diff --git a/flake.nix b/flake.nix index bb9c39e..f61d052 100644 --- a/flake.nix +++ b/flake.nix @@ -206,6 +206,7 @@ git = "git.${baseName}"; metrics = "metrics.${baseName}"; prometheus = "prom.${baseName}"; + paperless = "paper.${baseName}"; secrets = "vault.${baseName}"; stream = "stream.${baseName}"; content = "cloud.${baseName}"; diff --git a/hosts/swan/default.nix b/hosts/swan/default.nix index 0c28309..05cb851 100644 --- a/hosts/swan/default.nix +++ b/hosts/swan/default.nix @@ -79,6 +79,7 @@ inputs.nixpkgs.lib.nixosSystem { services.prometheus.enable = false; services.vmagent.enable = true; services.samba.enable = true; + services.paperless.enable = true; # Allows private remote access over the internet cloudflareTunnel = { diff --git a/modules/common/default.nix b/modules/common/default.nix index ad578e8..9086c2c 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -75,6 +75,10 @@ type = lib.types.str; description = "Hostname for metrics server."; }; + paperless = lib.mkOption { + type = lib.types.str; + description = "Hostname for document server (paperless-ngx)."; + }; prometheus = lib.mkOption { type = lib.types.str; description = "Hostname for Prometheus server."; diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index 0fba069..f42ae39 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -19,6 +19,7 @@ ./n8n.nix ./netdata.nix ./nextcloud.nix + ./paperless.nix ./prometheus.nix ./samba.nix ./secrets.nix diff --git a/modules/nixos/services/paperless.nix b/modules/nixos/services/paperless.nix new file mode 100644 index 0000000..17b5243 --- /dev/null +++ b/modules/nixos/services/paperless.nix 
@@ -0,0 +1,48 @@
+{ config, lib, ... }: {
+
+ config = lib.mkIf config.services.paperless.enable {
+
+ services.paperless = {
+ mediaDir = "/data/generic/paperless";
+ passwordFile = config.secrets.paperless.dest;
+ extraConfig = {
+ PAPERLESS_OCR_USER_ARGS =
+ builtins.toJSON { invalidate_digital_signatures = true; };
+
+ # Enable if changing the path name in Caddy
+ # PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
+ # PAPERLESS_STATIC_URL = "/paperless/static/";
+ };
+ };
+
+ users.users.paperless.extraGroups = [ "generic" ];
+
+ caddy.routes = [{
+ match = [{
+ host = [ config.hostnames.paperless ];
+ # path = [ "/paperless*" ]; # Change path name in Caddy
+ }];
+ handle = [{
+ handler = "reverse_proxy";
+ upstreams = [{
+ dial =
+ "localhost:${builtins.toString config.services.paperless.port}";
+ }];
+ }];
+ }];
+
+ secrets.paperless = {
+ source = ../../../private/prometheus.age;
+ dest = "${config.secretsDirectory}/paperless";
+ owner = "paperless";
+ group = "paperless";
+ permissions = "0440";
+ };
+ systemd.services.paperless-secret = {
+ requiredBy = [ "paperless.service" ];
+ before = [ "paperless.service" ];
+ };
+
+ };
+
+}
diff --git a/private/paperless.age b/private/paperless.age
new file mode 100644
index 0000000..50ea542
--- /dev/null
+++ b/private/paperless.age
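Review bot: The `secrets.paperless` block sets `source = ../../../private/prometheus.age;`, yet this same commit adds `private/paperless.age`, which nothing in the visible hunks references. As written, the file handed to `services.paperless.passwordFile` would be decrypted from the Prometheus secret, so the two services would share one credential and the new encrypted file would go unused. The line should presumably read `source = ../../../private/paperless.age;`. Separately, `permissions = "0440"` makes the password file readable by the whole `paperless` group; if only the service user reads it, `"0400"` would be tighter.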
@@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBWY3N0 +VkY0Y2tLQnNhZWdRVzFxU0plWThveUthK2NjZWNhZDd5ZGtXVVZ3CjVPc3YxbnBM +MmozZFlORVppQmJrQ2ovWEFVVm81ZlBpRCtQQmRiNnBCaVUKLT4gc3NoLWVkMjU1 +MTkgWXlTVU1RIEtvRFJEQXJLNjlyRldpM2pMdXNxWVZmVFl2NVJjRUtuQzNtbmJq +UTBDR2cKQ1J4cHVkWHJZU1M4dnFIekx2ejlua0NjUUtET0EwN24rY2NPcGQ5eEp1 +TQotPiBzc2gtZWQyNTUxOSBuanZYNUEgVnBQOHV5VUk0N2lyU2NkdXovQmJYVGhL +dnUwTG9oZkZKOUxFWTNiZkhBbwo2WjgyNHBhaGtFREJGVDk5TzJhZjRzKytaLzZR +TDQxeU9pY24zQnJBYmN3Ci0+IHNzaC1lZDI1NTE5IENxSU9VQSBQQ3I2YnNNZVlX +TEhNbWhRSjJRbk9DYnJIRUFieDBMRUtBRVhxZ1RQcVNNClNzU0VPMnh5bUFGVTZm +ekJLSzFjT3dHVVdoQ3A5ZStCUk83Qk5rcWZmN3MKLS0tIFdvRG1mYzdUenhndkY2 +amo0ZGpjQkdabUdNRUJwV29CRXByVk8ySEZzTzAKsDY+DVJqZb/jCn6Xa/OqNheR +uNlV5vVKUaZu5F+MTZqZaRYdn66TJVXgz5GydbgwQGs3l0K67ikPiTOoln0FapnB +TQ== +-----END AGE ENCRYPTED FILE-----