services: paperless: switch from docker to nixos

secrets/default.nix

@@ -17,6 +17,7 @@ with lib;
     gandiKey = lib.fileContents ./gandi-api-key.secret;
 
     borg-backup = import ./borg-backup { inherit lib; };
+    paperless = import ./paperless { inherit lib; };
     restic-backup = import ./restic-backup { inherit lib; };
 
     matrixEmailConfig = import ./matrix-email-config.nix;

secrets/paperless/default.nix

@@ -0,0 +1,5 @@
+{ lib }:
+{
+  secretKey = lib.fileContents ./secret-key-file.secret;
+  adminPassword = lib.fileContents ./admin-password.secret;
+}

services/paperless.nix

@@ -6,6 +6,8 @@ let
   cfg = config.my.services.paperless;
   my = config.my;
   domain = config.networking.domain;
+  paperlessDomain = "paperless.${domain}";
+  secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
 in
 {
   options.my.services.paperless = {
@@ -20,16 +22,59 @@ in
   };
 
   config = mkIf cfg.enable {
-    # HACK: see https://github.com/NixOS/nixpkgs/issues/111852
-    networking.firewall.extraCommands = ''
-      iptables -N DOCKER-USER || true
-      iptables -F DOCKER-USER
-      iptables -A DOCKER-USER -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-      iptables -A DOCKER-USER -i eno1 -j DROP
-    '';
+    services.paperless-ng = {
+      enable = true;
+      port = cfg.port;
+      passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
+      extraConfig = {
+        # Postgres settings
+        PAPERLESS_DBHOST = "/run/postgresql";
+        PAPERLESS_DBUSER = "paperless";
+        PAPERLESS_DBNAME = "paperless";
+
+        PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
+        PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
+
+        PAPERLESS_OCR_LANGUAGE = "fra+eng";
+
+        PAPERLESS_TIME_ZONE = config.time.timeZone;
+
+        PAPERLESS_ADMIN_USER = "alarsyo";
+      };
+    };
+
+    systemd.services = {
+      paperless-ng-server.serviceConfig = {
+        EnvironmentFile = secretKeyFile;
+      };
+
+      paperless-ng-consumer.serviceConfig = {
+        EnvironmentFile = secretKeyFile;
+      };
+
+      paperless-ng-web.serviceConfig = {
+        EnvironmentFile = secretKeyFile;
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "paperless" ];
+      ensureUsers = [
+        {
+          name = "paperless";
+          ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+
+    systemd.services.paperless-ng-server = {
+      # Make sure the DB is available
+      after = [ "postgresql.service" ];
+    };
 
     services.nginx.virtualHosts = {
-      "paperless.${domain}" = {
+      "${paperlessDomain}" = {
         forceSSL = true;
         useACMEHost = domain;
 
@@ -56,9 +101,8 @@ in
 
     my.services.restic-backup = mkIf cfg.enable {
       paths = [
-        "/var/lib/docker/volumes/paperless_data"
-        "/var/lib/docker/volumes/paperless_media"
-        "/home/alarsyo/paperless-ng/backups"
+        config.services.paperless-ng.dataDir
+        config.services.paperless-ng.mediaDir
       ];
     };
   };