xeovalyte/nix
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Paperless added and fixes for old services

Browse Source
This commit is contained in:
Timo Boomers 2025-04-30 14:16:44 +02:00
parent 40a5f794ea
commit e17752dec4
11 changed files with 158 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/v-th-ctr-01/default.nix
View File

@ -68,6 +68,7 @@
isNormalUser = true; isNormalUser = true;
description = "Deploy"; description = "Deploy";
extraGroups = [ "networkmanager" "wheel" "dialout" ]; extraGroups = [ "networkmanager" "wheel" "dialout" ];
linger = true;
}; };
nix.settings.trusted-users = [ "root" "deploy" ]; nix.settings.trusted-users = [ "root" "deploy" ];

1
hosts/v-th-ctr-01/home.nix
View File

@ -48,6 +48,7 @@
uptime-kuma.enable = true; uptime-kuma.enable = true;
pingvin-share.enable = true; pingvin-share.enable = true;
vaultwarden.enable = true; vaultwarden.enable = true;
paperless-ngx.enable = true;
}; };
}; };

7
modules/home/containers/caddy.nix
View File

@ -79,10 +79,15 @@ in {
resolvers 1.1.1.1 resolvers 1.1.1.1
} }
@vaultwarden @vaultwarden host vault.local.tbmrs.nl
handle @vaultwarden { handle @vaultwarden {
reverse_proxy vaultwarden:80 reverse_proxy vaultwarden:80
} }
@paperless-ngx host paperless.local.tbmrs.nl
handle @paperless-ngx {
reverse_proxy paperless-ngx:8000
}
} }
''; '';
}; };

18
modules/home/containers/homepage.nix
View File

@ -90,6 +90,24 @@ in {
container = "pingvin-share"; container = "pingvin-share";
}; };
} }
{
"Vaultwarden" = {
href = "https://vault.local.tbmrs.nl";
description = "Password management";
icon = "vaultwarden";
server = "podman";
container = "vaultwarden";
};
}
{
"Paperless" = {
href = "https://paperless.local.tbmrs.nl";
description = "Documents management";
icon = "paperless-ngx";
server = "podman";
container = "paperless-ngx";
};
}
]; ];
} }
]; ];

97
modules/home/containers/paperless-ngx.nix Normal file
View File

@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.paperless-ngx;
in {
options = {
settings.containers.paperless-ngx.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Paperless NGX container
'';
};
};
config = mkIf cfg.enable {
settings.services.sops.enable = true;
services.podman.containers.paperless-ngx = {
image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
network = "proxy";
volumes = [
"%h/containers/paperless-ngx/data:/usr/src/paperless/data"
"%h/containers/paperless-ngx/media:/usr/src/paperless/media"
"%h/containers/paperless-ngx/export:/usr/src/paperless/export"
"%h/containers/paperless-ngx/consume:/usr/src/paperless/consume"
"${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
"${config.sops.secrets."containers/paperless-ngx/secret".path}:/run/secrets/secret"
"${config.sops.secrets."containers/paperless-ngx/openid-providers".path}:/run/secrets/openid-providers"
];
environment = {
PAPERLESS_REDIS = "redis://paperless-ngx-broker:6379";
PAPERLESS_DBHOST = "paperless-ngx-db";
PAPERLESS_URL = "https://paperless.local.tbmrs.nl";
PAPERLESS_DBPASS_FILE = "/run/secrets/db-password";
PAPERLESS_SECRET_KEY_FILE = "/run/secrets/secret";
PAPERLESS_DISABLE_REGULAR_LOGIN = false;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = "/run/secrets/openid-providers";
PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;
};
extraConfig = {
Unit = {
After = [
"sops-nix.service"
"podman-paperless-ngx-db.service"
"podman-paperless-ngx-broker.service"
];
Requires = [
"podman-paperless-ngx-db.service"
"podman-paperless-ngx-broker.service"
];
};
};
};
services.podman.containers.paperless-ngx-db = {
image = "docker.io/library/postgres:17";
network = "proxy";
volumes = [
"%h/containers/paperless-ngx/db-data:/var/lib/postgresql/data"
"${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
];
environment = {
POSTGRES_DB = "paperless";
POSTGRES_USER = "paperless";
POSTGRES_PASSWORD_FILE = "/run/secrets/db-password";
};
extraConfig = {
Unit = {
After = [
"sops-nix.service"
];
};
};
};
services.podman.containers.paperless-ngx-broker = {
image = "docker.io/library/redis:7";
network = "proxy";
volumes = [
"%h/containers/paperless-ngx/redis-data:/data"
];
};
sops.secrets = {
"containers/paperless-ngx/db-password" = { };
"containers/paperless-ngx/secret" = { };
"containers/paperless-ngx/openid-providers" = { };
};
};
}

4
modules/home/containers/pingvin-share.nix
View File

@ -65,5 +65,9 @@ in {
''; '';
}; };
}; };
sops.secrets = {
"containers/pingvin-share/oidc-secret" = { };
};
}; };
} }

1
modules/home/containers/vaultwarden.nix
View File

@ -24,6 +24,7 @@ in {
]; ];
environment = { environment = {
DOMAIN = "https://vault.local.tbmrs.nl"; DOMAIN = "https://vault.local.tbmrs.nl";
SIGNUPS_ALLOWED = true;
}; };
}; };
}; };

1
modules/home/default.nix
View File

@ -34,5 +34,6 @@
./containers/uptime-kuma.nix ./containers/uptime-kuma.nix
./containers/pingvin-share.nix ./containers/pingvin-share.nix
./containers/vaultwarden.nix ./containers/vaultwarden.nix
./containers/paperless-ngx.nix
]; ];
} }

6
modules/home/services/sops.nix
View File

@ -28,11 +28,7 @@ in {
sops = { sops = {
age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password! age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password!
defaultSopsFile = ../../../secrets/secrets.yaml; defaultSopsFile = ../../../secrets/deploy.yaml;
secrets = {
"containers/pingvin-share/oidc-secret" = { };
};
}; };
}; };
} }

28
secrets/deploy.yaml Normal file
View File

@ -0,0 +1,28 @@
example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
containers:
pingvin-share:
oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
paperless-ngx:
db-password: ENC[AES256_GCM,data:H21HVshmFuWJ5qNIrjm0VMGHEsT7cCvScgamU+CAaNZ6j5ux/r4xiF9zP7Qh40sKTOvyoWGTcHGPHE5ClpGuQA==,iv:tDIRfThBOfHr+gGRqywlHAk/x4MkhHRFsJEp5nnlGPA=,tag:XbYKD90l3u93Ur4VOqOn6w==,type:str]
secret: ENC[AES256_GCM,data:+1hriBiSbt+zUjEkBTEM90PFNlxfNwRAmz8wHyeyOnq6ThI+PtlDu83sunBFL2FUYJX0N4h3R4FvJBUkrPr0NQ==,iv:zzhFaoLnskspp1S291KABLZITgcof63cjShnsZrlAmw=,tag:+aafTLgZVBWeclQLQvVlQg==,type:str]
openid-providers: ENC[AES256_GCM,data:bpUnVFvvMUTkjApqkWi8gcVXgvaM8d/bcuoiQgco/UJZBQqbSEQys8BSb9yaSx8HAIZEcWjpb4N5FEb3P1uH8de4Nq7nlAg+GdDuS4WjInF5KOWQY9p0T4HfnMJyfx7zIiWW7nPSaxPNtMNZxQiXnW8oJr1fmz/O49T4egw1tdxWj6CO4d+T6aRKBsS26Ie1HYJ6BTT1B6qiIgiBpAvXh558nduk3tIz1blTCeV9XpnZgKlj45mS+g6+Eqqj0ATI7CC5y5CEVaMs1rC0NzlVm7/rEV4dBpVlmHtN5KE4aRMiH3YUYnJ5Nbo7EVfPQ7xkEPRmIOtXzXut8Hpml3QkFhdvHH5ZbworFrwL+LHm4GpHbUyCGc6OkWZ9+/mILos3o4BaI0qLQRchoGddvx5dOJyn5lJj3AfRgLB8zu9JSXZDre/LHovcJwpzmOip09mmjk7CGjea2f8wDnnX2HRXlM9alUbwlvXU69+MhTJBmqWe4kCBB8riz5gHRg2lQRMnMg64roPv7C7B1VoHANISDA3LHG4hocXknO69rBnjTjIYJNblDEtTztSTJdQvYb2102gFrxg4Grxu6/gQcXTbe4DScqUmIhebk98Nc7xlca9l+FGzmFB8cbznFFiaLE3wRK3G7g540+GOPoyXXxTGp3l5cOi6VE8cDd+HK5KDBnlgFecR/5QCRw40e9qvmCSttaxDCme+YrFHW248jgVwWvsNiFT5bBR4phS5c0VjrHdcy+1zY3R6GsnmXMfonIYHcq8apMhqVCdqHAzV2Qij4/RIyqCQoOeX86fi/pdDCvtMEbYt2nVqITmmxgOFRk4GSbLcjkbKG0SPVQWjGGXNkB/MfhUsvHG7E00IrAt1DgFEzqSar4Ildd7D4MzURJZxWNqoES0IhyVcxOgweCTakXM9QHqt,iv:ba2bri2F/B6Sp3HfpXVWZ/WMVFOPF4+DyAtdS56yNqQ=,tag:1uW6iDXiZm0vXUjmJPBchw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-30T09:15:42Z"
mac: ENC[AES256_GCM,data:Mxq3LnXRpnVv/U7QEGL5I3gF3y8W8IfsdTvinIsn5Qi6m04JinyJ0Vgr4JbMstB/8gh259MsAO2na7/vZ8brLuol0X8vZeIlgIoX8DazuI6dpNr284zPWsiRNr8gzBViYDRb4GVf+GF11iXcw3UlJE8uB+N4z4Y4sUbobOt402c=,iv:G86XwJp6ZRB8ioDbNDGKxLPNIcAmcusH/blT/8FKFlk=,tag:emMQZ7TAJGy7yqSpD7+1Cg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

24
secrets/secrets.yaml
View File

@ -1,24 +0,0 @@
example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
containers:
pingvin-share:
oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-28T10:30:25Z"
mac: ENC[AES256_GCM,data:+0xSa0mD9hLgJ1bihW1v/j6HyLgOWQFBcbuv74yORHoa7gNWNAA8JtlrpWAMfWJPP9zXgUicw3hj9Z9ZGDSbEIpaDRDxcrc8HNFQEq7iOhJJCoBmeXzB5XOkeh6Xf33rR713xjL+FssMhXxCKZfEKYrC/G23JdxlLoVoT/M7lH8=,iv:s7G5jB6dHJNsPiz9TVkjNLrnX4FbS+PbbQeNC3JBg2M=,tag:gSPq6099NJqf7TSPNUxPFg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4