nixos-config/machines/chungus/service-paperless.nix

{
  config,
  pkgs,
  lib,
  nixos-artwork,
  factsGenerator,
  ...
}:
{

  services.paperless = {
    enable = true;
    address = "0.0.0.0";
    settings = {
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_APP_TITLE = "paperless.chungus.private";
      PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
        ".DS_STORE/*"
        "desktop.ini"
      ];
      PAPERLESS_EMAIL_TASK_CRON = "0 */8 * * *"; # “At minute 0 past every 8th hour.”

      # https://github.com/paperless-ngx/paperless-ngx/discussions/4047#discussioncomment-7019544
      # https://github.com/paperless-ngx/paperless-ngx/issues/7383
      PAPERLESS_OCR_USER_ARGS = ''{"invalidate_digital_signatures": true}'';
    };
  };

  services.permown."/var/lib/paperless/consume" = {
    owner = "paperless";
    group = "paperless";
    directory-mode = "755";
    file-mode = "640";
  };

  networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ];
  healthchecks.http.paperless = {
    url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
    expectedContent = "paperless.chungus.private";
  };
  healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ];

  services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {
    serverAliases = [ "paperless.ingolf-wagner.de" ];
    extraConfig = ''
      allow ${config.tinc.private.subnet};
      allow ${config.wireguard.wg0.subnet};
      deny all;
    '';
    locations."/" = {
      extraConfig = ''
        client_max_body_size 500M;
      '';
      proxyPass = "http://localhost:${toString config.services.paperless.port}";
      proxyWebsockets = true;
    };
  };

  clan.core.facts.services."paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; };
  clan.core.facts.services."paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; };

  # backup
  services.borgbackup.jobs."paperless-ngx" = {
    paths = [ config.services.paperless.dataDir ];
    repo = "root@orbi.bear:borg-${config.networking.hostName}-paperless";
    compression = "auto,lzma";
    startAt = "daily";
    encryption = {
      mode = "keyfile-blake2";
      passCommand = "cat ${
        toString config.clan.core.facts.services."paperless-ngx.borg".secret."password.borgbackup".path
      }";
    };
    environment = {
      BORG_RSH = "ssh -i ${
        toString
          config.clan.core.facts.services."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path
      }";
      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
    };
    prune.keep = {
      within = "3d"; # Keep all backups in the last 10 days.
      weekly = 2; # Keep 8 additional end of week archives.
      monthly = -1; # Keep end of month archive for every month
    };
    doInit = true;
  };

}
nix fmt 2024-08-29 03:26:04 +02:00			`{`
			`config,`
			`pkgs,`
:white_check_mark: add some more smoke tests. 2024-09-15 04:11:25 +02:00			`lib,`
nix fmt 2024-08-29 03:26:04 +02:00			`nixos-artwork,`
:construction: borgbackup for paperless 2024-10-06 02:40:42 +02:00			`factsGenerator,`
nix fmt 2024-08-29 03:26:04 +02:00			`...`
			`}:`
			`{`
paperless accessible via wireguard 2024-03-06 13:22:22 +01:00
add paperless.nix 2024-03-04 19:05:30 +01:00			`services.paperless = {`
			`enable = true;`
paperless accessible via wireguard 2024-03-09 16:50:33 +01:00			`address = "0.0.0.0";`
nix flake check 2024-05-27 19:10:54 +02:00			`settings = {`
update paperless 2024-03-18 21:00:48 +01:00			`PAPERLESS_OCR_LANGUAGE = "deu+eng";`
			`PAPERLESS_APP_TITLE = "paperless.chungus.private";`
nix fmt 2024-08-29 03:26:04 +02:00			`PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [`
			`".DS_STORE/*"`
			`"desktop.ini"`
			`];`
make loki, promtail better (better indices and so on) 2024-05-15 22:54:12 +02:00			`PAPERLESS_EMAIL_TASK_CRON = "0 /8 * *"; # “At minute 0 past every 8th hour.”`
:construction: fixing paperless error Input PDF has a digital signature. OCR would alter the document, invalidating the signature. 2024-10-23 07:40:23 +02:00
			`# https://github.com/paperless-ngx/paperless-ngx/discussions/4047#discussioncomment-7019544`
			`# https://github.com/paperless-ngx/paperless-ngx/issues/7383`
			`PAPERLESS_OCR_USER_ARGS = ''{"invalidate_digital_signatures": true}'';`
update paperless 2024-03-18 21:00:48 +01:00			`};`
add paperless.nix 2024-03-04 19:05:30 +01:00			`};`
paperless accessible via wireguard 2024-03-06 13:22:22 +01:00
update paperless 2024-05-12 09:32:04 +02:00			`services.permown."/var/lib/paperless/consume" = {`
			`owner = "paperless";`
			`group = "paperless";`
			`directory-mode = "755";`
			`file-mode = "640";`
			`};`

paperless accessible via wireguard 2024-03-06 13:22:22 +01:00			`networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ];`
:heavy_plus_sign: use nixos-healthchecks instead of verify 2024-09-30 05:05:17 +02:00			`healthchecks.http.paperless = {`
:sparkles: create verify.http options 2024-09-16 02:06:03 +02:00			`url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";`
			`expectedContent = "paperless.chungus.private";`
			`};`
:white_check_mark: add a lot more healthchecks 2024-10-09 14:27:12 +02:00			`healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ];`
paperless accessible via wireguard 2024-03-06 13:22:22 +01:00
add paperless.nix 2024-03-04 19:05:30 +01:00			`services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = {`
add paperless to wireguard 2024-05-22 09:28:11 +02:00			`serverAliases = [ "paperless.ingolf-wagner.de" ];`
add paperless.nix 2024-03-04 19:05:30 +01:00			`extraConfig = ''`
			`allow ${config.tinc.private.subnet};`
add paperless to wireguard 2024-05-22 09:28:11 +02:00			`allow ${config.wireguard.wg0.subnet};`
add paperless.nix 2024-03-04 19:05:30 +01:00			`deny all;`
			`'';`
			`locations."/" = {`
update paperless 2024-05-12 09:32:04 +02:00			`extraConfig = ''`
			`client_max_body_size 500M;`
			`'';`
add paperless.nix 2024-03-04 19:05:30 +01:00			`proxyPass = "http://localhost:${toString config.services.paperless.port}";`
			`proxyWebsockets = true;`
			`};`
			`};`
:construction: borgbackup for paperless 2024-10-06 02:40:42 +02:00
			`clan.core.facts.services."paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; };`
			`clan.core.facts.services."paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; };`

			`# backup`
			`services.borgbackup.jobs."paperless-ngx" = {`
			`paths = [ config.services.paperless.dataDir ];`
:wrench: borgbackup for paperless 2024-10-06 11:15:45 +02:00			`repo = "root@orbi.bear:borg-${config.networking.hostName}-paperless";`
:construction: borgbackup for paperless 2024-10-06 02:40:42 +02:00			`compression = "auto,lzma";`
			`startAt = "daily";`
			`encryption = {`
:wrench: borgbackup for paperless 2024-10-06 11:15:45 +02:00			`mode = "keyfile-blake2";`
:construction: borgbackup for paperless 2024-10-06 02:40:42 +02:00			`passCommand = "cat ${`
			`toString config.clan.core.facts.services."paperless-ngx.borg".secret."password.borgbackup".path`
			`}";`
			`};`
			`environment = {`
			`BORG_RSH = "ssh -i ${`
			`toString`
			`config.clan.core.facts.services."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path`
			`}";`
			`BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";`
			`};`
			`prune.keep = {`
:wrench: borgbackup for paperless 2024-10-06 11:17:42 +02:00			`within = "3d"; # Keep all backups in the last 10 days.`
			`weekly = 2; # Keep 8 additional end of week archives.`
:construction: borgbackup for paperless 2024-10-06 02:40:42 +02:00			`monthly = -1; # Keep end of month archive for every month`
			`};`
			`doInit = true;`
			`};`

add paperless.nix 2024-03-04 19:05:30 +01:00			`}`