From 3a875e0c1f6587530aa4844c84b7939a2c194cae Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Mon, 14 Jul 2025 11:43:45 -0500 Subject: [PATCH] drafted out paperless config --- .../nixos/defiant/configuration.nix | 5 ++ modules/nixos-modules/server/default.nix | 1 + .../nixos-modules/server/home-assistant.nix | 4 +- modules/nixos-modules/server/paperless.nix | 80 +++++++++++++++++++ modules/nixos-modules/users.nix | 15 ++++ 5 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 modules/nixos-modules/server/paperless.nix diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 3ab557d..0d6173c 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -288,6 +288,11 @@ }; }; + paperless = { + enable = false; + subdomain = "documents"; + }; + qbittorrent = { enable = true; mediaDir = "/srv/qbittorent"; diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix index 00e506d..95c7096 100644 --- a/modules/nixos-modules/server/default.nix +++ b/modules/nixos-modules/server/default.nix @@ -12,5 +12,6 @@ ./wyoming.nix ./immich.nix ./qbittorent.nix + ./paperless.nix ]; } diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix index f91e02e..57bedc1 100644 --- a/modules/nixos-modules/server/home-assistant.nix +++ b/modules/nixos-modules/server/home-assistant.nix @@ -102,8 +102,8 @@ in { login_attempts_threshold = 10; }; homeassistant = { - external_url = "https://home.jan-leila.com"; - internal_url = "http://192.168.1.2:8123"; + external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}"; + # internal_url = "http://192.168.1.2:8123"; }; recorder.db_url = "postgresql://@/${dbUser}"; "automation manual" = []; 
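Review bot: In the `homeassistant` block of home-assistant.nix the old setting is left behind as the commented-out line `# internal_url = "http://192.168.1.2:8123";`, so a reader cannot tell whether it is meant to come back. Delete it, or replace it with a comment stating the reason. If the intent is that clients reach the instance only through the reverse proxy, something like `# internal_url unset: access goes through the reverse proxy only` would do. The enclosing settings block starts and ends outside the hunk.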
diff --git a/modules/nixos-modules/server/paperless.nix b/modules/nixos-modules/server/paperless.nix
new file mode 100644
index 0000000..e49249d
--- /dev/null
+++ b/modules/nixos-modules/server/paperless.nix
@@ -0,0 +1,80 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ dataDir = "/var/lib/paperless";
+in {
+ options.services.paperless = {
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ description = "subdomain of base domain that paperless will be hosted at";
+ default = "paperless";
+ };
+ database = {
+ user = lib.mkOption {
+ type = lib.types.str;
+ description = "what is the user and database that we are going to use for paperless";
+ default = "paperless";
+ };
+ };
+ };
+
+ config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
+ {
+ host = {
+ reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
+ target = "http://${config.services.paperless.address}:${config.services.paperless.port}";
+
+ websockets.enable = true;
+ forwardHeaders.enable = true;
+
+ extraConfig = ''
+ # allow large file uploads
+ client_max_body_size 50000M;
+ '';
+ };
+ postgres = {
+ enable = true;
+ extraUsers = {
+ ${config.services.paperless.database.user} = {
+ isClient = true;
+ };
+ };
+ };
+ };
+ services.paperless = {
+ # TODO: configure passwordFile with sops
+ configureTika = true;
+ settings = {
+ PAPERLESS_URL = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
+
+ PAPERLESS_DBENGINE = "postgresql";
+ PAPERLESS_DBHOST = "/run/postgresql";
+ PAPERLESS_DBNAME = config.services.paperless.database.user;
+ PAPERLESS_DBUSER = config.services.paperless.database.user;
+ };
+ };
+ }
+ (lib.mkIf config.services.fail2ban.enable {
+ # TODO: fail2ban config
+ })
+ (lib.mkIf config.host.impermanence.enable {
+ assertions = [
+ {
+ assertion = config.services.paperless.dataDir == dataDir;
+ message = "paperless data location does not match persistence";
+ }
+ ];
+ environment.persistence."/persist/system/root" = {
+ directories = [
+ {
+ directory = dataDir;
+ user = "paperless";
+ group = "paperless";
+ }
+ ];
+ };
+ })
+ ]);
+}
diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix
index 68bd78b..a774e44 100644
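Review bot: In the reverse-proxy `target` line, `${config.services.paperless.port}` interpolates what upstream nixpkgs declares as a port (integer) option, and Nix does not coerce integers inside string interpolation, so evaluation should fail as soon as `enable` is turned on; use `target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";`. `PAPERLESS_URL` is set to a bare host name, but paperless-ngx derives its allowed hosts and CSRF trusted origins from this value and expects a full origin, so it should read `PAPERLESS_URL = "https://${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";`, matching the `external_url` form used in home-assistant.nix in this commit. The `client_max_body_size 50000M;` limit accepts request bodies of roughly 50 GB from any client that can reach the proxy, while `passwordFile` and the fail2ban rules are both still TODO; a much smaller cap would be safer until those are in place.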
--- a/modules/nixos-modules/users.nix +++ b/modules/nixos-modules/users.nix @@ -24,6 +24,7 @@ git = 2009; immich = 2010; qbittorrent = 2011; + paperless = 2012; }; gids = { @@ -40,6 +41,7 @@ git = 2009; immich = 2010; qbittorrent = 2011; + paperless = 2012; }; users = config.users.users; @@ -169,6 +171,12 @@ in { isNormalUser = true; group = config.users.users.qbittorrent.name; }; + + paperless = { + uid = lib.mkForce uids.paperless; + isSystemUser = true; + group = config.users.users.paperless.name; + }; }; groups = { @@ -273,6 +281,13 @@ in { leyla ]; }; + + paperless = { + gid = lib.mkForce gids.paperless; + members = [ + users.paperless.name + ]; + }; }; }; }