refactor: moved nixos modules to dendrite pattern

2026-04-07 15:39:45 -05:00 · 2026-04-07 15:39:45 -05:00 · 0ea11e0236
commit 0ea11e0236
parent df8dd110ad
219 changed files with 4802 additions and 4820 deletions
--- a/modules/nixos/programs/paperless/database.nix
+++ b/modules/nixos/programs/paperless/database.nix
@ -0,0 +1,32 @@
+{...}: {
+  flake.nixosModules.paperless-database = {
+    config,
+    lib,
+    ...
+  }: {
+    config = lib.mkIf config.services.paperless.enable {
+      assertions = [
+        {
+          assertion = !config.services.paperless.database.createLocally || config.services.postgresql.enable;
+          message = "PostgreSQL must be enabled when using local postgres database for Paperless";
+        }
+        {
+          assertion = !config.services.paperless.database.createLocally || (builtins.any (db: db == "paperless") config.services.postgresql.ensureDatabases);
+          message = "Paperless built-in database creation failed - expected 'paperless' in ensureDatabases but got: ${builtins.toString config.services.postgresql.ensureDatabases}";
+        }
+        {
+          assertion = !config.services.paperless.database.createLocally || (builtins.any (user: user.name == "paperless") config.services.postgresql.ensureUsers);
+          message = "Paperless built-in user creation failed - expected user 'paperless' in ensureUsers but got: ${builtins.toString (builtins.map (u: u.name) config.services.postgresql.ensureUsers)}";
+        }
+      ];
+
+      services.paperless.database.createLocally = lib.mkDefault true;
+
+      systemd.services.paperless-scheduler = lib.mkIf config.services.paperless.database.createLocally {
+        requires = [
+          config.systemd.services.postgresql.name
+        ];
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/paperless/default.nix
+++ b/modules/nixos/programs/paperless/default.nix
@ -0,0 +1,13 @@
+{config, ...}: let
+  mod = config.flake.nixosModules;
+in {
+  flake.nixosModules.paperless = {
+    imports = [
+      mod.paperless-service
+      mod.paperless-database
+      mod.paperless-proxy
+      mod.paperless-fail2ban
+      mod.paperless-storage
+    ];
+  };
+}
--- a/modules/nixos/programs/paperless/fail2ban.nix
+++ b/modules/nixos/programs/paperless/fail2ban.nix
@ -0,0 +1,36 @@
+{...}: {
+  flake.nixosModules.paperless-fail2ban = {
+    config,
+    lib,
+    pkgs,
+    ...
+  }: {
+    config = lib.mkIf (config.services.paperless.enable && config.services.fail2ban.enable) {
+      environment.etc = {
+        "fail2ban/filter.d/paperless.local".text = (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [Definition]
+            failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
+            ignoreregex =
+
+          '')
+        );
+      };
+
+      services.fail2ban = {
+        jails = {
+          paperless.settings = {
+            enabled = true;
+            filter = "paperless";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.paperless.dataDir}/log/*.log";
+            backend = "auto";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/paperless/paperless.nix
+++ b/modules/nixos/programs/paperless/paperless.nix
@ -0,0 +1,29 @@
+{...}: {
+  flake.nixosModules.paperless-service = {
+    config,
+    lib,
+    ...
+  }: {
+    options.services.paperless = {
+      database = {
+        user = lib.mkOption {
+          type = lib.types.str;
+          description = "what is the user and database that we are going to use for paperless";
+          default = "paperless";
+        };
+      };
+    };
+
+    config = lib.mkIf config.services.paperless.enable {
+      services.paperless = {
+        configureTika = true;
+        settings = {
+          PAPERLESS_DBENGINE = "postgresql";
+          PAPERLESS_DBHOST = "/run/postgresql";
+          PAPERLESS_DBNAME = config.services.paperless.database.user;
+          PAPERLESS_DBUSER = config.services.paperless.database.user;
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/paperless/proxy.nix
+++ b/modules/nixos/programs/paperless/proxy.nix
@ -0,0 +1,35 @@
+{...}: {
+  flake.nixosModules.paperless-proxy = {
+    config,
+    lib,
+    ...
+  }: {
+    options.services.paperless = {
+      extraDomains = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "extra domains that should be configured for paperless";
+        default = [];
+      };
+      reverseProxy = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = config.services.paperless.enable && config.services.reverseProxy.enable;
+        };
+      };
+    };
+
+    config = lib.mkIf config.services.paperless.reverseProxy.enable {
+      services.reverseProxy.services.paperless = {
+        target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
+        domain = config.services.paperless.domain;
+        extraDomains = config.services.paperless.extraDomains;
+
+        settings = {
+          proxyWebsockets.enable = true;
+          forwardHeaders.enable = true;
+          maxBodySize = 50000;
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/paperless/storage.nix
+++ b/modules/nixos/programs/paperless/storage.nix
@ -0,0 +1,23 @@
+{...}: {
+  flake.nixosModules.paperless-storage = {
+    config,
+    lib,
+    ...
+  }: let
+    dataDir = "/var/lib/paperless";
+  in {
+    options.services.paperless.impermanence.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = config.services.paperless.enable && config.storage.impermanence.enable;
+    };
+
+    config = lib.mkIf config.services.paperless.enable {
+      storage.datasets.replicate."system/root" = {
+        directories."${dataDir}" = lib.mkIf config.services.paperless.impermanence.enable {
+          owner.name = "paperless";
+          group.name = "paperless";
+        };
+      };
+    };
+  };
+}