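{
  pkgs,
  nodes,
  config,
  lib,
  ...
}: let
  # Public hostname the paperless web UI is served under (behind the reverse proxy).
  paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}";
  # Staging directory for the plaintext document export that restic picks up.
  paperlessBackupDir = "/var/cache/backups/paperless";
in {
  # The export directory holds an unencrypted copy of every document: owned by
  # the paperless user, closed to "other". The group is pinned to paperless so
  # this agrees with the persistence entry for the same directory below.
  systemd.tmpfiles.settings = {
    "10-paperless".${paperlessBackupDir}.d = {
      inherit (config.services.paperless) user;
      group = "paperless";
      mode = "0770";
    };
  };

  # Restic repository password and the SSH key for the Hetzner storage box are
  # generated on first deploy; they are left at the agenix default permissions
  # (root-only), which is all the root-run restic job needs.
  age.secrets.resticpasswd = {
    generator.script = "alnum";
  };
  age.secrets.paperlessHetznerSsh = {
    generator.script = "ssh-ed25519";
  };

  # Daily off-site backup of the export directory. Runs as root so it can read
  # the 0770 directory regardless of group membership. Restic encrypts the
  # repository with resticpasswd, which is what protects the plaintext export
  # once it is on the storage box.
  services.restic.backups = {
    main = {
      user = "root";
      timerConfig = {
        OnCalendar = "06:00";
        Persistent = true;
        RandomizedDelaySec = "3h";
      };
      initialize = true;
      passwordFile = config.age.secrets.resticpasswd.path;
      hetznerStorageBox = {
        enable = true;
        inherit (config.secrets.secrets.global.hetzner) mainUser;
        inherit (config.secrets.secrets.global.hetzner.users.paperless) subUid path;
        sshAgeSecret = "paperlessHetznerSsh";
      };
      paths = [paperlessBackupDir];
      pruneOpts = [
        "--keep-daily 10"
        "--keep-weekly 7"
        "--keep-monthly 12"
        "--keep-yearly 75"
      ];
    };
  };

  # Exports the paperless database and documents into paperlessBackupDir right
  # before the restic job runs. It reuses the consumer unit's serviceConfig
  # (and with it whatever sandboxing the upstream module applies there) and
  # environment, widening ReadWritePaths only by the export directory.
  systemd.services.paperless-backup = let
    cfg = config.systemd.services.paperless-consumer;
  in {
    description = "Paperless document backup";
    serviceConfig =
      lib.recursiveUpdate
      cfg.serviceConfig
      {
        # NOTE(review): in paperless-ngx the export target is a positional
        # argument; `-d` is `--delete` (remove files in the target that no
        # longer belong to the export), not "directory", and `-na`/`-nt`
        # presumably skip archived PDFs and thumbnails. Confirm against
        # `document_exporter --help` of the pinned package before relying on it.
        ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${paperlessBackupDir}";
        ReadWritePaths = cfg.serviceConfig.ReadWritePaths ++ [paperlessBackupDir];
        Restart = "no";
        Type = "oneshot";
      };
    inherit (cfg) environment;
    # Ordering: the export has to finish before restic reads the directory.
    requiredBy = ["restic-backups-main.service"];
    before = ["restic-backups-main.service"];
  };

  # Paperless is reached through the reverse proxy on elisabeth over WireGuard;
  # the firewall opens the web port only towards that node.
  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [config.services.paperless.port];
  };

  # Initial admin password, readable by the paperless group only.
  age.secrets.paperless-admin-passwd = {
    generator.script = "alnum";
    mode = "440";
    group = "paperless";
  };
  users.users.paperless.isSystemUser = true;
  services.paperless = {
    enable = true;
    # Binds on every interface; exposure is limited by the host firewall and the
    # per-node WireGuard rule above, not by this address. NOTE(review): binding
    # to the WireGuard address alone would add defence in depth if that address
    # is available to this module.
    address = "0.0.0.0";
    port = 3000;
    passwordFile = config.age.secrets.paperless-admin-passwd.path;
    consumptionDir = "/paperless/consume";
    mediaDir = "/paperless/media";
    settings = {
      PAPERLESS_URL = "https://${paperlessdomain}";
      # Host-header and CORS allow-lists pinned to the public domain.
      PAPERLESS_ALLOWED_HOSTS = paperlessdomain;
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessdomain}";
      # Only X-Forwarded-* headers coming from the elisabeth proxy are honoured.
      PAPERLESS_TRUSTED_PROXIES = lib.net.cidr.host config.secrets.secrets.global.net.ips.elisabeth config.secrets.secrets.global.net.privateSubnetv4;

      # OpenID Connect login against Kanidm. The client secret is deliberately
      # absent here: this attribute set is rendered into the nix store, so the
      # secret is spliced into paperless-web's environment at start (see the
      # script at the bottom of this module).
      PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
      PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
        openid_connect = {
          # NOTE(review): serialised as the JSON string "True", which allauth
          # treats as truthy; a Nix boolean `true` would be the unambiguous form.
          OAUTH_PKCE_ENABLED = "True";
          APPS = [
            rec {
              provider_id = "kanidm";
              name = "Kanidm";
              client_id = "paperless";
              settings.server_url = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/${client_id}/.well-known/openid-configuration";
            }
          ];
        };
      };
      # let nginx do all the compression
      PAPERLESS_ENABLE_COMPRESSION = false;
      PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
      PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
      PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
      PAPERLESS_CONSUMER_RECURSIVE = true;
      PAPERLESS_FILENAME_FORMAT = "{owner_username}/{created_year}-{created_month}-{created_day}_{asn}_{title}";
      # Was misspelled PAPERLESS_NUMBER_OF_SUGESSTED_DATES, which paperless
      # silently ignores (its default applied instead of 11).
      PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 11;
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_TASK_WORKERS = 4;
      PAPERLESS_WEBSERVER_WORKERS = 4;
    };
  };

  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/paperless";
      user = "paperless";
      group = "paperless";
      mode = "0750";
    }
  ];
  environment.persistence."/state".directories = [
    {
      directory = paperlessBackupDir;
      user = "paperless";
      group = "paperless";
      mode = "0770";
    }
  ];

  # Mirror the original oauth2 secret: same rekeyFile as the Kanidm node's copy,
  # so both sides share one secret. Readable by the paperless group only.
  age.secrets.paperless-oauth2-client-secret = {
    inherit (nodes.elisabeth-kanidm.config.age.secrets.oauth2-paperless) rekeyFile;
    mode = "440";
    group = "paperless";
  };
  # Splice the client secret into the provider JSON when paperless-web starts;
  # only that unit's environment carries it. jq's --arg passes the value as data
  # rather than as filter text, so no quoting/injection concerns.
  # NOTE(review): the `.APPS.[0]` form (dot before the index) needs jq >= 1.7.
  systemd.services.paperless-web.script = lib.mkBefore ''
    paperlessClientSecret=$(< ${config.age.secrets.paperless-oauth2-client-secret.path})
    export PAPERLESS_SOCIALACCOUNT_PROVIDERS="$( <<< $PAPERLESS_SOCIALACCOUNT_PROVIDERS ${pkgs.jq}/bin/jq -c --arg paperlessClientSecret "$paperlessClientSecret" '.openid_connect.APPS.[0].secret = $paperlessClientSecret')"
  '';
}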