From 821d99f17c9dd5660e5c450e4435616178ae4c73 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Fri, 14 Feb 2025 14:34:33 +0100
Subject: ...

---
 hosts/vidhar/default.nix           |  2 +-
 hosts/vidhar/network/ruleset.nft   |  4 ++++
 hosts/vidhar/paperless/default.nix | 25 +++++++++++++++++++++++++
 hosts/vidhar/paperless/rootpw      | 24 ++++++++++++++++++++++++
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 hosts/vidhar/paperless/default.nix
 create mode 100644 hosts/vidhar/paperless/rootpw

(limited to 'hosts/vidhar')

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index b0797d8a..9660931d 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 
 {
   imports = with flake.nixosModules.systemProfiles; [
-    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix
+    ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless
     tmpfs-root zfs
     initrd-all-crypto-modules default-locale openssh rebuild-machines
     build-server
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 10fd4c51..3ead8fac 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -92,6 +92,7 @@ table inet filter {
   counter tftp-rx {}
   counter pgbackrest-rx {}
   counter immich-rx {}
+  counter paperless-rx {}
 
   counter established-rx {}
 
@@ -121,6 +122,7 @@ table inet filter {
   counter tftp-tx {}
   counter pgbackrest-tx {}
   counter immich-tx {}
+  counter paperless-tx {}
 
   counter tx {}
 
@@ -197,6 +199,7 @@ table inet filter {
     tcp dport 8432 counter name pgbackrest-rx accept
 
     iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
+    iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
 
     ct state { established, related } counter name established-rx accept
 
@@ -246,6 +249,7 @@ table inet filter {
     tcp sport 8432 counter name pgbackrest-tx accept
 
     iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
+    iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
 
 
     counter name tx
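Review bot: The added `iifname bifrost tcp sport 28981 ...` rule matches on the input interface, which is not set for locally generated packets. The chain header is outside the hunk, but the `-tx` counters and the trailing `counter name tx` suggest an output hook; if so, the rule never matches and `paperless-tx` stays at zero. Replies to the proxy are then presumably accepted by some other rule or the chain policy, which hides the dead rule. The line should likely read `oifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept`. The immich line just above it in the context has the same form and would need the same change.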
diff --git a/hosts/vidhar/paperless/default.nix b/hosts/vidhar/paperless/default.nix
new file mode 100644
index 00000000..34cd18c4
--- /dev/null
+++ b/hosts/vidhar/paperless/default.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+  config = {
+    services.paperless = {
+      enable = true;
+      address = "[2a03:4000:52:ada:4:1::]";
+      passwordFile = config.sops.secrets."paperless-rootpw".path;
+      settings = {
+        PAPERLESS_OCR_LANGUAGE = "deu+eng";
+        PAPERLESS_URL = "https://paperless.yggdrasil.li";
+        PAPERLESS_FILENAME_FORMAT = "{{ created_year }}/{{ document_type }}/{{ correspondent }}/{{ created }}_{{ doc_pk }}_{{ title }}";
+        PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = "true";
+        PAPERLESS_TASK_WORKERS = "3";
+        PAPERLESS_THREADS_PER_WORKER = "4";
+      };
+      database.createLocally = true;
+    };
+
+    sops.secrets."paperless-rootpw" = {
+      format = "binary";
+      sopsFile = ./rootpw;
+    };
+  };
+}
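Review bot: The listening port is left to the module default here, while `ruleset.nft` in the same commit hard-codes `tcp dport 28981`. If the default of `services.paperless.port` changes, the firewall rule stops matching without any evaluation error. Setting `port = 28981;` next to `address` keeps the two files in step. A comment on the `address` line would also help, assuming the literal is the bifrost-side address: `# bifrost-side address; reachable only from the reverse proxy, see network/ruleset.nft`.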
diff --git a/hosts/vidhar/paperless/rootpw b/hosts/vidhar/paperless/rootpw
new file mode 100644
index 00000000..11f48fcb
--- /dev/null
+++ b/hosts/vidhar/paperless/rootpw
@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:Bsns3bLs7aA++eTf2Vh4g2iAXhmrMRTF,iv:zQ6hgXEvgHAloN6UMW54f2nYCvEhHPXQSBVSihHFiC0=,tag:uiGTEs07dpx12PcAjmbr9Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUJjdEdIZGd6UDJBRXlL\nODFyWDhHOU9oTEVCVlFiUXVXNm9XZmVuampVCkJ0YkFXTlZXVnRldmtlVkJaR3R2\nMFhpaHB5M3pLeDFkUkkzMUFydGNnOFEKLS0tIEJtNWc0V2JaaWYvQlp6TGxVdVZO\neVpzQzB5Um82TUZOeHBHeE50MGlqNWsKj1P54Fc+c5n35+Og9DwBWkvW947hgFsp\ni/G2QcaLHHJMTexTCZYsr1naSVa/cMBAbrZmtjz0HV4Q1kCJtvlrIg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UG1QSWtXcFZoQVRBOC9D\nT2VnTW9pcTRCMForcHdZVld0c1NmNFZpWUNBCkRkMERKUVliYXRqb25saWxyb2JN\nbC9YL2ZQbytRM0ZjNmlQOTlTZTQrV2sKLS0tIFZyUWtRcXNqZUZxMGN5d0tHUng2\nVXNSdFEwMmtIVEdVRVlWeVU1YmJVSkUKRJa42k551QtiC6S0tmMv7eVN7GRqpXWz\nvzNh+BM9TOJNaTMmVesr4vXNDLOSFS3PxYv95xuOBzVg3zOHuai72g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-13T19:20:33Z",
+		"mac": "ENC[AES256_GCM,data:mG6AC3L8MMeZ0Ajr7zV1mzPcHviQw2adtGjSbrbPRw1xqN7siu6svoybv8xkahP2Grq/xKAiyfXFOFo7Uyc3ub5fSovAEolNazqybZYsyam5vHpeC23dXcEkZUJSPJ9/CSB5uI9nX3NPC64QUjCxHZ7qfH5gcXT9D12H8LSqKlQ=,iv:4Skdj8l9jlTX9Unc2xE2hCKVawHBnHR8L4kZA6H8xNw=,tag:zJsJ3S//faAn7AGwLefNoA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}
\ No newline at end of file
-- 
cgit v1.2.3