Add Paperless config

.sops.yaml

@@ -14,6 +14,7 @@ keys:
   - &server_spotifyd age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps
   - &server_sound age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745
   - &server_sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
+  - &server_paperless age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd
 creation_rules:
   - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
     key_groups:
@@ -71,3 +72,9 @@ creation_rules:
       - *admin_swarsel
       age:
       - *server_sync
+  - path_regex: secrets/paperless/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *admin_swarsel
+      age:
+      - *server_paperless

Nix.org

@@ -431,6 +431,14 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann
     ];
   };
 
+  paperless = nixpkgs.lib.nixosSystem {
+    specialArgs = {inherit inputs pkgs; };
+    modules = [
+      sops-nix.nixosModules.sops
+      ./profiles/server1/paperless/nixos.nix
+    ];
+  };
+
   #ovm
   sync = nixpkgs.lib.nixosSystem {
     specialArgs = {inherit inputs pkgs; };
@@ -1585,6 +1593,20 @@ In the long run, I am thinking about a transition to kubernetes or using just a
             };
           };
 
+          "scan.swarsel.win" = {
+            enableACME = true;
+            forceSSL = true;
+            acmeRoot = null;
+            locations = {
+              "/" = {
+                proxyPass = "http://192.168.2.24:28981";
+                extraConfig = ''
+                  client_max_body_size 0;
+                '';
+              };
+            };
+          };
+
           "screen.swarsel.win" = {
             enableACME = true;
             forceSSL = true;
@@ -2862,6 +2884,59 @@ Make sure to also do this for doublepuppet.yaml
 
 #+end_src
 
+*** Paperless
+**** NixOS
+
+#+begin_src nix :noweb yes :tangle profiles/server1/paperless/nixos.nix
+
+  { config, pkgs, modulesPath, ... }:
+
+  {
+    <<vminit>>
+
+    users.groups.lxc_shares = {
+      gid = 10000;
+      members = [
+        "paperless"
+        "root"
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [
+      git
+      gnupg
+      ssh-to-age
+    ];
+
+    networking.hostName = "paperless"; # Define your hostname.
+    networking.firewall.enable = false;
+
+    sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+    sops.defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
+    sops.validateSopsFiles = false;
+    sops.secrets.admin = { owner = "paperless";};
+
+    services.paperless = {
+      enable = true;
+      mediaDir = "/media";
+      user = "paperless";
+      port = 28981;
+      passwordFile = config.sops.secrets.admin.path;
+      address = "0.0.0.0";
+      extraConfig = {
+        PAPERLESS_OCR_LANGUAGE = "deu+eng";
+        PAPERLESS_URL = "scan.swarsel.win";
+        PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+          optimize = 1;
+          pdfa_image_compression = "lossless";
+        };
+      };
+    };
+
+  }
+
+#+end_src
+
 * Common NixOS
 
 These are system-level settings specific to NixOS machines. All settings that are required on all machines go here.

flake.nix

@@ -240,6 +240,14 @@
         ];
       };
       
+      paperless = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs pkgs; };
+        modules = [
+          sops-nix.nixosModules.sops
+          ./profiles/server1/paperless/nixos.nix
+        ];
+      };
+      
       #ovm
       sync = nixpkgs.lib.nixosSystem {
         specialArgs = {inherit inputs pkgs; };

profiles/server1/nginx/nixos.nix

@@ -163,6 +163,20 @@
           };
         };
 
+        "scan.swarsel.win" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/" = {
+              proxyPass = "http://192.168.2.24:28981";
+              extraConfig = ''
+                client_max_body_size 0;
+              '';
+            };
+          };
+        };
+
         "screen.swarsel.win" = {
           enableACME = true;
           forceSSL = true;

profiles/server1/paperless/hardware-configuration.nix

@@ -0,0 +1,29 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/mapper/pve-vm--117--disk--0";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

profiles/server1/paperless/nixos.nix

@@ -0,0 +1,80 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+  
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    ./hardware-configuration.nix
+  ];
+  
+  
+  
+  services.xserver = {
+    layout = "us";
+    xkbVariant = "altgr-intl";
+  };
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+  proxmoxLXC.manageNetwork = true; # manage network myself
+  proxmoxLXC.manageHostName = false; # manage hostname myself
+  networking.useDHCP = true;
+  networking.enableIPv6 = false;
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    listenAddresses = [{
+      port = 22;
+      addr = "0.0.0.0";
+    }];
+  };
+  users.users.root.openssh.authorizedKeys.keyFiles = [
+    ../../../secrets/keys/authorized_keys
+  ];
+  
+  system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+  
+  environment.shellAliases = {
+    nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+  };
+  
+  
+
+  users.groups.lxc_shares = {
+    gid = 10000;
+    members = [
+      "paperless"
+      "root"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    gnupg
+    ssh-to-age
+  ];
+
+  networking.hostName = "paperless"; # Define your hostname.
+  networking.firewall.enable = false;
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+  sops.defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
+  sops.validateSopsFiles = false;
+  sops.secrets.admin = { owner = "paperless";};
+
+  services.paperless = {
+    enable = true;
+    mediaDir = "/media";
+    user = "paperless";
+    port = 28981;
+    passwordFile = config.sops.secrets.admin.path;
+    address = "0.0.0.0";
+    extraConfig = {
+      PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      PAPERLESS_URL = "scan.swarsel.win";
+      PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+        optimize = 1;
+        pdfa_image_compression = "lossless";
+      };
+    };
+  };
+
+}

secrets/paperless/secrets.yaml

@@ -0,0 +1,52 @@
+admin: ENC[AES256_GCM,data:4ltsTj6tWqw3Rx2Odx7e9OH25yzeBuIRrQ==,iv:uzRdWh9g0iNkjjo5Nrx7lVu8vZlOw2r3WJ1PXPEm/5U=,tag:Xv2Qwq/w+DYRYvXw+Bhnyg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UWg0RTZEZjdhK01JUHI1
+            TDkwSUJwN3RJMFM5WTdBU1Y5NktJdXdrMUQwCkt5Y2hUWkRLeWgwRTh5YVRFWmho
+            MjNSWWxZajB5YXhoc3J1VFVqNkdPYzQKLS0tIEJRd2R2d2xkNzFLOGE0Nng2OWVh
+            NVlkWWRDUlQ0Mll2cGFFYWVuYW9VZVEKBHP7b1vFmVQGwAEfI8o/cWECr+qFUB2q
+            /BNRW7fcyLVrPU9BvqTIo84t4rvUTqfG3K/fdJ60h/0N6OUrCai0EQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-05T13:43:43Z"
+    mac: ENC[AES256_GCM,data:tHd4ZbDyhBowlztWEdY+ohp2obLOTXDqZ1ROOBYsXO4N6glMEYLiqxKvpZ5+RcKkv/GIrFSvGS3AtSCCfGhAq9YVOsICpx7JJjbpbnPR4d797WIK5IauHpTSeTjoOMjVzA5O32m6Ux7TSk5Y1EPwcgOfvd4Ah0SMrOblHyAi9H0=,iv:oKgwFUC523K/s/05SmWY5uADd8n0Qm2mz8WJB59uA7E=,tag:Kx2NCDWcB82OUUGcbeW21w==,type:str]
+    pgp:
+        - created_at: "2024-02-05T13:43:25Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQILAwDh3VI7VctTAQ/3RuSGSlr+pGQIrnWIjZl/i6ZuMwHVolIN1cTshchZ/Pga
+            j9teHAYZWnQ9d+bym3uxzc9S58U3sNKU13Rpb8zPOrlssa4sLrt0cTAQRzPLIH/b
+            66SSWHm4RKzlDaPHrY/iVYDqEy0/zLmIxmKZThfCZIVsj7g5bvP2Y9iNDR3EMQsf
+            rHuMePsoE0eUvudgNWuyuUSBdRX3JK/lLpe3BfXmkdZgMXWKrFwKuv7XevDquRVu
+            gZ6SQPShASN3ErptDBLoewasCDJuzV0wmgGB0JqGwADzjRnS+OGiBAYJB7GDjLoj
+            iWLqy6xhkboFCiVgEyF51u4MfVAgZCWwVRRDrzv8Q8L93Umm4Frp0J3hOb0rC9u7
+            UJCt1/VcsQ8VX7wRyEwZWWktIRb07yMIKoYsy7q1J4qU0AjSNVVX2y1sFa6qi9Cs
+            b2krAzRhzV2qd7V2QsoOSTO+RePE5qD6OTC5GeXaZoPaNoHi8u3SLGqWVug954SX
+            rNJrcgpl0VkoYlnanuA3s20BiHSpAk/9RiosXCI5kg8XPikp2j0iB/8WuKnMWlc9
+            40EZRRaXQZF0LMxdyE+8QTF9CvUCCTOkSfrslEXd6gpX8GB+KUdWyMvqjIamQ6ov
+            7Msuq1gFKtZulzwZJ/pC6TbmSXMt3MgHu5vFqOvOE7UEWwY+FVwp9WZtwX9OQoUC
+            DAML0VEuZyGBhAEP/iqLYs6MX3U/odqG0IFCayIdbGDoU8+CvIehPnTJKilzW2AW
+            QpTqPFUI8arz+yPQYmKI8/VwPELp/W/iU1DNTlaWjXSw/nXmQMB0MERu0ZqAbZ6m
+            Z5n+j8Ggz56I6EX1PpEkAXL4bmSM6iEsDREkecML/ZTNy+OeSodlEq6A0jGYlQF2
+            /mmsUnXj+FSoLoyeIlJNtr3HrJNzlikWLczP4ETxeYscqunsQbbgQ6c2xHrgSLrQ
+            GbVuxOMFbP67B9DyCKnsIQSllps6lFIZUTDeItzUNuiClDpTChFE+GJyTE4iB+Wn
+            MgcxFadezGhKPVPyEgLviv/gudGQpLxJBUGHdfsv76wAno5IrSWWYt6YdjTpGUE6
+            n//fcV2jHV23EhfnUFyPiQkLlo49vrtXwY6AhAUYfOOTlDMyQJ+humXWnpqV+by3
+            xFTq2lCqz3PqmcBDSUIgTGxUDNiK94pJVQC9uquQwXbxRYMpXuZLFB/OCumMWDuN
+            xkqe6XYvx7PR9GW379OPqiAPB3PDyIRcwcOYiiycyFwVOrMYlEW67ujI2Kj/8EFb
+            5dncfD/TgiLKCYH3lxFvFk8ddun05WozDk1jfS1aDVh1ZWndd3ByRNe5q6baARoO
+            KwcVHtKSPjjrURk+CbGWzDvTAgvURSNpxJ5ubGEYea/E7Jb4JwEUURnymRD90l4B
+            gcRSQrYEI0sAsMaa7WEniMwSiOUJxb2q6crj6aOasEE5NSaPrG+zqs/emfDhfkHS
+            25Sx8KwuzctJpCq0ajnH3yYfuZyL9euBFvk/SZ9bqDSDzXSxm6wKYZfWRf71
+            =W0a4
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1