diff --git a/secrets/default.nix b/secrets/default.nix
index 59df0a1..4b7baca 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -17,6 +17,7 @@ with lib;
   gandiKey = lib.fileContents ./gandi-api-key.secret;
   borg-backup = import ./borg-backup { inherit lib; };
+  paperless = import ./paperless { inherit lib; };
   restic-backup = import ./restic-backup { inherit lib; };
   matrixEmailConfig = import ./matrix-email-config.nix;
diff --git a/secrets/paperless/admin-password.secret b/secrets/paperless/admin-password.secret
new file mode 100644
index 0000000..e8111fc
Binary files /dev/null and b/secrets/paperless/admin-password.secret differ
diff --git a/secrets/paperless/default.nix b/secrets/paperless/default.nix
new file mode 100644
index 0000000..968404d
--- /dev/null
+++ b/secrets/paperless/default.nix
@@ -0,0 +1,5 @@
+{ lib }:
+{
+  secretKey = lib.fileContents ./secret-key-file.secret;
+  adminPassword = lib.fileContents ./admin-password.secret;
+}
diff --git a/secrets/paperless/secret-key-file.secret b/secrets/paperless/secret-key-file.secret
new file mode 100644
index 0000000..1f447d4
Binary files /dev/null and b/secrets/paperless/secret-key-file.secret differ
diff --git a/services/paperless.nix b/services/paperless.nix
index 5a970b4..d358a6a 100644
--- a/services/paperless.nix
+++ b/services/paperless.nix
@@ -6,6 +6,8 @@ let
   cfg = config.my.services.paperless;
   my = config.my;
   domain = config.networking.domain;
+  paperlessDomain = "paperless.${domain}";
+  secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
 in
 {
   options.my.services.paperless = {
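Review bot: `secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;` writes the Paperless secret key into the Nix store, which is world-readable on the host and becomes part of the system closure (including any binary cache the closure is pushed to); the same applies to `passwordFile = pkgs.writeText "paperless-password-file.txt" ...` in the next hunk of this file. Point `EnvironmentFile` and `passwordFile` at a path outside the store that is provisioned with owner-only permissions for the `paperless` user, after which `secrets/paperless/default.nix` no longer needs to read the secrets at evaluation time via `lib.fileContents`. Separately, `EnvironmentFile` expects `KEY=value` lines, so unless `secret-key-file.secret` already contains a `PAPERLESS_SECRET_KEY=...` assignment (not visible here, the file is binary in this diff) the key is never exported to the three units; a comment on `secretKeyFile` such as `# must contain a PAPERLESS_SECRET_KEY=... line, it is loaded as a systemd EnvironmentFile` would make the expected format explicit.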
@@ -20,16 +22,59 @@ in
   };
   config = mkIf cfg.enable {
-    # HACK: see https://github.com/NixOS/nixpkgs/issues/111852
-    networking.firewall.extraCommands = ''
-      iptables -N DOCKER-USER || true
-      iptables -F DOCKER-USER
-      iptables -A DOCKER-USER -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-      iptables -A DOCKER-USER -i eno1 -j DROP
-    '';
+    services.paperless-ng = {
+      enable = true;
+      port = cfg.port;
+      passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
+      extraConfig = {
+        # Postgres settings
+        PAPERLESS_DBHOST = "/run/postgresql";
+        PAPERLESS_DBUSER = "paperless";
+        PAPERLESS_DBNAME = "paperless";
+
+        PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
+        PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
+
+        PAPERLESS_OCR_LANGUAGE = "fra+eng";
+
+        PAPERLESS_TIME_ZONE = config.time.timeZone;
+
+        PAPERLESS_ADMIN_USER = "alarsyo";
+      };
+    };
+
+    systemd.services = {
+      paperless-ng-server.serviceConfig = {
+        EnvironmentFile = secretKeyFile;
+      };
+
+      paperless-ng-consumer.serviceConfig = {
+        EnvironmentFile = secretKeyFile;
+      };
+
+      paperless-ng-web.serviceConfig = {
+        EnvironmentFile = secretKeyFile;
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "paperless" ];
+      ensureUsers = [
+        {
+          name = "paperless";
+          ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+
+    systemd.services.paperless-ng-server = {
+      # Make sure the DB is available
+      after = [ "postgresql.service" ];
+    };
     services.nginx.virtualHosts = {
-      "paperless.${domain}" = {
+      "${paperlessDomain}" = {
         forceSSL = true;
         useACMEHost = domain;
@@ -56,9 +101,8 @@ in
   my.services.restic-backup = mkIf cfg.enable {
     paths = [
-      "/var/lib/docker/volumes/paperless_data"
-      "/var/lib/docker/volumes/paperless_media"
-      "/home/alarsyo/paperless-ng/backups"
+      config.services.paperless-ng.dataDir
+      config.services.paperless-ng.mediaDir
     ];
   };
 };
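Review bot: Removing the `DOCKER-USER` rules from `networking.firewall.extraCommands` re-exposes any published container port on `eno1` if `virtualisation.docker` stays enabled on this host for other services; this hunk does not show docker being disabled, so either confirm that or move those rules into a networking module that does not depend on Paperless. `after = [ "postgresql.service" ];` only orders the unit and does not pull PostgreSQL in or restart Paperless with it, so the comment `# Make sure the DB is available` overstates it; add `requires = [ "postgresql.service" ];` next to it, and consider the same ordering for `paperless-ng-consumer` and `paperless-ng-web`, which also use the database unless the module already orders them after the server unit. As a point of style, `passwordFile` reaches the secret through `config.my.secrets.paperless.adminPassword` while `secretKeyFile` in the `let` uses the `my` alias, and `systemd.services.paperless-ng-server` is configured in two separate attribute sets that could be merged into the `paperless-ng-server` entry of the `systemd.services` block. The enclosing `config = mkIf cfg.enable {` block continues past the end of this hunk.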
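Review bot: The new `paths` cover `config.services.paperless-ng.dataDir` and `mediaDir` but nothing replaces the dropped `/home/alarsyo/paperless-ng/backups` entry, and with `PAPERLESS_DBHOST = "/run/postgresql"` the document metadata (tags, correspondents, index) now lives in PostgreSQL rather than in a file under `dataDir`, so a restore from this restic set would recover the files without their metadata. Enable `services.postgresqlBackup` for the `paperless` database and add `config.services.postgresqlBackup.location` to `paths`, or otherwise dump the database before the restic job runs; a comment on `paths` stating that the database is backed up separately would then document the full restore set.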