From e17752dec49679df301665780ea4752993bd46be Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Wed, 30 Apr 2025 14:16:44 +0200 Subject: [PATCH] Paperless added and fixes for old services --- hosts/v-th-ctr-01/default.nix | 1 + hosts/v-th-ctr-01/home.nix | 1 + modules/home/containers/caddy.nix | 7 +- modules/home/containers/homepage.nix | 18 +++++ modules/home/containers/paperless-ngx.nix | 97 +++++++++++++++++++++++ modules/home/containers/pingvin-share.nix | 4 + modules/home/containers/vaultwarden.nix | 1 + modules/home/default.nix | 1 + modules/home/services/sops.nix | 6 +- secrets/deploy.yaml | 28 +++++++ secrets/secrets.yaml | 24 ------ 11 files changed, 158 insertions(+), 30 deletions(-) create mode 100644 modules/home/containers/paperless-ngx.nix create mode 100644 secrets/deploy.yaml delete mode 100644 secrets/secrets.yaml diff --git a/hosts/v-th-ctr-01/default.nix b/hosts/v-th-ctr-01/default.nix index 40b58f9..c571632 100644 --- a/hosts/v-th-ctr-01/default.nix +++ b/hosts/v-th-ctr-01/default.nix @@ -68,6 +68,7 @@ isNormalUser = true; description = "Deploy"; extraGroups = [ "networkmanager" "wheel" "dialout" ]; + linger = true; }; nix.settings.trusted-users = [ "root" "deploy" ]; diff --git a/hosts/v-th-ctr-01/home.nix b/hosts/v-th-ctr-01/home.nix index 727121b..fb88fe8 100644 --- a/hosts/v-th-ctr-01/home.nix +++ b/hosts/v-th-ctr-01/home.nix @@ -48,6 +48,7 @@ uptime-kuma.enable = true; pingvin-share.enable = true; vaultwarden.enable = true; + paperless-ngx.enable = true; }; }; diff --git a/modules/home/containers/caddy.nix b/modules/home/containers/caddy.nix index a86310e..c08041b 100644 --- a/modules/home/containers/caddy.nix +++ b/modules/home/containers/caddy.nix @@ -79,10 +79,15 @@ in { resolvers 1.1.1.1 } - @vaultwarden + @vaultwarden host vault.local.tbmrs.nl handle @vaultwarden { reverse_proxy vaultwarden:80 } + + @paperless-ngx host paperless.local.tbmrs.nl + handle @paperless-ngx { + reverse_proxy paperless-ngx:8000 + } } ''; }; 
diff --git a/modules/home/containers/homepage.nix b/modules/home/containers/homepage.nix
index 17a0dac..bfb2d65 100644
--- a/modules/home/containers/homepage.nix
+++ b/modules/home/containers/homepage.nix
@@ -90,6 +90,24 @@ in {
 container = "pingvin-share";
 };
 }
+ {
+ "Vaultwarden" = {
+ href = "https://vault.local.tbmrs.nl";
+ description = "Password management";
+ icon = "vaultwarden";
+ server = "podman";
+ container = "vaultwarden";
+ };
+ }
+ {
+ "Paperless" = {
+ href = "https://paperless.local.tbmrs.nl";
+ description = "Documents management";
+ icon = "paperless-ngx";
+ server = "podman";
+ container = "paperless-ngx";
+ };
+ }
 ];
 }
 ];
diff --git a/modules/home/containers/paperless-ngx.nix b/modules/home/containers/paperless-ngx.nix
new file mode 100644
index 0000000..6831ae2
--- /dev/null
+++ b/modules/home/containers/paperless-ngx.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.settings.containers.paperless-ngx;
+in {
+ options = {
+ settings.containers.paperless-ngx.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Enable Paperless NGX container
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ settings.services.sops.enable = true;
+
+ services.podman.containers.paperless-ngx = {
+ image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+ network = "proxy";
+ volumes = [
+ "%h/containers/paperless-ngx/data:/usr/src/paperless/data"
+ "%h/containers/paperless-ngx/media:/usr/src/paperless/media"
+ "%h/containers/paperless-ngx/export:/usr/src/paperless/export"
+ "%h/containers/paperless-ngx/consume:/usr/src/paperless/consume"
+
+ "${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
+ "${config.sops.secrets."containers/paperless-ngx/secret".path}:/run/secrets/secret"
+ "${config.sops.secrets."containers/paperless-ngx/openid-providers".path}:/run/secrets/openid-providers"
+ ];
+ environment = {
+ PAPERLESS_REDIS = "redis://paperless-ngx-broker:6379";
+ PAPERLESS_DBHOST = "paperless-ngx-db";
+ PAPERLESS_URL = "https://paperless.local.tbmrs.nl";
+ PAPERLESS_DBPASS_FILE = "/run/secrets/db-password";
+ PAPERLESS_SECRET_KEY_FILE = "/run/secrets/secret";
+
+ PAPERLESS_DISABLE_REGULAR_LOGIN = false;
+ PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = "/run/secrets/openid-providers";
+ PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;
+ };
+ extraConfig = {
+ Unit = {
+ After = [
+ "sops-nix.service"
+ "podman-paperless-ngx-db.service"
+ "podman-paperless-ngx-broker.service"
+ ];
+ Requires = [
+ "podman-paperless-ngx-db.service"
+ "podman-paperless-ngx-broker.service"
+ ];
+ };
+ };
+ };
+
+ services.podman.containers.paperless-ngx-db = {
+ image = "docker.io/library/postgres:17";
+ network = "proxy";
+ volumes = [
+
"%h/containers/paperless-ngx/db-data:/var/lib/postgresql/data" + + "${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password" + ]; + environment = { + POSTGRES_DB = "paperless"; + POSTGRES_USER = "paperless"; + POSTGRES_PASSWORD_FILE = "/run/secrets/db-password"; + }; + extraConfig = { + Unit = { + After = [ + "sops-nix.service" + ]; + }; + }; + }; + + services.podman.containers.paperless-ngx-broker = { + image = "docker.io/library/redis:7"; + network = "proxy"; + volumes = [ + "%h/containers/paperless-ngx/redis-data:/data" + ]; + }; + + sops.secrets = { + "containers/paperless-ngx/db-password" = { }; + "containers/paperless-ngx/secret" = { }; + "containers/paperless-ngx/openid-providers" = { }; + }; + }; +} diff --git a/modules/home/containers/pingvin-share.nix b/modules/home/containers/pingvin-share.nix index d34e836..3a6c4f3 100644 --- a/modules/home/containers/pingvin-share.nix +++ b/modules/home/containers/pingvin-share.nix @@ -65,5 +65,9 @@ in { ''; }; }; + + sops.secrets = { + "containers/pingvin-share/oidc-secret" = { }; + }; }; } diff --git a/modules/home/containers/vaultwarden.nix b/modules/home/containers/vaultwarden.nix index 8eeb548..a3d42cb 100644 --- a/modules/home/containers/vaultwarden.nix +++ b/modules/home/containers/vaultwarden.nix @@ -24,6 +24,7 @@ in { ]; environment = { DOMAIN = "https://vault.local.tbmrs.nl"; + SIGNUPS_ALLOWED = true; }; }; }; diff --git a/modules/home/default.nix b/modules/home/default.nix index 4adb436..caf6c8a 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -34,5 +34,6 @@ ./containers/uptime-kuma.nix ./containers/pingvin-share.nix ./containers/vaultwarden.nix + ./containers/paperless-ngx.nix ]; } diff --git a/modules/home/services/sops.nix b/modules/home/services/sops.nix index 8060f37..2bc2ecd 100644 --- a/modules/home/services/sops.nix +++ b/modules/home/services/sops.nix 
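Review bot: The postgres and redis containers sit on the shared `proxy` network (`network = "proxy";` on both `paperless-ngx-db` and `paperless-ngx-broker`), so every other container on that network — caddy and at least vaultwarden, per caddy.nix — can reach the database on 5432 and the broker on 6379, and the broker has no authentication at all (stock `redis:7` with no arguments or config, and `PAPERLESS_REDIS` carries no password), which effectively hands Paperless's task queue to anything compromised on that network. Put the two backends on a network only the app joins: `services.podman.networks.paperless-ngx = { };`, `network = [ "proxy" "paperless-ngx" ];` on `paperless-ngx`, and `network = "paperless-ngx";` on `paperless-ngx-db` and `paperless-ngx-broker` (assuming the container `network` option takes a list in this home-manager version). `image = "ghcr.io/paperless-ngx/paperless-ngx:latest"` is unpinned, so any rebuild silently pulls whatever the tag points at; pin a release tag or an `@sha256:` digest, and consider the same for `postgres:17` and `redis:7`. The sops secret files are bind-mounted as-is; in a rootless container a host-owned 0400 file appears root-owned, so confirm the processes that read `POSTGRES_PASSWORD_FILE` and the `PAPERLESS_*_FILE` paths have enough privilege to open them, or set a wider `mode` on those `sops.secrets` entries.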
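Review bot: `SIGNUPS_ALLOWED = true;` turns on open self-registration for the password vault: anyone who can reach `https://vault.local.tbmrs.nl` through caddy can create an account, and nothing in the commit limits this to a bootstrap window. If it is only needed to create the first user, say so in place — `SIGNUPS_ALLOWED = true; # TODO: set to false once the initial account exists` — or better keep it `false` and add users via `INVITATIONS_ALLOWED`/`SIGNUPS_DOMAINS_WHITELIST` or the admin panel. Unlike `DOMAIN` on the line above, the value is a Nix boolean rather than a string; confirm the container `environment` option serialises it as the literal `true` vaultwarden expects rather than failing type-checking.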
@@ -28,11 +28,7 @@ in { sops = { age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password! - defaultSopsFile = ../../../secrets/secrets.yaml; - - secrets = { - "containers/pingvin-share/oidc-secret" = { }; - }; + defaultSopsFile = ../../../secrets/deploy.yaml; }; }; }
diff --git a/secrets/deploy.yaml b/secrets/deploy.yaml
new file mode 100644
index 0000000..1096fe0
--- /dev/null
+++ b/secrets/deploy.yaml
@@ -0,0 +1,28 @@
+example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
+containers:
+ pingvin-share:
+ oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
+ paperless-ngx:
+ db-password: ENC[AES256_GCM,data:H21HVshmFuWJ5qNIrjm0VMGHEsT7cCvScgamU+CAaNZ6j5ux/r4xiF9zP7Qh40sKTOvyoWGTcHGPHE5ClpGuQA==,iv:tDIRfThBOfHr+gGRqywlHAk/x4MkhHRFsJEp5nnlGPA=,tag:XbYKD90l3u93Ur4VOqOn6w==,type:str]
+ secret: ENC[AES256_GCM,data:+1hriBiSbt+zUjEkBTEM90PFNlxfNwRAmz8wHyeyOnq6ThI+PtlDu83sunBFL2FUYJX0N4h3R4FvJBUkrPr0NQ==,iv:zzhFaoLnskspp1S291KABLZITgcof63cjShnsZrlAmw=,tag:+aafTLgZVBWeclQLQvVlQg==,type:str]
+ openid-providers: ENC[AES256_GCM,data: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,iv:ba2bri2F/B6Sp3HfpXVWZ/WMVFOPF4+DyAtdS56yNqQ=,tag:1uW6iDXiZm0vXUjmJPBchw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
+ aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
+ NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
+ bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
+ ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-30T09:15:42Z"
+ mac: ENC[AES256_GCM,data:Mxq3LnXRpnVv/U7QEGL5I3gF3y8W8IfsdTvinIsn5Qi6m04JinyJ0Vgr4JbMstB/8gh259MsAO2na7/vZ8brLuol0X8vZeIlgIoX8DazuI6dpNr284zPWsiRNr8gzBViYDRb4GVf+GF11iXcw3UlJE8uB+N4z4Y4sUbobOt402c=,iv:G86XwJp6ZRB8ioDbNDGKxLPNIcAmcusH/blT/8FKFlk=,tag:emMQZ7TAJGy7yqSpD7+1Cg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
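Review bot: The file is encrypted to exactly one age recipient (`age1cs2p7…`), presumably the deploy user's key at the `age.keyFile` path configured in sops.nix, so losing that single key file makes every secret here unrecoverable and nobody can edit the file from a workstation without copying the host key around. Add an operator or backup recipient in the repo's `.sops.yaml` (not part of this diff) and re-encrypt with `sops updatekeys secrets/deploy.yaml`. The `example-key` placeholder carried over from secrets.yaml can be dropped at the same time.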
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
deleted file mode 100644
index efde024..0000000
--- a/secrets/secrets.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
-containers:
- pingvin-share:
- oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
- aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
- NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
- bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
- ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-04-28T10:30:25Z"
- mac: ENC[AES256_GCM,data:+0xSa0mD9hLgJ1bihW1v/j6HyLgOWQFBcbuv74yORHoa7gNWNAA8JtlrpWAMfWJPP9zXgUicw3hj9Z9ZGDSbEIpaDRDxcrc8HNFQEq7iOhJJCoBmeXzB5XOkeh6Xf33rR713xjL+FssMhXxCKZfEKYrC/G23JdxlLoVoT/M7lH8=,iv:s7G5jB6dHJNsPiz9TVkjNLrnX4FbS+PbbQeNC3JBg2M=,tag:gSPq6099NJqf7TSPNUxPFg==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.9.4