistence."/state".directories = [
    {
      directory = paperlessBackupDir;
      user = "paperless";
      group = "paperless";
      mode = "0770";
    }
  ];
  # Mirror the original oauth2 secret
  age.secrets.paperless-oauth2-client-secret = {
    inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-paperless) rekeyFile;
    mode = "440";
    group = "paperless";
  };

  systemd.services.paperless-web.script = lib.mkBefore ''
    paperlessClientSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path})
    export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$( <<< $PAPERLESS_SOCIALACCOUNT_PROVIDERS ${pkgs.jq}/bin/jq -c --arg paperlessClientSecret "$paperlessClientSecret" '.openid_connect.APPS.[0].secret = $paperlessClientSecret')"
  '';
}
feat: paperless 2024-01-18 00:39:25 +01:00			`{`
feat: paperless oauth 2024-03-12 22:49:54 +01:00			`pkgs,`
			`nodes,`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`globals,`
feat: paperless 2024-01-18 00:39:25 +01:00			`config,`
			`lib,`
			`...`
reformat 2024-07-26 22:12:48 +02:00			`}:`
			`let`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`paperlessBackupDir = "/var/cache/backups/paperless";`
reformat 2024-07-26 22:12:48 +02:00			`in`
			`{`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`systemd.tmpfiles.settings = {`
			`"10-paperless".${paperlessBackupDir}.d = {`
			`inherit (config.services.paperless) user;`
			`mode = "0770";`
			`};`
			`};`
			`age.secrets.resticpasswd = {`
			`generator.script = "alnum";`
			`};`
			`age.secrets.paperlessHetznerSsh = {`
			`generator.script = "ssh-ed25519";`
			`};`
			`services.restic.backups = {`
			`main = {`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`user = "root";`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`timerConfig = {`
			`OnCalendar = "06:00";`
			`Persistent = true;`
			`RandomizedDelaySec = "3h";`
			`};`
			`initialize = true;`
			`passwordFile = config.age.secrets.resticpasswd.path;`
			`hetznerStorageBox = {`
			`enable = true;`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`inherit (globals.hetzner) mainUser;`
			`inherit (globals.hetzner.users.paperless) subUid path;`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`sshAgeSecret = "paperlessHetznerSsh";`
			`};`
reformat 2024-07-26 22:12:48 +02:00			`paths = [ paperlessBackupDir ];`
feat: append only backups 2024-08-08 20:08:01 +02:00			`#pruneOpts = [`
			`# "--keep-daily 10"`
			`# "--keep-weekly 7"`
			`# "--keep-monthly 12"`
			`# "--keep-yearly 75"`
			`#];`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`};`
			`};`
reformat 2024-07-26 22:12:48 +02:00			`systemd.services.paperless-backup =`
			`let`
			`cfg = config.systemd.services.paperless-consumer;`
			`in`
			`{`
			`description = "Paperless document backup";`
			`serviceConfig = lib.recursiveUpdate cfg.serviceConfig {`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${paperlessBackupDir}";`
reformat 2024-07-26 22:12:48 +02:00			`ReadWritePaths = cfg.serviceConfig.ReadWritePaths ++ [ paperlessBackupDir ];`
feat: paperless backups 2024-01-19 22:33:03 +01:00			`Restart = "no";`
			`Type = "oneshot";`
			`};`
reformat 2024-07-26 22:12:48 +02:00			`inherit (cfg) environment;`
			`requiredBy = [ "restic-backups-main.service" ];`
			`before = [ "restic-backups-main.service" ];`
			`};`
feat: paperless backups 2024-01-19 22:33:03 +01:00
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`wireguard.services = {`
			`client.via = "nucnix";`
			`firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ config.services.paperless.port ];`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`};`
feat: wireguard samba network 2024-03-15 17:57:23 +01:00
feat: paperless 2024-01-18 00:39:25 +01:00			`age.secrets.paperless-admin-passwd = {`
			`generator.script = "alnum";`
			`mode = "440";`
			`group = "paperless";`
			`};`
			`users.users.paperless.isSystemUser = true;`
			`services.paperless = {`
			`enable = true;`
			`address = "0.0.0.0";`
			`port = 3000;`
			`passwordFile = config.age.secrets.paperless-admin-passwd.path;`
			`consumptionDir = "/paperless/consume";`
			`mediaDir = "/paperless/media";`
			`settings = {`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`PAPERLESS_URL = "https://${globals.services.paperless.domain}";`
			`PAPERLESS_ALLOWED_HOSTS = globals.services.paperless.domain;`
			`PAPERLESS_CORS_ALLOWED_HOSTS = "https://${globals.services.paperless.domain}";`
			`PAPERLESS_TRUSTED_PROXIES = nodes.nucnix-nginx.config.wireguard.services.ipv4;`
feat: paperless 2024-01-18 00:39:25 +01:00
feat: paperless oauth 2024-03-12 22:49:54 +01:00			`PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";`

			`PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {`
			`openid_connect = {`
fix: typo in paperless 2024-03-13 00:11:18 +01:00			`OAUTH_PKCE_ENABLED = "True";`
feat: paperless oauth 2024-03-12 22:49:54 +01:00			`APPS = [`
			`rec {`
			`provider_id = "kanidm";`
			`name = "Kanidm";`
			`client_id = "paperless";`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`settings.server_url = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";`
feat: paperless oauth 2024-03-12 22:49:54 +01:00			`}`
			`];`
			`};`
			`};`

feat: paperless 2024-01-18 00:39:25 +01:00			`# let nginx do all the compression`
			`PAPERLESS_ENABLE_COMPRESSION = false;`
			`PAPERLESS_CONSUMER_ENABLE_BARCODES = true;`
			`PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;`
			`PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";`
			`PAPERLESS_CONSUMER_RECURSIVE = true;`
			`PAPERLESS_FILENAME_FORMAT = "{owner_username}/{created_year}-{created_month}-{created_day}_{asn}_{title}";`
			`PAPERLESS_NUMBER_OF_SUGESSTED_DATES = 11;`
			`PAPERLESS_OCR_LANGUAGE = "deu+eng";`
			`PAPERLESS_TASK_WORKERS = 4;`
			`PAPERLESS_WEBSERVER_WORKERS = 4;`
			`};`
			`};`
			`environment.persistence."/persist".directories = [`
			`{`
			`directory = "/var/lib/paperless";`
			`user = "paperless";`
			`group = "paperless";`
			`mode = "0750";`
			`}`
			`];`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`environment.persistence."/state".directories = [`
			`{`
			`directory = paperlessBackupDir;`
			`user = "paperless";`
			`group = "paperless";`
			`mode = "0770";`
			`}`
			`];`
feat: paperless oauth 2024-03-12 22:49:54 +01:00			`# Mirror the original oauth2 secret`
			`age.secrets.paperless-oauth2-client-secret = {`
			`inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-paperless) rekeyFile;`
			`mode = "440";`
			`group = "paperless";`
			`};`

			`systemd.services.paperless-web.script = lib.mkBefore ''`
			`paperlessClientSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path})`
			`export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$( <<< $PAPERLESS_SOCIALACCOUNT_PROVIDERS ${pkgs.jq}/bin/jq -c --arg paperlessClientSecret "$paperlessClientSecret" '.openid_connect.APPS.[0].secret = $paperlessClientSecret')"`
			`'';`
feat: paperless 2024-01-18 00:39:25 +01:00			`}`