{ config, lib, ... }: let dataDir = "/var/lib/paperless"; in { options.services.paperless = { subdomain = lib.mkOption { type = lib.types.str; description = "subdomain of base domain that paperless will be hosted at"; default = "paperless"; }; database = { user = lib.mkOption { type = lib.types.str; description = "what is the user and database that we are going to use for paperless"; default = "paperless"; }; }; }; config = lib.mkIf config.services.paperless.enable (lib.mkMerge [ { host = { reverse_proxy.subdomains.${config.services.paperless.subdomain} = { target = "http://${config.services.paperless.address}:${config.services.paperless.port}"; websockets.enable = true; forwardHeaders.enable = true; extraConfig = '' # allow large file uploads client_max_body_size 50000M; ''; }; postgres = { enable = true; extraUsers = { ${config.services.paperless.database.user} = { isClient = true; }; }; }; }; services.paperless = { # TODO: configure passwordFile with sops configureTika = true; settings = { PAPERLESS_URL = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}"; PAPERLESS_DBENGINE = "postgresql"; PAPERLESS_DBHOST = "/run/postgresql"; PAPERLESS_DBNAME = config.services.paperless.database.user; PAPERLESS_DBUSER = config.services.paperless.database.user; }; }; } (lib.mkIf config.services.fail2ban.enable { # TODO: fail2ban config }) (lib.mkIf config.host.impermanence.enable { assertions = [ { assertion = config.services.paperless.dataDir == dataDir; message = "paperless data location does not match persistence"; } ]; environment.persistence."/persist/system/root" = { directories = [ { directory = dataDir; user = "paperless"; group = "paperless"; } ]; }; }) ]); }