nixos-config/machines/fuuko/services/paperless.nix

108 lines
3 KiB
Nix
Raw Normal View History

2024-09-22 12:54:23 +02:00
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
2024-09-19 21:51:56 +02:00
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
{
services.postgresql = {
enable = true;
ensureDatabases = [ "paperless" ];
ensureUsers = lib.singleton {
name = "paperless";
ensureDBOwnership = true;
};
};
services.paperless = {
enable = true;
settings = {
PAPERLESS_DBHOST = "/run/postgresql";
PAPERLESS_URL = "https://paperless.sbruder.de";
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_TASK_WORKERS = 4;
PAPERLESS_TIME_ZONE = "Europe/Berlin";
PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
2024-09-22 12:54:23 +02:00
PAPERLESS_CONSUMER_RECURSIVE = true;
2024-09-19 21:51:56 +02:00
};
};
2024-09-22 12:54:23 +02:00
systemd.services.paperless-task-queue.serviceConfig = {
ReadWritePaths = [ "/var/lib/scans/paperless" ];
};
2024-09-19 21:51:56 +02:00
services.nginx = {
enable = true;
virtualHosts."paperless.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = with config.services.paperless; "http://${address}:${toString port}";
proxyWebsockets = true;
};
"/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
};
};
2024-09-22 12:54:23 +02:00
virtualHosts."fuuko.lan.shinonome-lab.de" = {
enableACME = true;
forceSSL = true;
};
};
users.users.scan = {
home = "/var/lib/scans";
isSystemUser = true;
group = "scan";
hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
};
users.groups.scan = { };
systemd.tmpfiles.rules = [
"d /var/lib/scans 0555 scan root -"
"d /var/lib/scans/paperless 0775 scan paperless -"
"L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
];
sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];
services.vsftpd = {
enable = true;
writeEnable = true;
localUsers = true;
chrootlocalUser = true;
userlist = [ "scan" ];
rsaCertFile = "${config.security.acme.certs."fuuko.lan.shinonome-lab.de".directory}/full.pem";
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
ssl_tlsv1 = false; # only allow TLS 1.2+
extraConfig = ''
listen_ipv6=YES
# users shell is nologin
check_shell=NO
# scans should be readable
local_umask=022
pasv_min_port=30000
pasv_max_port=30009
# generated 2024-09-22, Mozilla Guideline v5.7, adapted, OpenSSL 3.0.14, intermediate configuration
# https://ssl-config.mozilla.org
ssl_enable=YES
ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
'';
};
networking.firewall = {
allowedTCPPorts = [ 21 ];
allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
2024-09-19 21:51:56 +02:00
};
}