nixos-config/machines/fuuko/services/paperless.nix

# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, ... }:

{
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "paperless" ];
    ensureUsers = lib.singleton {
      name = "paperless";
      ensureDBOwnership = true;
    };
  };

  services.paperless = {
    enable = true;
    settings = {
      PAPERLESS_DBHOST = "/run/postgresql";
      PAPERLESS_URL = "https://paperless.sbruder.de";
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_TASK_WORKERS = 4;
      PAPERLESS_TIME_ZONE = "Europe/Berlin";
      PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
      PAPERLESS_CONSUMER_RECURSIVE = true;
      PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
      PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
      PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED = true;
      PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
        invalidate_digital_signatures = true;
      };
    };
  };

  systemd.services.paperless-task-queue.serviceConfig = {
    ReadWritePaths = [ "/var/lib/scans/paperless" ];
  };

  services.nginx = {
    enable = true;

    virtualHosts."paperless.sbruder.de" = {
      enableACME = true;
      forceSSL = true;

      locations = {
        "/" = {
          proxyPass = with config.services.paperless; "http://${address}:${toString port}";
          proxyWebsockets = true;
          extraConfig = ''
            client_max_body_size 500M;
          '';
        };
        "/static".root = "${config.services.paperless.package}/lib/paperless-ngx";
        "/manual-scan/" = {
          alias = "/var/lib/scans/manual/";

          extraConfig = ''
            autoindex on;

            allow 10.80.1.0/24;
            allow 2001:470:73b9:1::/64;
            deny all;
          '';
        };
      };
    };

    virtualHosts."fuuko.lan.shinonome-lab.de" = {
      enableACME = true;
      forceSSL = true;
    };
  };

  users.users.scan = {
    home = "/var/lib/scans";
    isSystemUser = true;
    group = "scan";
    hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
  };
  users.groups.scan = { };

  systemd.tmpfiles.rules = [
    "d /var/lib/scans 0555 scan root -"
    "d /var/lib/scans/paperless 0770 scan paperless -"
    "d /var/lib/scans/paperless/double-sided 0770 scan paperless -"
    "d /var/lib/scans/manual 0750 scan nginx 7d"
    "L /var/lib/paperless/consume/ftp - - - - /var/lib/scans/paperless"
  ];

  sbruder.restic.backups.system.extraExcludes = [ "/var/lib/scans" ];

  services.vsftpd = {
    enable = true;
    writeEnable = true;
    localUsers = true;
    chrootlocalUser = true;
    userlist = [ "scan" ];

    extraConfig = ''
      listen_ipv6=YES

      # user’s shell is nologin
      check_shell=NO

      # scans should be readable
      local_umask=022

      pasv_min_port=30000
      pasv_max_port=30009
    '';
  };

  networking.firewall = {
    allowedTCPPorts = [ 21 ];
    allowedTCPPortRanges = [{ from = 30000; to = 30009; }];
  };
}