From 655bf048de8420efe9c1ce8608380b4e8f990e0f Mon Sep 17 00:00:00 2001 From: reo101 Date: Tue, 27 Aug 2024 23:31:43 +0300 Subject: [PATCH] feat(jeeves): add `paperless` module --- hosts/nixos/jeeves/configuration.nix | 1 + hosts/nixos/jeeves/paperless.nix | 73 +++++++++++++++++++ secrets/home/jeeves/paperless/password.age | 8 ++ ...5af03940297b52bcb02-paperless.password.age | 8 ++ 4 files changed, 90 insertions(+) create mode 100644 hosts/nixos/jeeves/paperless.nix create mode 100644 secrets/home/jeeves/paperless/password.age create mode 100644 secrets/rekeyed/jeeves/7f8ef4fa331c25af03940297b52bcb02-paperless.password.age diff --git a/hosts/nixos/jeeves/configuration.nix b/hosts/nixos/jeeves/configuration.nix index 90350d4..18185eb 100644 --- a/hosts/nixos/jeeves/configuration.nix +++ b/hosts/nixos/jeeves/configuration.nix @@ -18,6 +18,7 @@ # ./photoprism.nix # ./immich.nix # ./nextcloud.nix + ./paperless.nix ]; # services.kanidm = { }; diff --git a/hosts/nixos/jeeves/paperless.nix b/hosts/nixos/jeeves/paperless.nix new file mode 100644 index 0000000..f82d930 --- /dev/null +++ b/hosts/nixos/jeeves/paperless.nix 
@@ -0,0 +1,73 @@
+{ inputs, lib, pkgs, config, ... }:
+
+let
+ paperlessDomain = "paperless.jeeves.local";
+in
+{
+ age.secrets."paperless.password" = {
+ rekeyFile = "${inputs.self}/secrets/home/jeeves/paperless/password.age";
+ # generator.script = "alnum";
+ mode = "440";
+ # NOTE: `passwordFile` needs to be read by the `paperless-scheduler` service, which is run as the user `config.services.paperless.user`
+ # See
+ group = config.services.paperless.user;
+ };
+
+ # NOTE: no need, since we're accessing it from `nginx`
+ # networking.firewall.allowedTCPPorts = [
+ # config.services.paperless.port
+ # ];
+
+ services.paperless = {
+ enable = true;
+ passwordFile = config.age.secrets."paperless.password".path;
+ address = "0.0.0.0";
+ port = 28981;
+ dataDir = "/data/paperless";
+ consumptionDirIsPublic = true;
+ settings = rec {
+ PAPERLESS_ADMIN_USER = "jeeves";
+
+ # TODO: kanidm and https
+ PAPERLESS_URL = "http://${paperlessDomain}";
+ PAPERLESS_ALLOWED_HOSTS = lib.concatStringsSep "," [
+ # For `nginx`
+ "127.0.0.1"
+ paperlessDomain
+ ];
+ PAPERLESS_CORS_ALLOWED_HOSTS = lib.concatStringsSep "," [
+ "http://${paperlessDomain}"
+ ];
+
+ PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+ ".DS_STORE/*"
+ "desktop.ini"
+ ];
+
+ PAPERLESS_OCR_LANGUAGE = lib.concatStringsSep "+" [
+ "bul"
+ "eng"
+ ];
+ # NOTE: `skip` causes "CamScanner" footer to skip actual document `OCR`
+ PAPERLESS_OCR_MODE = "redo";
+ PAPERLESS_OCR_USER_ARGS = {
+ optimize = 1;
+ pdfa_image_compression = "lossless";
+ invalidate_digital_signatures = true;
+ };
+ # HACK: remove
+ PAPERLESS_AUTO_LOGIN_USERNAME = PAPERLESS_ADMIN_USER;
+ };
+ };
+
+ services.nginx = {
+ virtualHosts.${paperlessDomain} = {
+ enableACME = false;
+ forceSSL = false;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
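Review bot: `PAPERLESS_AUTO_LOGIN_USERNAME = PAPERLESS_ADMIN_USER;` in `services.paperless.settings` signs every visitor in as the admin account `jeeves`, so the secret wired in through `passwordFile` gates nothing while that line is present. The service also binds `address = "0.0.0.0"` even though nginx only proxies to `127.0.0.1`, which leaves the commented-out firewall rule as the only thing keeping other hosts off port 28981. I would drop the auto-login line before this lands (it is already tagged `# HACK: remove`) and bind with `address = "127.0.0.1";`. Until the `# TODO: kanidm and https` item is done, the vhost also serves sessions and documents over plain HTTP (`forceSSL = false`), so it should stay reachable only from a trusted network.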
diff --git a/secrets/home/jeeves/paperless/password.age b/secrets/home/jeeves/paperless/password.age new file mode 100644 index 0000000..f6e47ae --- /dev/null +++ b/secrets/home/jeeves/paperless/password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> X25519 4U6AefrNT/r+L3U1EK557PCD3rc9cEUoiwkm8rnZJHk +1V78DW1IXRG43cZh/gZMTKRIzzDRb8InIcF+CdaajZI +-> h-grease zTeEr [CaBa\GZ TYbY%Ul +9qQvpMrm8aRukXHGjvbLWYwvPjuW3TnARjL8CA1GyjIH1DjvnTqNIio8VS4hIylC +pfihUXvIga5bC2dSroBNmMI8GmDnbENC1wxLi2L+s3oc5TmIz44 +--- GwsnvhclNBuyLdVoFmrr/YrvkaIFOfy4G00rkBeOrJ0 +¿ˆ~9š¥¡ÝÓ·ªåå™®°#Ý•d/ƒ(ÅVx¢‡($ÆÃOEM?S 6 \ No newline at end of file diff --git a/secrets/rekeyed/jeeves/7f8ef4fa331c25af03940297b52bcb02-paperless.password.age b/secrets/rekeyed/jeeves/7f8ef4fa331c25af03940297b52bcb02-paperless.password.age new file mode 100644 index 0000000..8aa5a00 --- /dev/null +++ b/secrets/rekeyed/jeeves/7f8ef4fa331c25af03940297b52bcb02-paperless.password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 vMnblg vOF1eI8a7a9JPlMmP3pW+VW/wAGsV3IDuDVIo8ALoCo +b6DOQW0KEXUnV36E3yZ+L1oJZQTlac6qKAnWUwuBuMA +-> /o8GtEdG-grease Du cJYhpz +NLYHNamU9VhJkO3jsPSb5mZOAZBFuqfM6pQF6V78NHqW8fHxe37qslezYYT1PFG9 +LCjH+lEiIazzvcBjzEQ +--- Wz1CJJHBuWJPBsDdOjg48vzzDSMRTIBMODmvjVwT6zM +i:ÖôÀ–„_]ɘ…pYJqè9_xÊV`-/"ê}8¼ OØšHí¬×ÿæ× \ No newline at end of file