From 821d99f17c9dd5660e5c450e4435616178ae4c73 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 14 Feb 2025 14:34:33 +0100
Subject: ...

---
 hosts/surtr/paperless.nix | 66 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 hosts/surtr/paperless.nix

(limited to 'hosts/surtr/paperless.nix')

diff --git a/hosts/surtr/paperless.nix b/hosts/surtr/paperless.nix
new file mode 100644
index 00000000..7bc4397c
--- /dev/null
+++ b/hosts/surtr/paperless.nix
@@ -0,0 +1,66 @@
+{ config, ... }:
+
+{
+  config = {
+    security.acme.rfc2136Domains = {
+      "paperless.yggdrasil.li" = {
+        restartUnits = ["nginx.service"];
+      };
+    };
+
+    services.nginx = {
+      upstreams."paperless" = {
+        servers = {
+          "[2a03:4000:52:ada:4:1::]:28981" = {};
+        };
+        extraConfig = ''
+          keepalive 8;
+        '';
+      };
+      virtualHosts = {
+        "paperless.yggdrasil.li" = {
+          kTLS = true;
+          http3 = true;
+          forceSSL = true;
+          sslCertificate = "/run/credentials/nginx.service/paperless.yggdrasil.li.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/paperless.yggdrasil.li.key.pem";
+          sslTrustedCertificate = "/run/credentials/nginx.service/paperless.yggdrasil.li.chain.pem";
+          extraConfig = ''
+            charset utf-8;
+          '';
+
+          locations = {
+            "/".extraConfig = ''
+              proxy_pass http://paperless;
+
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+
+              proxy_redirect off;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Host $server_name;
+              proxy_set_header X-Forwarded-Proto $scheme;
+
+              client_max_body_size 0;
+              proxy_request_buffering off;
+              proxy_buffering off;
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.services.nginx = {
+      serviceConfig = {
+        LoadCredential = [
+          "paperless.yggdrasil.li.key.pem:${config.security.acme.certs."paperless.yggdrasil.li".directory}/key.pem"
+          "paperless.yggdrasil.li.pem:${config.security.acme.certs."paperless.yggdrasil.li".directory}/fullchain.pem"
+          "paperless.yggdrasil.li.chain.pem:${config.security.acme.certs."paperless.yggdrasil.li".directory}/chain.pem"
+        ];
+      };
+    };
+  };
+}
-- 
cgit v1.2.3