services: paperless: switch from docker to nixos
parent
ed7cacb3b4
commit
516cbd4ae7
|
@ -17,6 +17,7 @@ with lib;
|
||||||
gandiKey = lib.fileContents ./gandi-api-key.secret;
|
gandiKey = lib.fileContents ./gandi-api-key.secret;
|
||||||
|
|
||||||
borg-backup = import ./borg-backup { inherit lib; };
|
borg-backup = import ./borg-backup { inherit lib; };
|
||||||
|
paperless = import ./paperless { inherit lib; };
|
||||||
restic-backup = import ./restic-backup { inherit lib; };
|
restic-backup = import ./restic-backup { inherit lib; };
|
||||||
|
|
||||||
matrixEmailConfig = import ./matrix-email-config.nix;
|
matrixEmailConfig = import ./matrix-email-config.nix;
|
||||||
|
|
BIN
secrets/paperless/admin-password.secret
Normal file
BIN
secrets/paperless/admin-password.secret
Normal file
Binary file not shown.
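--- a/secrets/paperless/default.nix
+++ b/secrets/paperless/default.nix
@@ -0,0 +1,5 @@
+{ lib }:
+{
+secretKey = lib.fileContents ./secret-key-file.secret;
+adminPassword = lib.fileContents ./admin-password.secret;
+}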
BIN
secrets/paperless/secret-key-file.secret
Normal file
BIN
secrets/paperless/secret-key-file.secret
Normal file
Binary file not shown.
|
@ -6,6 +6,8 @@ let
|
||||||
cfg = config.my.services.paperless;
|
cfg = config.my.services.paperless;
|
||||||
my = config.my;
|
my = config.my;
|
||||||
domain = config.networking.domain;
|
domain = config.networking.domain;
|
||||||
|
paperlessDomain = "paperless.${domain}";
|
||||||
|
secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.my.services.paperless = {
|
options.my.services.paperless = {
|
||||||
|
@ -20,16 +22,59 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
# HACK: see https://github.com/NixOS/nixpkgs/issues/111852
|
services.paperless-ng = {
|
||||||
networking.firewall.extraCommands = ''
|
enable = true;
|
||||||
iptables -N DOCKER-USER || true
|
port = cfg.port;
|
||||||
iptables -F DOCKER-USER
|
passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
|
||||||
iptables -A DOCKER-USER -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
extraConfig = {
|
||||||
iptables -A DOCKER-USER -i eno1 -j DROP
|
# Postgres settings
|
||||||
'';
|
PAPERLESS_DBHOST = "/run/postgresql";
|
||||||
|
PAPERLESS_DBUSER = "paperless";
|
||||||
|
PAPERLESS_DBNAME = "paperless";
|
||||||
|
|
||||||
|
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
|
||||||
|
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
|
||||||
|
|
||||||
|
PAPERLESS_OCR_LANGUAGE = "fra+eng";
|
||||||
|
|
||||||
|
PAPERLESS_TIME_ZONE = config.time.timeZone;
|
||||||
|
|
||||||
|
PAPERLESS_ADMIN_USER = "alarsyo";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services = {
|
||||||
|
paperless-ng-server.serviceConfig = {
|
||||||
|
EnvironmentFile = secretKeyFile;
|
||||||
|
};
|
||||||
|
|
||||||
|
paperless-ng-consumer.serviceConfig = {
|
||||||
|
EnvironmentFile = secretKeyFile;
|
||||||
|
};
|
||||||
|
|
||||||
|
paperless-ng-web.serviceConfig = {
|
||||||
|
EnvironmentFile = secretKeyFile;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
ensureDatabases = [ "paperless" ];
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "paperless";
|
||||||
|
ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.paperless-ng-server = {
|
||||||
|
# Make sure the DB is available
|
||||||
|
after = [ "postgresql.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"paperless.${domain}" = {
|
"${paperlessDomain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = domain;
|
useACMEHost = domain;
|
||||||
|
|
||||||
|
@ -56,9 +101,8 @@ in
|
||||||
|
|
||||||
my.services.restic-backup = mkIf cfg.enable {
|
my.services.restic-backup = mkIf cfg.enable {
|
||||||
paths = [
|
paths = [
|
||||||
"/var/lib/docker/volumes/paperless_data"
|
config.services.paperless-ng.dataDir
|
||||||
"/var/lib/docker/volumes/paperless_media"
|
config.services.paperless-ng.mediaDir
|
||||||
"/home/alarsyo/paperless-ng/backups"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
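Review bot: Both `passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;` and `secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;` write the secret into /nix/store, which is world-readable on the host and travels with any store copy or cache upload, so the admin password and the secret key become readable by every local user and service. Prefer a runtime path outside the store with tight ownership, for example `passwordFile = "/run/secrets/<paperless-admin-password>";` and `EnvironmentFile = "/run/secrets/<paperless-secret-key-env>";` (placeholder paths), provisioned at activation by a tool such as agenix or sops-nix. Because the current values will already have been realised into the store once this is deployed, rotate both after switching. Separately, `after = [ "postgresql.service" ];` only orders startup; if the server must not run without the database it presumably also wants a `requires` entry, which is worth confirming against the upstream module. The `let` block and the `config` body both continue outside the hunks shown.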