diff --git a/.sops.yaml b/.sops.yaml
index 7504f48..a532506 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -14,6 +14,7 @@ keys:
 - &server_spotifyd age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps
 - &server_sound age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745
 - &server_sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
+ - &server_paperless age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd
 creation_rules:
 - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
 key_groups:
@@ -71,3 +72,9 @@ creation_rules:
 - *admin_swarsel
 age:
 - *server_sync
+ - path_regex: secrets/paperless/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *admin_swarsel
+ age:
+ - *server_paperless
diff --git a/Nix.org b/Nix.org
index c335953..4c33233 100644
--- a/Nix.org
+++ b/Nix.org
@@ -431,6 +431,14 @@ This is where the theme for the whole OS is defined. This noweb-ref section cann
 ];
 };
+ paperless = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/paperless/nixos.nix
+ ];
+ };
+
 #ovm
 sync = nixpkgs.lib.nixosSystem {
 specialArgs = {inherit inputs pkgs; };
@@ -1585,6 +1593,20 @@ In the long run, I am thinking about a transition to kubernetes or using just a
 };
 };
+ "scan.swarsel.win" = {
+ enableACME = true;
+ forceSSL = true;
+ acmeRoot = null;
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.2.24:28981";
+ extraConfig = ''
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+
 "screen.swarsel.win" = {
 enableACME = true;
 forceSSL = true;
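Review bot: `client_max_body_size 0;` in the `scan.swarsel.win` location disables nginx's request-body limit entirely, and with nginx's default request buffering any client that can reach this public ACME-backed vhost can push an arbitrarily large body onto the proxy host's disk before Paperless ever sees the request. Paperless-ngx does need large uploads, but a bounded value covers that: `client_max_body_size 256m;` (constructed figure — size it to the largest document you expect). Paperless-ngx also uses a websocket channel for status updates; unless websocket upgrades are handled elsewhere in this file, add `proxyWebsockets = true;` next to `proxyPass` so that channel survives the proxy. The same extraConfig is tangled into the `profiles/server1/nginx/nixos.nix` hunk further down, which needs the same change.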
@@ -2862,6 +2884,59 @@ Make sure to also do this for doublepuppet.yaml
 #+end_src
+*** Paperless
+**** NixOS
+
+#+begin_src nix :noweb yes :tangle profiles/server1/paperless/nixos.nix
+
+ { config, pkgs, modulesPath, ... }:
+
+ {
+ <>
+
+ users.groups.lxc_shares = {
+ gid = 10000;
+ members = [
+ "paperless"
+ "root"
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ gnupg
+ ssh-to-age
+ ];
+
+ networking.hostName = "paperless"; # Define your hostname.
+ networking.firewall.enable = false;
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+ sops.defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
+ sops.validateSopsFiles = false;
+ sops.secrets.admin = { owner = "paperless";};
+
+ services.paperless = {
+ enable = true;
+ mediaDir = "/media";
+ user = "paperless";
+ port = 28981;
+ passwordFile = config.sops.secrets.admin.path;
+ address = "0.0.0.0";
+ extraConfig = {
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_URL = "scan.swarsel.win";
+ PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+ optimize = 1;
+ pdfa_image_compression = "lossless";
+ };
+ };
+ };
+
+ }
+
+#+end_src
+
 * Common NixOS
 These are system-level settings specific to NixOS machines. All settings that are required on all machines go here.
diff --git a/flake.nix b/flake.nix
index 0fff8ab..c801952 100644
--- a/flake.nix
+++ b/flake.nix
@@ -240,6 +240,14 @@
 ];
 };
+ paperless = nixpkgs.lib.nixosSystem {
+ specialArgs = {inherit inputs pkgs; };
+ modules = [
+ sops-nix.nixosModules.sops
+ ./profiles/server1/paperless/nixos.nix
+ ];
+ };
+
 #ovm
 sync = nixpkgs.lib.nixosSystem {
 specialArgs = {inherit inputs pkgs; };
diff --git a/profiles/server1/nginx/nixos.nix b/profiles/server1/nginx/nixos.nix
index 72ed018..743ad23 100644
--- a/profiles/server1/nginx/nixos.nix
+++ b/profiles/server1/nginx/nixos.nix
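Review bot: `PAPERLESS_URL = "scan.swarsel.win";` in the Paperless src block lacks the scheme; paperless-ngx documents this setting as a full origin that it feeds into Django's CSRF_TRUSTED_ORIGINS, which requires `https://...`, so behind the forceSSL proxy it should read `PAPERLESS_URL = "https://scan.swarsel.win";` or logins and uploads are likely to be rejected as CSRF failures. The tangled copy in the `profiles/server1/paperless/nixos.nix` hunk below carries the same value. `sops.defaultSopsFile` is a plain string into `/root/.dotfiles` with `sops.validateSopsFiles = false;`, so the secret is read from the working tree at activation rather than copied into the store; a one-line comment such as `# read at activation from the checked-out repo, not the store; the repo must exist at this path on the container` would make that deliberate choice visible to the next reader.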
@@ -163,6 +163,20 @@
 };
 };
+ "scan.swarsel.win" = {
+ enableACME = true;
+ forceSSL = true;
+ acmeRoot = null;
+ locations = {
+ "/" = {
+ proxyPass = "http://192.168.2.24:28981";
+ extraConfig = ''
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+
 "screen.swarsel.win" = {
 enableACME = true;
 forceSSL = true;
diff --git a/profiles/server1/paperless/hardware-configuration.nix b/profiles/server1/paperless/hardware-configuration.nix
new file mode 100644
index 0000000..fd6c050
--- /dev/null
+++ b/profiles/server1/paperless/hardware-configuration.nix
@@ -0,0 +1,29 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/mapper/pve-vm--117--disk--0";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/profiles/server1/paperless/nixos.nix b/profiles/server1/paperless/nixos.nix
new file mode 100644
index 0000000..4862805
--- /dev/null
+++ b/profiles/server1/paperless/nixos.nix
@@ -0,0 +1,80 @@
+{ config, pkgs, modulesPath, ... }:
+
+{
+
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ./hardware-configuration.nix
+ ];
+
+
+
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "altgr-intl";
+ };
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+ proxmoxLXC.manageNetwork = true; # manage network myself
+ proxmoxLXC.manageHostName = false; # manage hostname myself
+ networking.useDHCP = true;
+ networking.enableIPv6 = false;
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "yes";
+ listenAddresses = [{
+ port = 22;
+ addr = "0.0.0.0";
+ }];
+ };
+ users.users.root.openssh.authorizedKeys.keyFiles = [
+ ../../../secrets/keys/authorized_keys
+ ];
+
+ system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
+
+ environment.shellAliases = {
+ nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
+ };
+
+
+
+ users.groups.lxc_shares = {
+ gid = 10000;
+ members = [
+ "paperless"
+ "root"
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ gnupg
+ ssh-to-age
+ ];
+
+ networking.hostName = "paperless"; # Define your hostname.
+ networking.firewall.enable = false;
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
+ sops.defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
+ sops.validateSopsFiles = false;
+ sops.secrets.admin = { owner = "paperless";};
+
+ services.paperless = {
+ enable = true;
+ mediaDir = "/media";
+ user = "paperless";
+ port = 28981;
+ passwordFile = config.sops.secrets.admin.path;
+ address = "0.0.0.0";
+ extraConfig = {
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_URL = "scan.swarsel.win";
+ PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+ optimize = 1;
+ pdfa_image_compression = "lossless";
+ };
+ };
+ };
+
+ }
diff --git a/secrets/paperless/secrets.yaml b/secrets/paperless/secrets.yaml
new file mode 100644
index 0000000..d2f19f3
--- /dev/null
+++ b/secrets/paperless/secrets.yaml
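Review bot: `settings.PermitRootLogin = "yes";` permits root password logins, while the only credential this file provisions is the key list in `users.users.root.openssh.authorizedKeys.keyFiles`; `settings.PermitRootLogin = "prohibit-password";` keeps the key-based root access and closes the password path. Combined with `networking.firewall.enable = false;` and `services.paperless.address = "0.0.0.0";`, the plain-HTTP Paperless listener on 28981 answers to any host on the container's network segment, not only to the nginx host that terminates TLS for `scan.swarsel.win`, so the proxy's access controls can be bypassed from the LAN. If the LXC kernel permits a firewall in the container, re-enable it and open only what the proxy and SSH need: `networking.firewall.enable = true;` followed by `networking.firewall.allowedTCPPorts = [ 22 28981 ];`. The `# manage network myself` / `# manage hostname myself` comments on the `proxmoxLXC` lines would read better as one sentence explaining that the guest overrides Proxmox's injected config (e.g. `# network and hostname are declared below, not taken from the Proxmox LXC config`).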
@@ -0,0 +1,52 @@ +admin: ENC[AES256_GCM,data:4ltsTj6tWqw3Rx2Odx7e9OH25yzeBuIRrQ==,iv:uzRdWh9g0iNkjjo5Nrx7lVu8vZlOw2r3WJ1PXPEm/5U=,tag:Xv2Qwq/w+DYRYvXw+Bhnyg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1UWg0RTZEZjdhK01JUHI1 + TDkwSUJwN3RJMFM5WTdBU1Y5NktJdXdrMUQwCkt5Y2hUWkRLeWgwRTh5YVRFWmho + MjNSWWxZajB5YXhoc3J1VFVqNkdPYzQKLS0tIEJRd2R2d2xkNzFLOGE0Nng2OWVh + NVlkWWRDUlQ0Mll2cGFFYWVuYW9VZVEKBHP7b1vFmVQGwAEfI8o/cWECr+qFUB2q + /BNRW7fcyLVrPU9BvqTIo84t4rvUTqfG3K/fdJ60h/0N6OUrCai0EQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-05T13:43:43Z" + mac: ENC[AES256_GCM,data:tHd4ZbDyhBowlztWEdY+ohp2obLOTXDqZ1ROOBYsXO4N6glMEYLiqxKvpZ5+RcKkv/GIrFSvGS3AtSCCfGhAq9YVOsICpx7JJjbpbnPR4d797WIK5IauHpTSeTjoOMjVzA5O32m6Ux7TSk5Y1EPwcgOfvd4Ah0SMrOblHyAi9H0=,iv:oKgwFUC523K/s/05SmWY5uADd8n0Qm2mz8WJB59uA7E=,tag:Kx2NCDWcB82OUUGcbeW21w==,type:str] + pgp: + - created_at: "2024-02-05T13:43:25Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQILAwDh3VI7VctTAQ/3RuSGSlr+pGQIrnWIjZl/i6ZuMwHVolIN1cTshchZ/Pga + j9teHAYZWnQ9d+bym3uxzc9S58U3sNKU13Rpb8zPOrlssa4sLrt0cTAQRzPLIH/b + 66SSWHm4RKzlDaPHrY/iVYDqEy0/zLmIxmKZThfCZIVsj7g5bvP2Y9iNDR3EMQsf + rHuMePsoE0eUvudgNWuyuUSBdRX3JK/lLpe3BfXmkdZgMXWKrFwKuv7XevDquRVu + gZ6SQPShASN3ErptDBLoewasCDJuzV0wmgGB0JqGwADzjRnS+OGiBAYJB7GDjLoj + iWLqy6xhkboFCiVgEyF51u4MfVAgZCWwVRRDrzv8Q8L93Umm4Frp0J3hOb0rC9u7 + UJCt1/VcsQ8VX7wRyEwZWWktIRb07yMIKoYsy7q1J4qU0AjSNVVX2y1sFa6qi9Cs + b2krAzRhzV2qd7V2QsoOSTO+RePE5qD6OTC5GeXaZoPaNoHi8u3SLGqWVug954SX + rNJrcgpl0VkoYlnanuA3s20BiHSpAk/9RiosXCI5kg8XPikp2j0iB/8WuKnMWlc9 + 40EZRRaXQZF0LMxdyE+8QTF9CvUCCTOkSfrslEXd6gpX8GB+KUdWyMvqjIamQ6ov + 7Msuq1gFKtZulzwZJ/pC6TbmSXMt3MgHu5vFqOvOE7UEWwY+FVwp9WZtwX9OQoUC + DAML0VEuZyGBhAEP/iqLYs6MX3U/odqG0IFCayIdbGDoU8+CvIehPnTJKilzW2AW + 
QpTqPFUI8arz+yPQYmKI8/VwPELp/W/iU1DNTlaWjXSw/nXmQMB0MERu0ZqAbZ6m + Z5n+j8Ggz56I6EX1PpEkAXL4bmSM6iEsDREkecML/ZTNy+OeSodlEq6A0jGYlQF2 + /mmsUnXj+FSoLoyeIlJNtr3HrJNzlikWLczP4ETxeYscqunsQbbgQ6c2xHrgSLrQ + GbVuxOMFbP67B9DyCKnsIQSllps6lFIZUTDeItzUNuiClDpTChFE+GJyTE4iB+Wn + MgcxFadezGhKPVPyEgLviv/gudGQpLxJBUGHdfsv76wAno5IrSWWYt6YdjTpGUE6 + n//fcV2jHV23EhfnUFyPiQkLlo49vrtXwY6AhAUYfOOTlDMyQJ+humXWnpqV+by3 + xFTq2lCqz3PqmcBDSUIgTGxUDNiK94pJVQC9uquQwXbxRYMpXuZLFB/OCumMWDuN + xkqe6XYvx7PR9GW379OPqiAPB3PDyIRcwcOYiiycyFwVOrMYlEW67ujI2Kj/8EFb + 5dncfD/TgiLKCYH3lxFvFk8ddun05WozDk1jfS1aDVh1ZWndd3ByRNe5q6baARoO + KwcVHtKSPjjrURk+CbGWzDvTAgvURSNpxJ5ubGEYea/E7Jb4JwEUURnymRD90l4B + gcRSQrYEI0sAsMaa7WEniMwSiOUJxb2q6crj6aOasEE5NSaPrG+zqs/emfDhfkHS + 25Sx8KwuzctJpCq0ajnH3yYfuZyL9euBFvk/SZ9bqDSDzXSxm6wKYZfWRf71 + =W0a4 + -----END PGP MESSAGE----- + fp: 4BE7925262289B476DBBC17B76FD3810215AE097 + unencrypted_suffix: _unencrypted + version: 3.8.1