move encrypted secrets near relevant files
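--- /dev/null
+++ b/PLACEHOLDER-PATH-NOT-ON-PAGE
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBTZG1N
+ckt3NjgwOThhZXRRanp3UGpvQ0xST0pmenY0Nm5lT05TZ2VkVjBnCnlCODlFeDZE
+R08xdStEbm1vdmY3dkVVczN4SVE1cE4ra2srdlJEZk5FbjQKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIERlQ0NtU3BhZ0l6NVdtakFkc1V6anFlWTN2cXczSk1WZlFQWTJm
+UmRKSEEKWU9LeVp6TkRDU1FHNjErM3RVa043ZWk0Q3hRMTB4b2VYNjNUK0IwVnFa
+dwotPiBzc2gtZWQyNTUxOSBuanZYNUEgU3VkRXJlWWFRS2dvWGo0RFdXd0Zra0J3
+MnNtNEU0OVNodjlJckdyQnVSbwo5RFR4QnlDSmd1WnBwbExKY0tOVU55WVFPWTFv
+b3hnaWxHcjVoYzRHaDRBCi0+IHNzaC1lZDI1NTE5IENxSU9VQSAxREZKZklHQ2x1
+REFHaUtTNFM2aTFsa1Z3TDN0SlU4djVUcW9TY3c2aHlzCkpFWld2Mi9nMFJ0YVpZ
+NXJreE5zOFVDYVZ0elNESVJCekt0VmlhRDFJV2MKLT4gc3NoLWVkMjU1MTkgejFP
+Y1p3IEgwTkJyeUh3YlZwYi9hSnJraFBDWWRqVlkySFFmR2hBWVJ1MG52dWpPR2cK
+YVgyRVU2RzBhQVJ3MTZTOEwwbWk3QzhFRlZMa2hzZ29HeW0rVU5aN0x2MAotLS0g
+bE43VGhIcjVNenNkVW4xV1N2Zmd0L0JnNUJoOTlya0lWU2NPckNPODdsQQpDcV5M
+ZQ3ZxOePeO2P5AqZuTEQk9QUZzEKnWt+aB296b8dU4rpjpKL+Btr7e9cPLs1S3ay
+fpnky8e+TsczGBEEkrcQ
+-----END AGE ENCRYPTED FILE-----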
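--- /dev/null
+++ b/PLACEHOLDER-PATH-NOT-ON-PAGE
@@ -0,0 +1,74 @@
+# Paperless-ngx is a document scanning and management solution.
+
+{ config, lib, ... }:
+
+let
+inherit (config.nmasur.settings) hostnames username;
+cfg = config.nmasur.presets.services.paperless;
+in
+{
+
+options.nmasur.presets.services.paperless.enable =
+lib.mkEnableOption "Paperless-ngx document manager";
+
+config = lib.mkIf cfg.enable {
+
+services.paperless = {
+enable = true;
+mediaDir = "/data/generic/paperless";
+passwordFile = config.secrets.paperless.dest;
+settings = {
+PAPERLESS_OCR_USER_ARGS = builtins.toJSON { invalidate_digital_signatures = true; };
+
+# Enable if changing the path name in Caddy
+# PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
+# PAPERLESS_STATIC_URL = "/paperless/static/";
+};
+};
+
+# Allow Nextcloud and user to see files
+users.users.nextcloud.extraGroups = lib.mkIf config.services.nextcloud.enable [ "paperless" ];
+users.users.${username}.extraGroups = [ "paperless" ];
+
+nmasur.presets.services.caddy.routes = [
+{
+match = [
+{
+host = [ hostnames.paperless ];
+# path = [ "/paperless*" ]; # Change path name in Caddy
+}
+];
+handle = [
+{
+handler = "reverse_proxy";
+upstreams = [ { dial = "localhost:${builtins.toString config.services.paperless.port}"; } ];
+}
+];
+}
+];
+
+# Configure Cloudflare DNS to point to this machine
+services.cloudflare-dyndns.domains = [ hostnames.paperless ];
+
+secrets.paperless = {
+source = ./paperless.age;
+dest = "${config.secretsDirectory}/paperless";
+owner = "paperless";
+group = "paperless";
+permissions = "0440";
+};
+systemd.services.paperless-secret = {
+requiredBy = [ "paperless.service" ];
+before = [ "paperless.service" ];
+};
+
+# Fix paperless shared permissions
+systemd.services.paperless-web.serviceConfig.UMask = lib.mkForce "0026";
+systemd.services.paperless-scheduler.serviceConfig.UMask = lib.mkForce "0026";
+systemd.services.paperless-task-queue.serviceConfig.UMask = lib.mkForce "0026";
+
+# Backups
+services.restic.backups.default.paths = [ "/data/generic/paperless/documents" ];
+
+};
+}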
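Review bot: The decrypted Paperless password file in the `secrets.paperless` block is written with `permissions = "0440"` and `group = "paperless"`, while the same hunk adds `${username}` (and `nextcloud`, when that service is enabled) to the `paperless` group, so those accounts gain read access to the admin credential as a side effect of being granted access to the document files. If the service reads `passwordFile` as the `paperless` user, which the `owner = "paperless"` setting suggests but the NixOS module defaults are not visible here, `permissions = "0400";` keeps the group membership for file sharing without exposing the secret. Relatedly, the restic path covers only `/data/generic/paperless/documents`; whether the database and thumbnails under the service's data directory are backed up elsewhere cannot be seen in this file, so a short comment next to `# Backups` stating where they are covered would help the next reader.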