Paperless added and fixes for old services

2025-04-30 14:16:44 +02:00
parent 40a5f794ea
commit e17752dec4
11 changed files with 158 additions and 30 deletions
--- a/modules/home/containers/caddy.nix
+++ b/modules/home/containers/caddy.nix
@@ -79,10 +79,15 @@ in {
          resolvers 1.1.1.1
        }

-        @vaultwarden
+        @vaultwarden host vault.local.tbmrs.nl
        handle @vaultwarden {
          reverse_proxy vaultwarden:80
        }
+
+        @paperless-ngx host paperless.local.tbmrs.nl
+        handle @paperless-ngx {
+          reverse_proxy paperless-ngx:8000
+        }
      }
    '';
  };
--- a/modules/home/containers/homepage.nix
+++ b/modules/home/containers/homepage.nix
@@ -90,6 +90,24 @@ in {
              container = "pingvin-share";
            };    
          }
+          {
+            "Vaultwarden" = {
+              href = "https://vault.local.tbmrs.nl";
+              description = "Password management";
+              icon = "vaultwarden";
+              server = "podman";
+              container = "vaultwarden";
+            };    
+          }
+          {
+            "Paperless" = {
+              href = "https://paperless.local.tbmrs.nl";
+              description = "Documents management";
+              icon = "paperless-ngx";
+              server = "podman";
+              container = "paperless-ngx";
+            };    
+          }
        ];
      }
    ];
--- a/modules/home/containers/paperless-ngx.nix
+++ b/modules/home/containers/paperless-ngx.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.settings.containers.paperless-ngx;
+in {
+  options = {
+    settings.containers.paperless-ngx.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Enable Paperless NGX container
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    settings.services.sops.enable = true;
+  
+    services.podman.containers.paperless-ngx = {
+      image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+      network = "proxy";
+      volumes = [
+        "%h/containers/paperless-ngx/data:/usr/src/paperless/data" 
+        "%h/containers/paperless-ngx/media:/usr/src/paperless/media" 
+        "%h/containers/paperless-ngx/export:/usr/src/paperless/export" 
+        "%h/containers/paperless-ngx/consume:/usr/src/paperless/consume" 
+
+        "${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password" 
+        "${config.sops.secrets."containers/paperless-ngx/secret".path}:/run/secrets/secret" 
+        "${config.sops.secrets."containers/paperless-ngx/openid-providers".path}:/run/secrets/openid-providers" 
+      ];
+      environment = {
+        PAPERLESS_REDIS = "redis://paperless-ngx-broker:6379";
+        PAPERLESS_DBHOST = "paperless-ngx-db";
+        PAPERLESS_URL = "https://paperless.local.tbmrs.nl";
+        PAPERLESS_DBPASS_FILE = "/run/secrets/db-password";
+        PAPERLESS_SECRET_KEY_FILE = "/run/secrets/secret";
+
+        PAPERLESS_DISABLE_REGULAR_LOGIN = false;
+        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+        PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = "/run/secrets/openid-providers";
+        PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;
+      };
+      extraConfig = {
+        Unit = {
+          After = [
+            "sops-nix.service"
+            "podman-paperless-ngx-db.service"
+            "podman-paperless-ngx-broker.service"
+          ];
+          Requires = [
+            "podman-paperless-ngx-db.service"
+            "podman-paperless-ngx-broker.service"
+          ];
+        };
+      };
+    };
+
+    services.podman.containers.paperless-ngx-db = {
+      image = "docker.io/library/postgres:17";
+      network = "proxy";
+      volumes = [
+        "%h/containers/paperless-ngx/db-data:/var/lib/postgresql/data" 
+
+        "${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password" 
+      ];
+      environment = {
+        POSTGRES_DB = "paperless";
+        POSTGRES_USER = "paperless";
+        POSTGRES_PASSWORD_FILE = "/run/secrets/db-password";
+      };
+      extraConfig = {
+        Unit = {
+          After = [
+            "sops-nix.service"
+          ];
+        };
+      };
+    };
+
+    services.podman.containers.paperless-ngx-broker = {
+      image = "docker.io/library/redis:7";
+      network = "proxy";
+      volumes = [
+        "%h/containers/paperless-ngx/redis-data:/data" 
+      ];
+    };
+
+    sops.secrets = {
+      "containers/paperless-ngx/db-password" = { };
+      "containers/paperless-ngx/secret" = { };
+      "containers/paperless-ngx/openid-providers" = { };
+    };
+  };
+}
--- a/modules/home/containers/pingvin-share.nix
+++ b/modules/home/containers/pingvin-share.nix
@@ -65,5 +65,9 @@ in {
        '';
      };
    };
+
+    sops.secrets = {
+      "containers/pingvin-share/oidc-secret" = { };
+    };
  };
 }
--- a/modules/home/containers/vaultwarden.nix
+++ b/modules/home/containers/vaultwarden.nix
@@ -24,6 +24,7 @@ in {
      ];
      environment = {
        DOMAIN = "https://vault.local.tbmrs.nl";
+        SIGNUPS_ALLOWED = true;
      };
    };
  };
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -34,5 +34,6 @@
    ./containers/uptime-kuma.nix
    ./containers/pingvin-share.nix
    ./containers/vaultwarden.nix
+    ./containers/paperless-ngx.nix
  ];
 }
--- a/modules/home/services/sops.nix
+++ b/modules/home/services/sops.nix
@@ -28,11 +28,7 @@ in {
    sops = {
      age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password!

-      defaultSopsFile = ../../../secrets/secrets.yaml;
-
-      secrets = {
-        "containers/pingvin-share/oidc-secret" = { };
-      };
+      defaultSopsFile = ../../../secrets/deploy.yaml;
    };
  };
 }