services: paperless: switch from docker to nixos

Antoine Martin 2021-12-22 19:17:16 +01:00
parent ed7cacb3b4
commit 516cbd4ae7
5 changed files with 61 additions and 11 deletions


@ -17,6 +17,7 @@ with lib;
gandiKey = lib.fileContents ./gandi-api-key.secret;
borg-backup = import ./borg-backup { inherit lib; };
paperless = import ./paperless { inherit lib; };
restic-backup = import ./restic-backup { inherit lib; };
matrixEmailConfig = import ./matrix-email-config.nix;

Binary file not shown.


@ -0,0 +1,5 @@
{ lib }:
{
secretKey = lib.fileContents ./secret-key-file.secret;
adminPassword = lib.fileContents ./admin-password.secret;
}

Binary file not shown.


@ -6,6 +6,8 @@ let
cfg = config.my.services.paperless;
my = config.my;
domain = config.networking.domain;
paperlessDomain = "paperless.${domain}";
secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
in
{
options.my.services.paperless = {
@ -20,16 +22,59 @@ in
};
config = mkIf cfg.enable {
# HACK: see https://github.com/NixOS/nixpkgs/issues/111852
networking.firewall.extraCommands = ''
iptables -N DOCKER-USER || true
iptables -F DOCKER-USER
iptables -A DOCKER-USER -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER-USER -i eno1 -j DROP
'';
services.paperless-ng = {
enable = true;
port = cfg.port;
passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
extraConfig = {
# Postgres settings
PAPERLESS_DBHOST = "/run/postgresql";
PAPERLESS_DBUSER = "paperless";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_OCR_LANGUAGE = "fra+eng";
PAPERLESS_TIME_ZONE = config.time.timeZone;
PAPERLESS_ADMIN_USER = "alarsyo";
};
};
systemd.services = {
paperless-ng-server.serviceConfig = {
EnvironmentFile = secretKeyFile;
};
paperless-ng-consumer.serviceConfig = {
EnvironmentFile = secretKeyFile;
};
paperless-ng-web.serviceConfig = {
EnvironmentFile = secretKeyFile;
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "paperless" ];
ensureUsers = [
{
name = "paperless";
ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
}
];
};
systemd.services.paperless-ng-server = {
# Make sure the DB is available
after = [ "postgresql.service" ];
};
services.nginx.virtualHosts = {
"paperless.${domain}" = {
"${paperlessDomain}" = {
forceSSL = true;
useACMEHost = domain;
@ -56,9 +101,8 @@ in
my.services.restic-backup = mkIf cfg.enable {
paths = [
"/var/lib/docker/volumes/paperless_data"
"/var/lib/docker/volumes/paperless_media"
"/home/alarsyo/paperless-ng/backups"
config.services.paperless-ng.dataDir
config.services.paperless-ng.mediaDir
];
};
};
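Review bot: Both `pkgs.writeText` calls in this file (`secretKeyFile` in the `let` block and `passwordFile` under `services.paperless-ng`) copy the secret value into the Nix store, which is readable by every local user and travels with any copy of the system closure. `passwordFile` and `EnvironmentFile` only need a path, so point them at a file outside the store that only the service user can read, e.g. `passwordFile = "/run/secrets/paperless-admin-password";  # placeholder path`, provisioned at activation time by a tool such as agenix or sops-nix. The line `EnvironmentFile = secretKeyFile;` is repeated for the server, consumer and web units, so all three need the same change. Because the new secrets module exposes values through `lib.fileContents` rather than paths, every consumer is pushed toward this pattern; exposing paths there would avoid it. Any key or password already built into a store this way should presumably be rotated after the switch.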