services: paperless: switch from docker to nixos

This commit is contained in:
Antoine Martin 2021-12-22 19:17:16 +01:00
parent ed7cacb3b4
commit 516cbd4ae7
5 changed files with 61 additions and 11 deletions


@ -17,6 +17,7 @@ with lib;
gandiKey = lib.fileContents ./gandi-api-key.secret; gandiKey = lib.fileContents ./gandi-api-key.secret;
borg-backup = import ./borg-backup { inherit lib; }; borg-backup = import ./borg-backup { inherit lib; };
paperless = import ./paperless { inherit lib; };
restic-backup = import ./restic-backup { inherit lib; }; restic-backup = import ./restic-backup { inherit lib; };
matrixEmailConfig = import ./matrix-email-config.nix; matrixEmailConfig = import ./matrix-email-config.nix;

Binary file not shown.


@ -0,0 +1,5 @@
{ lib }:
{
secretKey = lib.fileContents ./secret-key-file.secret;
adminPassword = lib.fileContents ./admin-password.secret;
}

Binary file not shown.


@ -6,6 +6,8 @@ let
cfg = config.my.services.paperless; cfg = config.my.services.paperless;
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
paperlessDomain = "paperless.${domain}";
secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
in in
{ {
options.my.services.paperless = { options.my.services.paperless = {
@ -20,16 +22,59 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# HACK: see https://github.com/NixOS/nixpkgs/issues/111852 services.paperless-ng = {
networking.firewall.extraCommands = '' enable = true;
iptables -N DOCKER-USER || true port = cfg.port;
iptables -F DOCKER-USER passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
iptables -A DOCKER-USER -i eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT extraConfig = {
iptables -A DOCKER-USER -i eno1 -j DROP # Postgres settings
''; PAPERLESS_DBHOST = "/run/postgresql";
PAPERLESS_DBUSER = "paperless";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_OCR_LANGUAGE = "fra+eng";
PAPERLESS_TIME_ZONE = config.time.timeZone;
PAPERLESS_ADMIN_USER = "alarsyo";
};
};
systemd.services = {
paperless-ng-server.serviceConfig = {
EnvironmentFile = secretKeyFile;
};
paperless-ng-consumer.serviceConfig = {
EnvironmentFile = secretKeyFile;
};
paperless-ng-web.serviceConfig = {
EnvironmentFile = secretKeyFile;
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "paperless" ];
ensureUsers = [
{
name = "paperless";
ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
}
];
};
systemd.services.paperless-ng-server = {
# Make sure the DB is available
after = [ "postgresql.service" ];
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"paperless.${domain}" = { "${paperlessDomain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = domain; useACMEHost = domain;
@ -56,9 +101,8 @@ in
my.services.restic-backup = mkIf cfg.enable { my.services.restic-backup = mkIf cfg.enable {
paths = [ paths = [
"/var/lib/docker/volumes/paperless_data" config.services.paperless-ng.dataDir
"/var/lib/docker/volumes/paperless_media" config.services.paperless-ng.mediaDir
"/home/alarsyo/paperless-ng/backups"
]; ];
}; };
}; };
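Review bot: Both secrets this module handles end up in the Nix store: `secretKeyFile` in the `let` block and `passwordFile` under `services.paperless-ng` are produced with `pkgs.writeText`, whose output is a store path, so the Django secret key and the admin password become readable by every local user on a default NixOS install and would be copied to any binary cache the host pushes to. Because `passwordFile` and the systemd `EnvironmentFile` settings both accept an ordinary path, pointing them at a root-owned file kept outside the store, e.g. `passwordFile = "<path to root-only file outside the store>";` and `EnvironmentFile = "<path to root-only env file outside the store>";`, removes the exposure without touching the rest of the module. As a smaller point, the same secrets set is reached as `my.secrets.paperless.secretKey` in the `let` and as `config.my.secrets.paperless.adminPassword` in the service block; one spelling would read more consistently. The module's outer function and its `let` begin before the first hunk.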