dotfiles/modules/nixos/services/paperless.nix
Noah Masur 05deb5b979 fix paperless permissions with umask
instead of running a systemd service timer
2024-02-10 01:40:04 +00:00

61 lines
1.8 KiB
Nix

# Paperless-ngx is a document scanning and management solution.
{ config, lib, ... }: {
config = lib.mkIf config.services.paperless.enable {
services.paperless = {
mediaDir = "/data/generic/paperless";
passwordFile = config.secrets.paperless.dest;
settings = {
PAPERLESS_OCR_USER_ARGS =
builtins.toJSON { invalidate_digital_signatures = true; };
# Enable if changing the path name in Caddy
# PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
# PAPERLESS_STATIC_URL = "/paperless/static/";
};
};
# Allow Nextcloud and user to see files
users.users.nextcloud.extraGroups =
lib.mkIf config.services.nextcloud.enable [ "paperless" ];
users.users.${config.user}.extraGroups = [ "paperless" ];
caddy.routes = [{
match = [{
host = [ config.hostnames.paperless ];
# path = [ "/paperless*" ]; # Change path name in Caddy
}];
handle = [{
handler = "reverse_proxy";
upstreams = [{
dial =
"localhost:${builtins.toString config.services.paperless.port}";
}];
}];
}];
secrets.paperless = {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/paperless";
owner = "paperless";
group = "paperless";
permissions = "0440";
};
systemd.services.paperless-secret = {
requiredBy = [ "paperless.service" ];
before = [ "paperless.service" ];
};
# Fix paperless shared permissions
systemd.services.paperless-web.serviceConfig.UMask = lib.mkForce "0026";
systemd.services.paperless-scheduler.serviceConfig.UMask =
lib.mkForce "0026";
systemd.services.paperless-task-queue.serviceConfig.UMask =
lib.mkForce "0026";
};
}