...

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-02-14 14:34:33 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-02-14 14:34:33 +0100
commit: 821d99f17c9dd5660e5c450e4435616178ae4c73 (patch)
tree: bd7a6fe19e431d918587ede9c96db6c0196bdab7 /hosts/vidhar
parent: 10b7a66bdf7181026914e753c5260a5adef04214 (diff)
download: nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar
nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar.gz
nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar.bz2
nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar.xz
nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.zip
4 files changed, 54 insertions, 1 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index b0797d8a..9660931d 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 {
  imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless
    tmpfs-root zfs
    initrd-all-crypto-modules default-locale openssh rebuild-machines
    build-server
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 10fd4c51..3ead8fac 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -92,6 +92,7 @@ table inet filter {
  counter tftp-rx {}
  counter pgbackrest-rx {}
  counter immich-rx {}
+  counter paperless-rx {}
  counter established-rx {}
@@ -121,6 +122,7 @@ table inet filter {
  counter tftp-tx {}
  counter pgbackrest-tx {}
  counter immich-tx {}
+  counter paperless-tx {}
  counter tx {}
@@ -197,6 +199,7 @@ table inet filter {
    tcp dport 8432 counter name pgbackrest-rx accept
    iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
+    iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
    ct state { established, related } counter name established-rx accept
@@ -246,6 +249,7 @@ table inet filter {
    tcp sport 8432 counter name pgbackrest-tx accept
    iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
+    iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
    counter name tx
diff --git a/hosts/vidhar/paperless/default.nix b/hosts/vidhar/paperless/default.nix
new file mode 100644
index 00000000..34cd18c4
--- /dev/null
+++ b/hosts/vidhar/paperless/default.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  config = {
+    services.paperless = {
+      enable = true;
+      address = "[2a03:4000:52:ada:4:1::]";
+      passwordFile = config.sops.secrets."paperless-rootpw".path;
+      settings = {
+        PAPERLESS_OCR_LANGUAGE = "deu+eng";
+        PAPERLESS_URL = "https://paperless.yggdrasil.li";
+        PAPERLESS_FILENAME_FORMAT = "{{ created_year }}/{{ document_type }}/{{ correspondent }}/{{ created }}_{{ doc_pk }}_{{ title }}";
+        PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = "true";
+        PAPERLESS_TASK_WORKERS = "3";
+        PAPERLESS_THREADS_PER_WORKER = "4";
+      };
+      database.createLocally = true;
+    };
+    sops.secrets."paperless-rootpw" = {
+      format = "binary";
+      sopsFile = ./rootpw;
+    };
+  };
+}
diff --git a/hosts/vidhar/paperless/rootpw b/hosts/vidhar/paperless/rootpw
new file mode 100644
index 00000000..11f48fcb
--- /dev/null
+++ b/hosts/vidhar/paperless/rootpw
@@ -0,0 +1,24 @@
+{
+        "data": "ENC[AES256_GCM,data:Bsns3bLs7aA++eTf2Vh4g2iAXhmrMRTF,iv:zQ6hgXEvgHAloN6UMW54f2nYCvEhHPXQSBVSihHFiC0=,tag:uiGTEs07dpx12PcAjmbr9Q==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUJjdEdIZGd6UDJBRXlL\nODFyWDhHOU9oTEVCVlFiUXVXNm9XZmVuampVCkJ0YkFXTlZXVnRldmtlVkJaR3R2\nMFhpaHB5M3pLeDFkUkkzMUFydGNnOFEKLS0tIEJtNWc0V2JaaWYvQlp6TGxVdVZO\neVpzQzB5Um82TUZOeHBHeE50MGlqNWsKj1P54Fc+c5n35+Og9DwBWkvW947hgFsp\ni/G2QcaLHHJMTexTCZYsr1naSVa/cMBAbrZmtjz0HV4Q1kCJtvlrIg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UG1QSWtXcFZoQVRBOC9D\nT2VnTW9pcTRCMForcHdZVld0c1NmNFZpWUNBCkRkMERKUVliYXRqb25saWxyb2JN\nbC9YL2ZQbytRM0ZjNmlQOTlTZTQrV2sKLS0tIFZyUWtRcXNqZUZxMGN5d0tHUng2\nVXNSdFEwMmtIVEdVRVlWeVU1YmJVSkUKRJa42k551QtiC6S0tmMv7eVN7GRqpXWz\nvzNh+BM9TOJNaTMmVesr4vXNDLOSFS3PxYv95xuOBzVg3zOHuai72g==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-02-13T19:20:33Z",
+                "mac": "ENC[AES256_GCM,data:mG6AC3L8MMeZ0Ajr7zV1mzPcHviQw2adtGjSbrbPRw1xqN7siu6svoybv8xkahP2Grq/xKAiyfXFOFo7Uyc3ub5fSovAEolNazqybZYsyam5vHpeC23dXcEkZUJSPJ9/CSB5uI9nX3NPC64QUjCxHZ7qfH5gcXT9D12H8LSqKlQ=,iv:4Skdj8l9jlTX9Unc2xE2hCKVawHBnHR8L4kZA6H8xNw=,tag:zJsJ3S//faAn7AGwLefNoA==,type:str]",
+                "pgp": null,
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.9.4"
+        }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-02-14 14:34:33 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-02-14 14:34:33 +0100
commit	821d99f17c9dd5660e5c450e4435616178ae4c73 (patch)
tree	bd7a6fe19e431d918587ede9c96db6c0196bdab7 /hosts/vidhar
parent	10b7a66bdf7181026914e753c5260a5adef04214 (diff)
download	nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar.gz nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar.bz2 nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.tar.xz nixos-821d99f17c9dd5660e5c450e4435616178ae4c73.zip

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index b0797d8a..9660931d 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
4		4
5	{	5	{
6	imports = with flake.nixosModules.systemProfiles; [	6	imports = with flake.nixosModules.systemProfiles; [
7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix	7	./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless
8	tmpfs-root zfs	8	tmpfs-root zfs
9	initrd-all-crypto-modules default-locale openssh rebuild-machines	9	initrd-all-crypto-modules default-locale openssh rebuild-machines
10	build-server	10	build-server


diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 10fd4c51..3ead8fac 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -92,6 +92,7 @@ table inet filter {
92	counter tftp-rx {}	92	counter tftp-rx {}
93	counter pgbackrest-rx {}	93	counter pgbackrest-rx {}
94	counter immich-rx {}	94	counter immich-rx {}
		95	counter paperless-rx {}
95		96
96	counter established-rx {}	97	counter established-rx {}
97		98
@@ -121,6 +122,7 @@ table inet filter {
121	counter tftp-tx {}	122	counter tftp-tx {}
122	counter pgbackrest-tx {}	123	counter pgbackrest-tx {}
123	counter immich-tx {}	124	counter immich-tx {}
		125	counter paperless-tx {}
124		126
125	counter tx {}	127	counter tx {}
126		128
@@ -197,6 +199,7 @@ table inet filter {
197	tcp dport 8432 counter name pgbackrest-rx accept	199	tcp dport 8432 counter name pgbackrest-rx accept
198		200
199	iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept	201	iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
		202	iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
200		203
201	ct state { established, related } counter name established-rx accept	204	ct state { established, related } counter name established-rx accept
202		205
@@ -246,6 +249,7 @@ table inet filter {
246	tcp sport 8432 counter name pgbackrest-tx accept	249	tcp sport 8432 counter name pgbackrest-tx accept
247		250
248	iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept	251	iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
		252	iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
249		253
250		254
251	counter name tx	255	counter name tx


diff --git a/hosts/vidhar/paperless/default.nix b/hosts/vidhar/paperless/default.nix new file mode 100644 index 00000000..34cd18c4 --- /dev/null +++ b/hosts/vidhar/paperless/default.nix
@@ -0,0 +1,25 @@
		1	{ config, ... }:
		2
		3	{
		4	config = {
		5	services.paperless = {
		6	enable = true;
		7	address = "[2a03:4000:52:ada:4:1::]";
		8	passwordFile = config.sops.secrets."paperless-rootpw".path;
		9	settings = {
		10	PAPERLESS_OCR_LANGUAGE = "deu+eng";
		11	PAPERLESS_URL = "https://paperless.yggdrasil.li";
		12	PAPERLESS_FILENAME_FORMAT = "{{ created_year }}/{{ document_type }}/{{ correspondent }}/{{ created }}_{{ doc_pk }}_{{ title }}";
		13	PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = "true";
		14	PAPERLESS_TASK_WORKERS = "3";
		15	PAPERLESS_THREADS_PER_WORKER = "4";
		16	};
		17	database.createLocally = true;
		18	};
		19
		20	sops.secrets."paperless-rootpw" = {
		21	format = "binary";
		22	sopsFile = ./rootpw;
		23	};
		24	};
		25	}


diff --git a/hosts/vidhar/paperless/rootpw b/hosts/vidhar/paperless/rootpw new file mode 100644 index 00000000..11f48fcb --- /dev/null +++ b/hosts/vidhar/paperless/rootpw
@@ -0,0 +1,24 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:Bsns3bLs7aA++eTf2Vh4g2iAXhmrMRTF,iv:zQ6hgXEvgHAloN6UMW54f2nYCvEhHPXQSBVSihHFiC0=,tag:uiGTEs07dpx12PcAjmbr9Q==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": [
		9	{
		10	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
		11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUJjdEdIZGd6UDJBRXlL\nODFyWDhHOU9oTEVCVlFiUXVXNm9XZmVuampVCkJ0YkFXTlZXVnRldmtlVkJaR3R2\nMFhpaHB5M3pLeDFkUkkzMUFydGNnOFEKLS0tIEJtNWc0V2JaaWYvQlp6TGxVdVZO\neVpzQzB5Um82TUZOeHBHeE50MGlqNWsKj1P54Fc+c5n35+Og9DwBWkvW947hgFsp\ni/G2QcaLHHJMTexTCZYsr1naSVa/cMBAbrZmtjz0HV4Q1kCJtvlrIg==\n-----END AGE ENCRYPTED FILE-----\n"
		12	},
		13	{
		14	"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
		15	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UG1QSWtXcFZoQVRBOC9D\nT2VnTW9pcTRCMForcHdZVld0c1NmNFZpWUNBCkRkMERKUVliYXRqb25saWxyb2JN\nbC9YL2ZQbytRM0ZjNmlQOTlTZTQrV2sKLS0tIFZyUWtRcXNqZUZxMGN5d0tHUng2\nVXNSdFEwMmtIVEdVRVlWeVU1YmJVSkUKRJa42k551QtiC6S0tmMv7eVN7GRqpXWz\nvzNh+BM9TOJNaTMmVesr4vXNDLOSFS3PxYv95xuOBzVg3zOHuai72g==\n-----END AGE ENCRYPTED FILE-----\n"
		16	}
		17	],
		18	"lastmodified": "2025-02-13T19:20:33Z",
		19	"mac": "ENC[AES256_GCM,data:mG6AC3L8MMeZ0Ajr7zV1mzPcHviQw2adtGjSbrbPRw1xqN7siu6svoybv8xkahP2Grq/xKAiyfXFOFo7Uyc3ub5fSovAEolNazqybZYsyam5vHpeC23dXcEkZUJSPJ9/CSB5uI9nX3NPC64QUjCxHZ7qfH5gcXT9D12H8LSqKlQ=,iv:4Skdj8l9jlTX9Unc2xE2hCKVawHBnHR8L4kZA6H8xNw=,tag:zJsJ3S//faAn7AGwLefNoA==,type:str]",
		20	"pgp": null,
		21	"unencrypted_suffix": "_unencrypted",
		22	"version": "3.9.4"
		23	}
		24	} \ No newline at end of file