feat(jeeves): add paperless module

2024-08-27 23:31:43 +03:00 · 2024-08-27 23:31:43 +03:00 · 655bf048de
commit 655bf048de
parent 9b8f894a1a
4 changed files with 90 additions and 0 deletions
--- a/hosts/nixos/jeeves/configuration.nix
+++ b/hosts/nixos/jeeves/configuration.nix
@ -18,6 +18,7 @@
    # ./photoprism.nix
    # ./immich.nix
    # ./nextcloud.nix
+    ./paperless.nix
  ];

  # services.kanidm = { };
--- a/hosts/nixos/jeeves/paperless.nix
+++ b/hosts/nixos/jeeves/paperless.nix
@ -0,0 +1,73 @@
+{ inputs, lib, pkgs, config, ... }:
+
+let
+  paperlessDomain = "paperless.jeeves.local";
+in
+{
+  age.secrets."paperless.password" = {
+    rekeyFile = "${inputs.self}/secrets/home/jeeves/paperless/password.age";
+    # generator.script = "alnum";
+    mode = "440";
+    # NOTE: `passwordFile` needs to be read by the `paperless-scheduler` service, which is run as the user `config.services.paperless.user`
+    #       See <https://github.com/NixOS/nixpkgs/blob/797f7dc49e0bc7fab4b57c021cdf68f595e47841/nixos/modules/services/misc/paperless.nix#L251-L254>
+    group = config.services.paperless.user;
+  };
+
+  # NOTE: no need, since we're accessing it from `nginx`
+  # networking.firewall.allowedTCPPorts = [
+  #   config.services.paperless.port
+  # ];
+
+  services.paperless = {
+    enable = true;
+    passwordFile = config.age.secrets."paperless.password".path;
+    address = "0.0.0.0";
+    port = 28981;
+    dataDir = "/data/paperless";
+    consumptionDirIsPublic = true;
+    settings = rec {
+      PAPERLESS_ADMIN_USER = "jeeves";
+
+      # TODO: kanidm and https
+      PAPERLESS_URL = "http://${paperlessDomain}";
+      PAPERLESS_ALLOWED_HOSTS = lib.concatStringsSep "," [
+        # For `nginx`
+        "127.0.0.1"
+        paperlessDomain
+      ];
+      PAPERLESS_CORS_ALLOWED_HOSTS = lib.concatStringsSep "," [
+        "http://${paperlessDomain}"
+      ];
+
+      PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+        ".DS_STORE/*"
+        "desktop.ini"
+      ];
+
+      PAPERLESS_OCR_LANGUAGE = lib.concatStringsSep "+" [
+        "bul"
+        "eng"
+      ];
+      # NOTE: `skip` causes "CamScanner" footer to skip actual document `OCR`
+      PAPERLESS_OCR_MODE = "redo";
+      PAPERLESS_OCR_USER_ARGS = {
+        optimize = 1;
+        pdfa_image_compression = "lossless";
+        invalidate_digital_signatures = true;
+      };
+      # HACK: remove
+      PAPERLESS_AUTO_LOGIN_USERNAME = PAPERLESS_ADMIN_USER;
+    };
+  };
+
+  services.nginx = {
+    virtualHosts.${paperlessDomain} = {
+      enableACME = false;
+      forceSSL = false;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
--- a/secrets/home/jeeves/paperless/password.age
+++ b/secrets/home/jeeves/paperless/password.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 4U6AefrNT/r+L3U1EK557PCD3rc9cEUoiwkm8rnZJHk
+1V78DW1IXRG43cZh/gZMTKRIzzDRb8InIcF+CdaajZI
+-> h-grease zTeEr [CaBa\GZ TYbY%Ul
+9qQvpMrm8aRukXHGjvbLWYwvPjuW3TnARjL8CA1GyjIH1DjvnTqNIio8VS4hIylC
+pfihUXvIga5bC2dSroBNmMI8GmDnbENC1wxLi2L+s3oc5TmIz44
+--- GwsnvhclNBuyLdVoFmrr/YrvkaIFOfy4G00rkBeOrJ0
+¿ˆ~9š¥¡ÝÓ·ªåå™®°#Ý•d/ƒ(ÅVx¢‡($ÆÃOEM?S 6
--- a/secrets/rekeyed/jeeves/7f8ef4fa331c25af03940297b52bcb02-paperless.password.age
+++ b/secrets/rekeyed/jeeves/7f8ef4fa331c25af03940297b52bcb02-paperless.password.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 vMnblg vOF1eI8a7a9JPlMmP3pW+VW/wAGsV3IDuDVIo8ALoCo
+b6DOQW0KEXUnV36E3yZ+L1oJZQTlac6qKAnWUwuBuMA
+-> /o8GtEdG-grease Du cJYhpz
+NLYHNamU9VhJkO3jsPSb5mZOAZBFuqfM6pQF6V78NHqW8fHxe37qslezYYT1PFG9
+LCjH+lEiIazzvcBjzEQ
+--- Wz1CJJHBuWJPBsDdOjg48vzzDSMRTIBMODmvjVwT6zM
+i:ÖôÀ–„_]É˜…pYJqè9_xÊV`-/"ê}8¼OØšHí¬×ÿæ×