drafted out paperless config

configurations/nixos/defiant/configuration.nix

@@ -288,6 +288,11 @@
       };
     };
 
+    paperless = {
+      enable = false;
+      subdomain = "documents";
+    };
+
     qbittorrent = {
       enable = true;
       mediaDir = "/srv/qbittorent";

modules/nixos-modules/server/default.nix

@@ -12,5 +12,6 @@
     ./wyoming.nix
     ./immich.nix
     ./qbittorent.nix
+    ./paperless.nix
   ];
 }

modules/nixos-modules/server/home-assistant.nix

@@ -102,8 +102,8 @@ in {
             login_attempts_threshold = 10;
           };
           homeassistant = {
-            external_url = "https://home.jan-leila.com";
+            external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}";
-            internal_url = "http://192.168.1.2:8123";
+            # internal_url = "http://192.168.1.2:8123";
           };
           recorder.db_url = "postgresql://@/${dbUser}";
           "automation manual" = [];

modules/nixos-modules/server/paperless.nix

@@ -0,0 +1,80 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  dataDir = "/var/lib/paperless";
+in {
+  options.services.paperless = {
+    subdomain = lib.mkOption {
+      type = lib.types.str;
+      description = "subdomain of base domain that paperless will be hosted at";
+      default = "paperless";
+    };
+    database = {
+      user = lib.mkOption {
+        type = lib.types.str;
+        description = "what is the user and database that we are going to use for paperless";
+        default = "paperless";
+      };
+    };
+  };
+
+  config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
+    {
+      host = {
+        reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
+          target = "http://${config.services.paperless.address}:${config.services.paperless.port}";
+
+          websockets.enable = true;
+          forwardHeaders.enable = true;
+
+          extraConfig = ''
+            # allow large file uploads
+            client_max_body_size 50000M;
+          '';
+        };
+        postgres = {
+          enable = true;
+          extraUsers = {
+            ${config.services.paperless.database.user} = {
+              isClient = true;
+            };
+          };
+        };
+      };
+      services.paperless = {
+        # TODO: configure passwordFile with sops
+        configureTika = true;
+        settings = {
+          PAPERLESS_URL = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
+
+          PAPERLESS_DBENGINE = "postgresql";
+          PAPERLESS_DBHOST = "/run/postgresql";
+          PAPERLESS_DBNAME = config.services.paperless.database.user;
+          PAPERLESS_DBUSER = config.services.paperless.database.user;
+        };
+      };
+    }
+    (lib.mkIf config.services.fail2ban.enable {
+      # TODO: fail2ban config
+    })
+    (lib.mkIf config.host.impermanence.enable {
+      assertions = [
+        {
+          assertion = config.services.paperless.dataDir == dataDir;
+          message = "paperless data location does not match persistence";
+        }
+      ];
+      environment.persistence."/persist/system/root" = {
+        directories = [
+          {
+            directory = dataDir;
+            user = "paperless";
+            group = "paperless";
+          }
+        ];
+      };
+    })
+  ]);
+}

modules/nixos-modules/users.nix

@@ -24,6 +24,7 @@
     git = 2009;
     immich = 2010;
     qbittorrent = 2011;
+    paperless = 2012;
   };
 
   gids = {
@@ -40,6 +41,7 @@
     git = 2009;
     immich = 2010;
     qbittorrent = 2011;
+    paperless = 2012;
   };
 
   users = config.users.users;
@@ -169,6 +171,12 @@ in {
             isNormalUser = true;
             group = config.users.users.qbittorrent.name;
           };
+
+          paperless = {
+            uid = lib.mkForce uids.paperless;
+            isSystemUser = true;
+            group = config.users.users.paperless.name;
+          };
         };
 
         groups = {
@@ -273,6 +281,13 @@ in {
               leyla
             ];
           };
+
+          paperless = {
+            gid = lib.mkForce gids.paperless;
+            members = [
+              users.paperless.name
+            ];
+          };
         };
       };
     }