fixed paperless

modules/nixos-modules/server/forgejo.nix

@@ -28,6 +28,12 @@ in {
           extraUsers = {
             ${db_user} = {
               isClient = true;
+              createUser = true;
+            };
+          };
+          extraDatabases = {
+            ${db_user} = {
+              name = db_user;
             };
           };
         };

modules/nixos-modules/server/jellyfin.nix

@@ -55,7 +55,7 @@ in {
       }
       (lib.mkIf config.services.fail2ban.enable {
         environment.etc = {
-          "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
+          "fail2ban/filter.d/jellyfin.local".text = (
             pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
               [Definition]
               failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
@@ -65,7 +65,7 @@ in {
 
         services.fail2ban = {
           jails = {
-            jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
+            jellyfin-iptables.settings = {
               enabled = true;
               filter = "jellyfin";
               action = ''iptables-multiport[name=HTTP, port="http,https"]'';

modules/nixos-modules/server/paperless.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }: let
   dataDir = "/var/lib/paperless";
@@ -24,7 +25,7 @@ in {
     {
       host = {
         reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
-          target = "http://${config.services.paperless.address}:${config.services.paperless.port}";
+          target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
 
           websockets.enable = true;
           forwardHeaders.enable = true;
@@ -39,15 +40,20 @@ in {
           extraUsers = {
             ${config.services.paperless.database.user} = {
               isClient = true;
+              createUser = true;
+            };
+          };
+          extraDatabases = {
+            ${config.services.paperless.database.user} = {
+              name = config.services.paperless.database.user;
             };
           };
         };
       };
       services.paperless = {
-        # TODO: configure passwordFile with sops
         configureTika = true;
         settings = {
-          PAPERLESS_URL = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
+          PAPERLESS_URL = "https://${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
 
           PAPERLESS_DBENGINE = "postgresql";
           PAPERLESS_DBHOST = "/run/postgresql";
@@ -57,7 +63,31 @@ in {
       };
     }
     (lib.mkIf config.services.fail2ban.enable {
-      # TODO: fail2ban config
+      environment.etc = {
+        "fail2ban/filter.d/paperless.local".text = (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [Definition]
+            failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
+            ignoreregex =
+
+          '')
+        );
+      };
+
+      services.fail2ban = {
+        jails = {
+          paperless.settings = {
+            enabled = true;
+            filter = "paperless";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            logpath = "${config.services.paperless.dataDir}/log/*.log";
+            backend = "auto";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+        };
+      };
     })
     (lib.mkIf config.host.impermanence.enable {
       assertions = [