mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2026-04-15 05:39:11 +02:00
wip: migrate client modules
This commit is contained in:
Leon Schwarzäugl
parent
f6d2ff1544
commit
7ce27d5d2f
GPG key ID:
26A54C31F2A4FD84
245 changed files with 20254 additions and 188 deletions
144
modules-clone/nixos/server/paperless.nix
Normal file
144
modules-clone/nixos/server/paperless.nix
Normal file
|
|
@ -0,0 +1,144 @@
|
|||
{ lib, pkgs, config, dns, globals, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
tikaPort = 9998;
|
||||
gotenbergPort = 3002;
|
||||
kanidmDomain = globals.services.kanidm.domain;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
users = {
|
||||
persistentIds = {
|
||||
redis-paperless = confLib.mkIds 975;
|
||||
};
|
||||
users.${serviceUser} = {
|
||||
extraGroups = [ "users" ];
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
|
||||
kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
|
||||
};
|
||||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
|
||||
globals = {
|
||||
networks = {
|
||||
${webProxyIf}.hosts = lib.mkIf isProxied {
|
||||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
domain = serviceDomain;
|
||||
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
|
||||
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
|
||||
};
|
||||
};
|
||||
|
||||
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
|
||||
directories = [
|
||||
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
|
||||
{ directory = "/var/lib/redis-${serviceName}"; user = "redis-${serviceUser}"; group = "redis-${serviceGroup}"; }
|
||||
{ directory = "/var/lib/private/tika"; }
|
||||
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
|
||||
{ directory = "/var/cache/private/tika"; }
|
||||
];
|
||||
};
|
||||
|
||||
services = {
|
||||
${serviceName} = {
|
||||
enable = true;
|
||||
mediaDir = "/storage/Documents/${serviceName}";
|
||||
dataDir = "/var/lib/${serviceName}";
|
||||
user = serviceUser;
|
||||
port = servicePort;
|
||||
passwordFile = config.sops.secrets.paperless-admin-pw.path;
|
||||
address = "0.0.0.0";
|
||||
settings = {
|
||||
PAPERLESS_OCR_LANGUAGE = "deu+eng";
|
||||
PAPERLESS_URL = "https://${serviceDomain}";
|
||||
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
|
||||
optimize = 1;
|
||||
invalidate_digital_signatures = true;
|
||||
pdfa_image_compression = "lossless";
|
||||
};
|
||||
PAPERLESS_TIKA_ENABLED = "true";
|
||||
PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}";
|
||||
PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}";
|
||||
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
|
||||
PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
|
||||
openid_connect = {
|
||||
OAUTH_PKCE_ENABLED = "True";
|
||||
APPS = [
|
||||
rec {
|
||||
provider_id = "kanidm";
|
||||
name = "Kanidm";
|
||||
client_id = "paperless";
|
||||
# secret will be added by paperless-web.service (see below)
|
||||
#secret = "";
|
||||
settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
tika = {
|
||||
enable = true;
|
||||
port = tikaPort;
|
||||
openFirewall = false;
|
||||
listenAddress = "127.0.0.1";
|
||||
enableOcr = true;
|
||||
};
|
||||
|
||||
gotenberg = {
|
||||
enable = true;
|
||||
package = pkgs.gotenberg;
|
||||
libreoffice.package = pkgs.libreoffice;
|
||||
port = gotenbergPort;
|
||||
bindIP = "127.0.0.1";
|
||||
timeout = "600s";
|
||||
chromium.package = pkgs.chromium;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
# Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
|
||||
systemd.services.paperless-web.script = lib.mkBefore ''
|
||||
oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
|
||||
export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
|
||||
${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
|
||||
--compact-output \
|
||||
--arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
|
||||
)
|
||||
'';
|
||||
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
proxy_connect_timeout 300;
|
||||
proxy_send_timeout 300;
|
||||
proxy_read_timeout 300;
|
||||
send_timeout 300;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue