nixos-config/machines/chungus/service-paperless.nix

{
config,
pkgs,
lib,
nixos-artwork,
factsGenerator,
...
}:
{
# Paperless-ngx document archive for this machine.
services.paperless = {
  enable = true;

  # Listens on every interface rather than loopback only. This file opens
  # the port in the firewall for wg0, so WireGuard peers can reach the
  # application directly as well as through the nginx virtual host.
  # NOTE(review): reachability on other interfaces then depends entirely on
  # the host firewall staying closed there; confirm that is intended.
  address = "0.0.0.0";

  settings = {
    # Title shown in the web UI; the health check in this file looks for
    # this exact string in the login page.
    PAPERLESS_APP_TITLE = "paperless.chungus.private";

    # OCR with the German and English language models.
    PAPERLESS_OCR_LANGUAGE = "deu+eng";

    # Fetch mail at minute 0 of every 8th hour.
    PAPERLESS_EMAIL_TASK_CRON = "0 */8 * * *";

    # File-manager artefacts the consumer must skip; the list is passed to
    # Paperless serialised as a JSON array string.
    PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
      ".DS_STORE/*"
      "desktop.ini"
    ];

    #PAPERLESS_CONSUMER_DELETE_DUPLICATES = false;
  };
};
# Ownership and modes for the Paperless consume (inbox) directory.
# NOTE(review): permown is not defined in this file; presumably it
# re-applies these values to the path and its contents. Confirm against the
# module.
services.permown."/var/lib/paperless/consume" = {
  # 755: every local account can traverse the directory and list the names
  # of queued documents.
  directory-mode = "755";
  # 640: file contents are readable by owner and group only.
  file-mode = "640";
  owner = "paperless";
  group = "paperless";
};
# Admit the Paperless port on the WireGuard interface only. Connections
# arriving this way talk to the application directly, so the allow/deny list
# and the upload size limit of the nginx virtual host in this file do not
# apply to them.
networking.firewall.interfaces.wg0 = {
  allowedTCPPorts = [ config.services.paperless.port ];
};
# HTTP probe of the Paperless login page.
# NOTE(review): the healthchecks module is not defined in this file;
# presumably the probe fetches `url` and checks that the body contains
# `expectedContent`. Confirm against the module.
healthchecks.http.paperless = {
  # Must stay in sync with PAPERLESS_APP_TITLE.
  expectedContent = "paperless.chungus.private";
  # Plain HTTP against the nginx server alias, so the probe is subject to
  # that virtual host's allow/deny list: the prober's source address has to
  # lie inside one of the permitted subnets.
  url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
};
# Reverse proxy in front of Paperless, limited to the private networks.
services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" =
  let
    # Paperless as seen from this host.
    upstream = "http://localhost:${toString config.services.paperless.port}";
  in
  {
    serverAliases = [ "paperless.ingolf-wagner.de" ];

    # Source-address allow list: nginx checks the rules in order and stops at
    # the first match, so only the tinc and WireGuard subnets get through and
    # every other client is refused.
    # NOTE(review): no TLS option is set on this virtual host in this file, so
    # the login form travels as plain HTTP unless TLS is configured elsewhere.
    extraConfig = ''
      allow ${config.tinc.private.subnet};
      allow ${config.wireguard.wg0.subnet};
      deny all;
    '';

    locations."/" = {
      proxyPass = upstream;
      proxyWebsockets = true;
      # Permit document uploads of up to 500 MB per request.
      extraConfig = ''
        client_max_body_size 500M;
      '';
    };
  };
# Generated secrets for the backup job in this file: the borg passphrase and
# the SSH identity used to reach the repository host. The job reads them back
# as secret."password.borgbackup" and secret."ssh.paperless-ngx.id_ed25519".
# NOTE(review): factsGenerator is passed in from outside this file; where the
# generated material is stored and with which permissions is not visible here.
clan.core.facts.services = {
  "paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; };
  "paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; };
};
# backup
# Daily borg archive of the Paperless data directory to a remote repository.
services.borgbackup.jobs."paperless-ngx" =
  let
    facts = config.clan.core.facts.services;
    # File holding the generated borg passphrase.
    passphraseFile = toString facts."paperless-ngx.borg".secret."password.borgbackup".path;
    # Private key used for the SSH transport to the repository host.
    sshIdentity = toString facts."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path;
  in
  {
    paths = [ config.services.paperless.dataDir ];

    # NOTE(review): the job logs in as root on the repository host. Whether
    # that key is pinned to a forced `borg serve --restrict-to-path ...`
    # command on the server is not visible here and is worth confirming.
    repo = "root@orbi.bear:borg-${config.networking.hostName}-paperless";

    startAt = "daily";
    compression = "auto,lzma";

    # Create the repository on the first run if it does not exist yet.
    doInit = true;

    encryption = {
      # keyfile mode keeps the encryption key on this client instead of in
      # the repository; the passphrase only unlocks that key file.
      # NOTE(review): restoring after loss of this host needs a copy of the
      # key (`borg key export`); no such export is configured in this file.
      mode = "keyfile-blake2";
      # The passphrase is read from the secret file when the job runs.
      passCommand = "cat ${passphraseFile}";
    };

    environment = {
      # Use the dedicated identity for the SSH connection. No host-key options
      # are given, so host verification relies on the known_hosts of the
      # account running the job.
      BORG_RSH = "ssh -i ${sshIdentity}";
      # Answers borg's "repository was relocated" prompt automatically. That
      # prompt is the client-side guard against being pointed at a different
      # repository, so this setting trades the check for unattended runs.
      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
    };

    prune.keep = {
      within = "3d"; # Keep every archive from the last 3 days.
      weekly = 2; # Keep 2 additional end-of-week archives.
      monthly = -1; # Keep an end-of-month archive for every month (no limit).
    };
  };
}