enable paperless-ngx document management

flake.nix

@@ -206,6 +206,7 @@
           git = "git.${baseName}";
           metrics = "metrics.${baseName}";
           prometheus = "prom.${baseName}";
+          paperless = "paper.${baseName}";
           secrets = "vault.${baseName}";
           stream = "stream.${baseName}";
           content = "cloud.${baseName}";

hosts/swan/default.nix

@@ -79,6 +79,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.prometheus.enable = false;
       services.vmagent.enable = true;
       services.samba.enable = true;
+      services.paperless.enable = true;
 
       # Allows private remote access over the internet
       cloudflareTunnel = {

modules/common/default.nix

@@ -75,6 +75,10 @@
         type = lib.types.str;
         description = "Hostname for metrics server.";
       };
+      paperless = lib.mkOption {
+        type = lib.types.str;
+        description = "Hostname for document server (paperless-ngx).";
+      };
       prometheus = lib.mkOption {
         type = lib.types.str;
         description = "Hostname for Prometheus server.";

modules/nixos/services/default.nix

@@ -19,6 +19,7 @@
     ./n8n.nix
     ./netdata.nix
     ./nextcloud.nix
+    ./paperless.nix
     ./prometheus.nix
     ./samba.nix
     ./secrets.nix

modules/nixos/services/paperless.nix

@@ -0,0 +1,48 @@
+{ config, lib, ... }: {
+
+  config = lib.mkIf config.services.paperless.enable {
+
+    services.paperless = {
+      mediaDir = "/data/generic/paperless";
+      passwordFile = config.secrets.paperless.dest;
+      extraConfig = {
+        PAPERLESS_OCR_USER_ARGS =
+          builtins.toJSON { invalidate_digital_signatures = true; };
+
+        # Enable if changing the path name in Caddy
+        # PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
+        # PAPERLESS_STATIC_URL = "/paperless/static/";
+      };
+    };
+
+    users.users.paperless.extraGroups = [ "generic" ];
+
+    caddy.routes = [{
+      match = [{
+        host = [ config.hostnames.paperless ];
+        # path = [ "/paperless*" ]; # Change path name in Caddy
+      }];
+      handle = [{
+        handler = "reverse_proxy";
+        upstreams = [{
+          dial =
+            "localhost:${builtins.toString config.services.paperless.port}";
+        }];
+      }];
+    }];
+
+    secrets.paperless = {
+      source = ../../../private/prometheus.age;
+      dest = "${config.secretsDirectory}/paperless";
+      owner = "paperless";
+      group = "paperless";
+      permissions = "0440";
+    };
+    systemd.services.paperless-secret = {
+      requiredBy = [ "paperless.service" ];
+      before = [ "paperless.service" ];
+    };
+
+  };
+
+}

private/paperless.age

@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBWY3N0
+VkY0Y2tLQnNhZWdRVzFxU0plWThveUthK2NjZWNhZDd5ZGtXVVZ3CjVPc3YxbnBM
+MmozZFlORVppQmJrQ2ovWEFVVm81ZlBpRCtQQmRiNnBCaVUKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIEtvRFJEQXJLNjlyRldpM2pMdXNxWVZmVFl2NVJjRUtuQzNtbmJq
+UTBDR2cKQ1J4cHVkWHJZU1M4dnFIekx2ejlua0NjUUtET0EwN24rY2NPcGQ5eEp1
+TQotPiBzc2gtZWQyNTUxOSBuanZYNUEgVnBQOHV5VUk0N2lyU2NkdXovQmJYVGhL
+dnUwTG9oZkZKOUxFWTNiZkhBbwo2WjgyNHBhaGtFREJGVDk5TzJhZjRzKytaLzZR
+TDQxeU9pY24zQnJBYmN3Ci0+IHNzaC1lZDI1NTE5IENxSU9VQSBQQ3I2YnNNZVlX
+TEhNbWhRSjJRbk9DYnJIRUFieDBMRUtBRVhxZ1RQcVNNClNzU0VPMnh5bUFGVTZm
+ekJLSzFjT3dHVVdoQ3A5ZStCUk83Qk5rcWZmN3MKLS0tIFdvRG1mYzdUenhndkY2
+amo0ZGpjQkdabUdNRUJwV29CRXByVk8ySEZzTzAKsDY+DVJqZb/jCn6Xa/OqNheR
+uNlV5vVKUaZu5F+MTZqZaRYdn66TJVXgz5GydbgwQGs3l0K67ikPiTOoln0FapnB
+TQ==
+-----END AGE ENCRYPTED FILE-----