🚧 run paperless in podman

can't create a network for systemd services rootless, but can create rootless systemd services, but than can't connect to each other.
2025-05-01 05:34:23 +02:00 · 2025-05-01 05:34:23 +02:00 · c99acde2cf
commit c99acde2cf
parent b788b4c7d1
2 changed files with 96 additions and 17 deletions
--- a/machines/chungus/service-paperless-tika.nix
+++ b/machines/chungus/service-paperless-tika.nix
@ -5,33 +5,113 @@
  ...
 }:
 {
-
-  services.paperless = {
-    settings = {
-      PAPERLESS_TIKA_ENABLED = true;
-      PAPERLESS_TIKA_ENDPOINT = "http://127.0.0.1:${toString config.services.tika.port}";
-      PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://127.0.0.1:${toString config.services.gotenberg.port}";
-    };
-  };
-
  # to make podman run rootless as paperless user
+  users.users.paperless.isSystemUser = true;
  users.users.paperless.autoSubUidGidRange = true;
+  users.users.paperless.group = "paperless";
+  users.users.paperless.linger = true;
+  users.users.paperless.home = "/var/lib/podman-paperless";
+  users.groups.paperless = { };
+
+  systemd.services.paperless-tika.serviceConfig.Type = "simple";
+  systemd.services.paperless-redis.serviceConfig.Type = "simple";

  imports = [
    {
+      virtualisation.podman.defaultNetwork.settings = {
+        dns_enabled = true;
+      };
      virtualisation.oci-containers.backend = "podman";
+      systemd.tmpfiles.rules = [
+        "d /var/lib/podman-paperless 0755 paperless paperless -"
+        "d /var/lib/podman-paperless/redis 0755 paperless paperless -"
+        "d /var/lib/podman-paperless/paperless-data 0755 paperless paperless -"
+        "d /var/lib/podman-paperless/paperless-media 0755 paperless paperless -"
+        "d /var/lib/podman-paperless/paperless-export 0755 paperless paperless -"
+        "d /var/lib/podman-paperless/paperless-consume 0755 paperless paperless -"
+      ];
+    }
+
+    # webserver
+    {
+
+      virtualisation.oci-containers = {
+        containers.paperless-webserver = {
+
+          image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+          ports = [ "127.0.0.1:${toString config.services.paperless.port}:8000" ];
+          volumes = [
+            "/var/lib/podman-paperless/paperless-data:/usr/src/paperless/data"
+            "/var/lib/podman-paperless/paperless-media:/usr/src/paperless/media"
+            "/var/lib/podman-paperless/paperless-export:/usr/src/paperless/export"
+            "/var/lib/podman-paperless/paperless-consume:/usr/src/paperless/consume"
+          ];
+          dependsOn = [
+            "paperless-redis"
+            "paperless-gotenberg"
+            "paperless-tika"
+          ];
+          environment = {
+            PAPERLESS_OCR_LANGUAGE = "deu+eng";
+            PAPERLESS_APP_TITLE = "paperless.ingolf-wagner.de";
+            PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
+              ".DS_STORE/*"
+              "desktop.ini"
+            ];
+
+            PAPERLESS_EMAIL_TASK_CRON = "0 */8 * * *"; # “At minute 0 past every 8th hour.”
+
+            # https://github.com/paperless-ngx/paperless-ngx/discussions/4047#discussioncomment-7019544
+            # https://github.com/paperless-ngx/paperless-ngx/issues/7383
+            PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+              "invalidate_digital_signatures" = true;
+            };
+
+            PAPERLESS_TIKA_ENABLED = lib.boolToString true;
+            PAPERLESS_TIKA_ENDPOINT = "http://paperless-tika:9998";
+            PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://paperless-gotenberg:3000";
+
+            PAPERLESS_REDIS = "redis://paperless-redis:6379";
+
+          };
+          podman = {
+            user = "paperless";
+            sdnotify = "container";
+          };
+        };
+      };
+
+      services.permown."/var/lib/podman-paperless/paperless-consume" = {
+        owner = "paperless";
+        group = "paperless";
+        directory-mode = "755";
+        file-mode = "640";
+      };
+
+    }
+
+    # redis
+    {
+      virtualisation.oci-containers = {
+        containers.paperless-redis = {
+          image = "docker.io/library/redis:7";
+          volumes = [ "/var/lib/podman-paperless/redis:/data" ];
+          podman = {
+            user = "paperless";
+            sdnotify = "container";
+          };
+        };
+      };
    }

    # tika
    {
-      services.tika.port = 9998;
      virtualisation.oci-containers = {
-        backend = "podman";
-        containers.tika = {
+        containers.paperless-tika = {
          image = "apache/tika:latest"; # Warning: if the tag does not change, the image will not be updated
-          ports = [ "127.0.0.1:${toString config.services.tika.port}:9998" ];
          podman = {
            user = "paperless";
+            sdnotify = "container";
          };
        };
      };
@ -39,11 +119,9 @@

    # gotenberg
    {
-      services.gotenberg.port = 3214;
      virtualisation.oci-containers = {
-        containers.gotenberg = {
+        containers.paperless-gotenberg = {
          image = "gotenberg/gotenberg:8.20"; # Warning: if the tag does not change, the image will not be updated
-          ports = [ "127.0.0.1:${toString config.services.gotenberg.port}:3000" ];
          cmd = [
            "gotenberg"
            "--chromium-disable-javascript=true"
@ -51,6 +129,7 @@
          ];
          podman = {
            user = "paperless";
+            sdnotify = "container";
          };
        };
      };
--- a/machines/chungus/service-paperless.nix
+++ b/machines/chungus/service-paperless.nix
@ -8,7 +8,7 @@
 {

  services.paperless = {
-    enable = true;
+    enable = false;
    address = "[::]";
    port = 28981;
    package = pkgs.paperless-ngx;