fixed paperless

drafted out paperless config
2025-07-14 19:38:24 -05:00 · 2025-07-14 11:43:45 -05:00
9 changed files with 162 additions and 18 deletions
--- a/configurations/nixos/defiant/configuration.nix
+++ b/configurations/nixos/defiant/configuration.nix
@ -17,6 +17,12 @@
    "services/zfs_smtp_token" = {
      sopsFile = "${inputs.secrets}/defiant-services.yaml";
    };
    "services/paperless_password" = {
      sopsFile = "${inputs.secrets}/defiant-services.yaml";
      mode = "0700";
      owner = "paperless";
      group = "paperless";
    };
  };
  host = {
@ -288,6 +294,12 @@
      };
    };
    paperless = {
      enable = true;
      subdomain = "documents";
      passwordFile = config.sops.secrets."services/paperless_password".path;
    };
    qbittorrent = {
      enable = true;
      mediaDir = "/srv/qbittorent";
--- a/flake.lock
+++ b/flake.lock
@ -28,11 +28,11 @@
      },
      "locked": {
        "dir": "pkgs/firefox-addons",
-        "lastModified": 1752269946,
+        "lastModified": 1752379414,
-        "narHash": "sha256-vL26J2f9uXvwBNkfwYH1v75VwN22ZLhBcyZeenJwnCU=",
+        "narHash": "sha256-0R3slhrjrnzyxR/fAYy5UliZvSgaVS38YCESBdH5RJw=",
        "owner": "rycee",
        "repo": "nur-expressions",
-        "rev": "9885400dbd82f9b2970b30e18f233404416f7cca",
+        "rev": "51e77bb95540b7dd6c60f8fd65a0c472a2c9c3b7",
        "type": "gitlab"
      },
      "original": {
@ -115,11 +115,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752265577,
+        "lastModified": 1752467539,
-        "narHash": "sha256-YhnBM3oknReSFTAuc2SMwekwjl9nDd5PUhcar4DsefM=",
+        "narHash": "sha256-4kaR+xmng9YPASckfvIgl5flF/1nAZOplM+Wp9I5SMI=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "3976e0507edc9a5f332cb2be93fa20e646d22374",
+        "rev": "1e54837569e0b80797c47be4720fab19e0db1616",
        "type": "github"
      },
      "original": {
@ -227,11 +227,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1752200230,
+        "lastModified": 1752459325,
-        "narHash": "sha256-WqqWjRX4qZYqO/cgvU/ZEzJBQqHBi17OEVv2kt05WiU=",
+        "narHash": "sha256-46TgjdxT02a4nFd9HCXCf8kK5ZSH7r9gYROLtc8zVOg=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "3c866dfb70d282247452742098d315b97df713d2",
+        "rev": "61c2e99ebd586f463a6c0ebe3d931e74883b163d",
        "type": "github"
      },
      "original": {
@ -293,11 +293,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1749061163,
+        "lastModified": 1752531440,
-        "narHash": "sha256-WflcbitH7ErNZBFqZCdy1ODUqKF51xbu2zYfqA35+1M=",
+        "narHash": "sha256-04tQ3EUrtmZ7g6fVUkZC4AbAG+Z7lng79qU3jsiqWJY=",
        "ref": "refs/heads/main",
-        "rev": "1c5c059c0c7b6ce691993262fe10a2b63e1c31ba",
+        "rev": "f016767c13aa36dde91503f7a9f01bdd02468045",
-        "revCount": 19,
+        "revCount": 20,
        "type": "git",
        "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
      },
--- a/modules/nixos-modules/server/default.nix
+++ b/modules/nixos-modules/server/default.nix
@ -12,5 +12,6 @@
    ./wyoming.nix
    ./immich.nix
    ./qbittorent.nix
    ./paperless.nix
  ];
 }
--- a/modules/nixos-modules/server/forgejo.nix
+++ b/modules/nixos-modules/server/forgejo.nix
@ -28,6 +28,12 @@ in {
          extraUsers = {
            ${db_user} = {
              isClient = true;
              createUser = true;
            };
          };
          extraDatabases = {
            ${db_user} = {
              name = db_user;
            };
          };
        };
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@ -102,8 +102,8 @@ in {
            login_attempts_threshold = 10;
          };
          homeassistant = {
-            external_url = "https://home.jan-leila.com";
+            external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}";
-            internal_url = "http://192.168.1.2:8123";
+            # internal_url = "http://192.168.1.2:8123";
          };
          recorder.db_url = "postgresql://@/${dbUser}";
          "automation manual" = [];
--- a/modules/nixos-modules/server/jellyfin.nix
+++ b/modules/nixos-modules/server/jellyfin.nix
@ -55,7 +55,7 @@ in {
      }
      (lib.mkIf config.services.fail2ban.enable {
        environment.etc = {
-          "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
+          "fail2ban/filter.d/jellyfin.local".text = (
            pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
              [Definition]
              failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
@ -65,7 +65,7 @@ in {
        services.fail2ban = {
          jails = {
-            jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
+            jellyfin-iptables.settings = {
              enabled = true;
              filter = "jellyfin";
              action = ''iptables-multiport[name=HTTP, port="http,https"]'';
--- a/modules/nixos-modules/server/paperless.nix
+++ b/modules/nixos-modules/server/paperless.nix
@ -0,0 +1,110 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  dataDir = "/var/lib/paperless";
 in {
  options.services.paperless = {
    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "subdomain of base domain that paperless will be hosted at";
      default = "paperless";
    };
    database = {
      user = lib.mkOption {
        type = lib.types.str;
        description = "what is the user and database that we are going to use for paperless";
        default = "paperless";
      };
    };
  };
  config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
    {
      host = {
        reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
          target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
          websockets.enable = true;
          forwardHeaders.enable = true;
          extraConfig = ''
            # allow large file uploads
            client_max_body_size 50000M;
          '';
        };
        postgres = {
          enable = true;
          extraUsers = {
            ${config.services.paperless.database.user} = {
              isClient = true;
              createUser = true;
            };
          };
          extraDatabases = {
            ${config.services.paperless.database.user} = {
              name = config.services.paperless.database.user;
            };
          };
        };
      };
      services.paperless = {
        configureTika = true;
        settings = {
          PAPERLESS_URL = "https://${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
          PAPERLESS_DBENGINE = "postgresql";
          PAPERLESS_DBHOST = "/run/postgresql";
          PAPERLESS_DBNAME = config.services.paperless.database.user;
          PAPERLESS_DBUSER = config.services.paperless.database.user;
        };
      };
    }
    (lib.mkIf config.services.fail2ban.enable {
      environment.etc = {
        "fail2ban/filter.d/paperless.local".text = (
          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
            [Definition]
            failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
            ignoreregex =
          '')
        );
      };
      services.fail2ban = {
        jails = {
          paperless.settings = {
            enabled = true;
            filter = "paperless";
            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
            logpath = "${config.services.paperless.dataDir}/log/*.log";
            backend = "auto";
            findtime = 600;
            bantime = 600;
            maxretry = 5;
          };
        };
      };
    })
    (lib.mkIf config.host.impermanence.enable {
      assertions = [
        {
          assertion = config.services.paperless.dataDir == dataDir;
          message = "paperless data location does not match persistence";
        }
      ];
      environment.persistence."/persist/system/root" = {
        directories = [
          {
            directory = dataDir;
            user = "paperless";
            group = "paperless";
          }
        ];
      };
    })
  ]);
 }
--- a/modules/nixos-modules/users.nix
+++ b/modules/nixos-modules/users.nix
@ -24,6 +24,7 @@
    git = 2009;
    immich = 2010;
    qbittorrent = 2011;
    paperless = 2012;
  };
  gids = {
@ -40,6 +41,7 @@
    git = 2009;
    immich = 2010;
    qbittorrent = 2011;
    paperless = 2012;
  };
  users = config.users.users;
@ -169,6 +171,12 @@ in {
            isNormalUser = true;
            group = config.users.users.qbittorrent.name;
          };
          paperless = {
            uid = lib.mkForce uids.paperless;
            isSystemUser = true;
            group = config.users.users.paperless.name;
          };
        };
        groups = {
@ -273,6 +281,13 @@ in {
              leyla
            ];
          };
          paperless = {
            gid = lib.mkForce gids.paperless;
            members = [
              users.paperless.name
            ];
          };
        };
      };
    }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 1c5c059c0c7b6ce691993262fe10a2b63e1c31ba
+Subproject commit f016767c13aa36dde91503f7a9f01bdd02468045
Author	SHA1	Message	Date
Leyla Becker	c8f163ed0c	fixed paperless	2025-07-14 19:38:24 -05:00
Leyla Becker	3a875e0c1f	drafted out paperless config	2025-07-14 11:43:45 -05:00
		`@ -1 +1 @@`
			`Subproject commit 1c5c059c0c7b6ce691993262fe10a2b63e1c31ba`				`Subproject commit f016767c13aa36dde91503f7a9f01bdd02468045`