move encrypted secrets near relevant files

Noah Masur
2025-03-09 17:09:33 +00:00
parent f59ac536a2
commit 37d1d7724a
60 changed files with 27 additions and 94 deletions


@ -0,0 +1,17 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,74 @@
# Paperless-ngx is a document scanning and management solution.
{ config, lib, ... }:
let
inherit (config.nmasur.settings) hostnames username;
cfg = config.nmasur.presets.services.paperless;
in
{
options.nmasur.presets.services.paperless.enable =
lib.mkEnableOption "Paperless-ngx document manager";
config = lib.mkIf cfg.enable {
services.paperless = {
enable = true;
mediaDir = "/data/generic/paperless";
passwordFile = config.secrets.paperless.dest;
settings = {
PAPERLESS_OCR_USER_ARGS = builtins.toJSON { invalidate_digital_signatures = true; };
# Enable if changing the path name in Caddy
# PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
# PAPERLESS_STATIC_URL = "/paperless/static/";
};
};
# Allow Nextcloud and user to see files
users.users.nextcloud.extraGroups = lib.mkIf config.services.nextcloud.enable [ "paperless" ];
users.users.${username}.extraGroups = [ "paperless" ];
nmasur.presets.services.caddy.routes = [
{
match = [
{
host = [ hostnames.paperless ];
# path = [ "/paperless*" ]; # Change path name in Caddy
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.paperless.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ hostnames.paperless ];
secrets.paperless = {
source = ./paperless.age;
dest = "${config.secretsDirectory}/paperless";
owner = "paperless";
group = "paperless";
permissions = "0440";
};
systemd.services.paperless-secret = {
requiredBy = [ "paperless.service" ];
before = [ "paperless.service" ];
};
# Fix paperless shared permissions
systemd.services.paperless-web.serviceConfig.UMask = lib.mkForce "0026";
systemd.services.paperless-scheduler.serviceConfig.UMask = lib.mkForce "0026";
systemd.services.paperless-task-queue.serviceConfig.UMask = lib.mkForce "0026";
# Backups
services.restic.backups.default.paths = [ "/data/generic/paperless/documents" ];
};
}
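Review bot: The decrypted password file declared in the `secrets.paperless` block is group-readable (`permissions = "0440"` with `group = "paperless"`), while the same module adds the `nextcloud` user and `${username}` to the `paperless` group so they can see the media directory; that membership also lets both of them read the Paperless admin password from `${config.secretsDirectory}/paperless`. Since `passwordFile` is consumed only by the Paperless service, which runs as the `paperless` user unless overridden elsewhere, `permissions = "0400";` keeps the file-sharing intent without widening access to the secret. The `PAPERLESS_OCR_USER_ARGS` line also deserves a why-comment, because `invalidate_digital_signatures` changes how signed documents are handled, e.g. `# Let OCRmyPDF rewrite digitally signed PDFs; existing signatures become invalid`. The rendered section shows 61 of the 74 added lines, so blank lines appear to have been dropped by the page rather than missing from the file.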