From c8f163ed0c1950ea5f0cd25bef96d3a912f13526 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Mon, 14 Jul 2025 19:38:24 -0500 Subject: [PATCH] fixed paperless --- .../nixos/defiant/configuration.nix | 9 ++++- flake.lock | 26 ++++++------- modules/nixos-modules/server/forgejo.nix | 6 +++ modules/nixos-modules/server/jellyfin.nix | 4 +- modules/nixos-modules/server/paperless.nix | 38 +++++++++++++++++-- nix-config-secrets | 2 +- 6 files changed, 64 insertions(+), 21 deletions(-) diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 0d6173c..960e90b 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -17,6 +17,12 @@ "services/zfs_smtp_token" = { sopsFile = "${inputs.secrets}/defiant-services.yaml"; }; + "services/paperless_password" = { + sopsFile = "${inputs.secrets}/defiant-services.yaml"; + mode = "0700"; + owner = "paperless"; + group = "paperless"; + }; }; host = { @@ -289,8 +295,9 @@ }; paperless = { - enable = false; + enable = true; subdomain = "documents"; + passwordFile = config.sops.secrets."services/paperless_password".path; }; qbittorrent = { diff --git a/flake.lock b/flake.lock index a60584d..a32ae84 100644 --- a/flake.lock +++ b/flake.lock @@ -28,11 +28,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1752269946, - "narHash": "sha256-vL26J2f9uXvwBNkfwYH1v75VwN22ZLhBcyZeenJwnCU=", + "lastModified": 1752379414, + "narHash": "sha256-0R3slhrjrnzyxR/fAYy5UliZvSgaVS38YCESBdH5RJw=", "owner": "rycee", "repo": "nur-expressions", - "rev": "9885400dbd82f9b2970b30e18f233404416f7cca", + "rev": "51e77bb95540b7dd6c60f8fd65a0c472a2c9c3b7", "type": "gitlab" }, "original": { 
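Review bot: The new sops declaration for `services/paperless_password` sets `mode = "0700"`, which grants an execute bit on a file that is only ever read; sops-nix secrets are plain files, so the least-privilege setting is `mode = "0400";` (or `"0440"` if group access is actually wanted). With 0700 the `group = "paperless";` line has no effect, so either drop it or widen the mode to 0440 deliberately rather than leaving the two lines contradicting each other. Whether the service reads the file as the `paperless` user cannot be confirmed from this hunk; that depends on the module the second hunk's `passwordFile = config.sops.secrets."services/paperless_password".path;` feeds into, which is outside this diff.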
@@ -115,11 +115,11 @@ ] }, "locked": { - "lastModified": 1752265577, - "narHash": "sha256-YhnBM3oknReSFTAuc2SMwekwjl9nDd5PUhcar4DsefM=", + "lastModified": 1752467539, + "narHash": "sha256-4kaR+xmng9YPASckfvIgl5flF/1nAZOplM+Wp9I5SMI=", "owner": "nix-community", "repo": "home-manager", - "rev": "3976e0507edc9a5f332cb2be93fa20e646d22374", + "rev": "1e54837569e0b80797c47be4720fab19e0db1616", "type": "github" }, "original": { @@ -227,11 +227,11 @@ ] }, "locked": { - "lastModified": 1752200230, - "narHash": "sha256-WqqWjRX4qZYqO/cgvU/ZEzJBQqHBi17OEVv2kt05WiU=", + "lastModified": 1752459325, + "narHash": "sha256-46TgjdxT02a4nFd9HCXCf8kK5ZSH7r9gYROLtc8zVOg=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "3c866dfb70d282247452742098d315b97df713d2", + "rev": "61c2e99ebd586f463a6c0ebe3d931e74883b163d", "type": "github" }, "original": { @@ -293,11 +293,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1749061163, - "narHash": "sha256-WflcbitH7ErNZBFqZCdy1ODUqKF51xbu2zYfqA35+1M=", + "lastModified": 1752531440, + "narHash": "sha256-04tQ3EUrtmZ7g6fVUkZC4AbAG+Z7lng79qU3jsiqWJY=", "ref": "refs/heads/main", - "rev": "1c5c059c0c7b6ce691993262fe10a2b63e1c31ba", - "revCount": 19, + "rev": "f016767c13aa36dde91503f7a9f01bdd02468045", + "revCount": 20, "type": "git", "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git" }, diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix index 40a5303..7898daa 100644 --- a/modules/nixos-modules/server/forgejo.nix +++ b/modules/nixos-modules/server/forgejo.nix @@ -28,6 +28,12 @@ in { extraUsers = { ${db_user} = { isClient = true; + createUser = true; + }; + }; + extraDatabases = { + ${db_user} = { + name = db_user; }; }; }; diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix index a8bbe71..bad04c9 100644 --- a/modules/nixos-modules/server/jellyfin.nix +++ b/modules/nixos-modules/server/jellyfin.nix 
@@ -55,7 +55,7 @@ in { } (lib.mkIf config.services.fail2ban.enable { environment.etc = { - "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable ( + "fail2ban/filter.d/jellyfin.local".text = ( pkgs.lib.mkDefault (pkgs.lib.mkAfter '' [Definition] failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\." @@ -65,7 +65,7 @@ in { services.fail2ban = { jails = { - jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable { + jellyfin-iptables.settings = { enabled = true; filter = "jellyfin"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; diff --git a/modules/nixos-modules/server/paperless.nix b/modules/nixos-modules/server/paperless.nix index e49249d..0243d53 100644 --- a/modules/nixos-modules/server/paperless.nix +++ b/modules/nixos-modules/server/paperless.nix @@ -1,6 +1,7 @@ { config, lib, + pkgs, ... }: let dataDir = "/var/lib/paperless"; @@ -24,7 +25,7 @@ in { { host = { reverse_proxy.subdomains.${config.services.paperless.subdomain} = { - target = "http://${config.services.paperless.address}:${config.services.paperless.port}"; + target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}"; websockets.enable = true; forwardHeaders.enable = true; @@ -39,15 +40,20 @@ in { extraUsers = { ${config.services.paperless.database.user} = { isClient = true; + createUser = true; + }; + }; + extraDatabases = { + ${config.services.paperless.database.user} = { + name = config.services.paperless.database.user; }; }; }; }; services.paperless = { - # TODO: configure passwordFile with sops configureTika = true; settings = { - PAPERLESS_URL = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}"; + PAPERLESS_URL = "https://${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}"; PAPERLESS_DBENGINE = "postgresql"; PAPERLESS_DBHOST = "/run/postgresql"; 
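Review bot: Removing the `lib.mkIf config.services.jellyfin.enable` guards from both the filter file and the `jellyfin-iptables` jail makes the jail declared whenever fail2ban is enabled, unless the enclosing expression (which begins before this hunk) already gates the whole module on `services.jellyfin.enable`; paperless.nix below uses the same unguarded shape inside its fail2ban block, so that is presumably the case, but it is worth confirming, because fail2ban errors on a jail whose `logpath` matches no file. If the outer gate exists, a short comment above `environment.etc` would make the intent obvious to the next reader: `# filter and jail are already gated on services.jellyfin.enable by the enclosing mkIf`.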
@@ -57,7 +63,31 @@ in { }; } (lib.mkIf config.services.fail2ban.enable { - # TODO: fail2ban config + environment.etc = { + "fail2ban/filter.d/paperless.local".text = ( + pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + failregex = Login failed for user `.*` from (?:IP|private IP) ``\.$ + ignoreregex = + + '') + ); + }; + + services.fail2ban = { + jails = { + paperless.settings = { + enabled = true; + filter = "paperless"; + action = ''iptables-multiport[name=HTTP, port="http,https"]''; + logpath = "${config.services.paperless.dataDir}/log/*.log"; + backend = "auto"; + findtime = 600; + bantime = 600; + maxretry = 5; + }; + }; + }; }) (lib.mkIf config.host.impermanence.enable { assertions = [ diff --git a/nix-config-secrets b/nix-config-secrets index 1c5c059..f016767 160000 --- a/nix-config-secrets +++ b/nix-config-secrets @@ -1 +1 @@ -Subproject commit 1c5c059c0c7b6ce691993262fe10a2b63e1c31ba +Subproject commit f016767c13aa36dde91503f7a9f01bdd02468045
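Review bot: The new `paperless` jail copies `action = ''iptables-multiport[name=HTTP, port="http,https"]''` verbatim from the jellyfin jail; fail2ban derives the iptables chain (`f2b-HTTP`) from that `name`, so two jails sharing it operate on one chain and stopping or flushing one jail removes the other jail's bans. Give each jail its own name, e.g. `action = ''iptables-multiport[name=paperless, port="http,https"]'';`. As rendered here the `failregex` has an empty pair of backticks after `(?:IP|private IP)` where fail2ban needs its `<HOST>` placeholder; if that is a rendering loss ignore this, otherwise the filter can never extract an address and the jail bans nothing. Because paperless sits behind the local reverse proxy with `forwardHeaders` enabled, the address it logs is the real client only if it is configured to trust those headers; otherwise the `private IP` branch would match the proxy's own address, which is worth confirming before relying on the bans.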