# SPDX-FileCopyrightText: 2021-2024 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, lib, ... }:

let
  paperlessCfg = config.services.paperless;
  # Hostname of the FTP scan drop-off; also the name of the ACME certificate
  # that vsftpd serves below.
  ftpHost = "fuuko.lan.shinonome-lab.de";
  scanRoot = "/var/lib/scans";
  scanDropDir = "${scanRoot}/paperless";
in
{
  # Local PostgreSQL for paperless-ngx; the role owns its database.
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "paperless" ];
    ensureUsers = [
      {
        name = "paperless";
        ensureDBOwnership = true;
      }
    ];
  };

  services.paperless = {
    enable = true;
    settings = {
      # Connect to PostgreSQL over the local Unix socket directory.
      PAPERLESS_DBHOST = "/run/postgresql";
      PAPERLESS_URL = "https://paperless.sbruder.de";
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_TASK_WORKERS = 4;
      PAPERLESS_TIME_ZONE = "Europe/Berlin";
      PAPERLESS_FILENAME_FORMAT = "{correspondent}/{document_type}/{created}_{title}_{doc_pk}";
      # Needed so the symlinked ftp subdirectory of the consume dir is scanned.
      PAPERLESS_CONSUMER_RECURSIVE = true;
      # Extra OCRmyPDF arguments, handed over as a JSON object.
      PAPERLESS_OCR_USER_ARGS = builtins.toJSON { invalidate_digital_signatures = true; };
    };
  };

  # The drop-off directory lives outside paperless' state directory, so the
  # task-queue service's sandbox needs an explicit write grant for it
  # (presumably to move/delete consumed files — confirm against the module).
  systemd.services.paperless-task-queue.serviceConfig.ReadWritePaths = [ scanDropDir ];

  services.nginx = {
    enable = true;
    virtualHosts = {
      "paperless.sbruder.de" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/" = {
            proxyPass = "http://${paperlessCfg.address}:${toString paperlessCfg.port}";
            proxyWebsockets = true;
            # Uploaded scans can be large; raise nginx's request body limit.
            extraConfig = ''
              client_max_body_size 500M;
            '';
          };
          # Static assets are served directly out of the package.
          "/static" = {
            root = "${paperlessCfg.package}/lib/paperless-ngx";
          };
        };
      };
      # Virtual host whose ACME certificate is reused by vsftpd below.
      ${ftpHost} = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };

  # Dedicated account the scanner uses to log in over FTP.
  users.users.scan = {
    home = scanRoot;
    isSystemUser = true;
    group = "scan";
    # NOTE(review): a password hash committed to configuration can be attacked
    # offline by anyone who can read this repository (the option docs also warn
    # it ends up in the world-readable Nix store). users.users.<name>.hashedPasswordFile
    # keeps the hash out of both.
    hashedPassword = "$y$jCT$5kP87kZLYQs4SRtB5oDYT0$TbcyiO.HuFZ.5e9LPu4vqGAjGXbmfOTJefPvTlsVzm3";
  };
  users.groups.scan = { };

  systemd.tmpfiles.rules = [
    # Scan root: owned by the FTP account, traversable by every local account (0555).
    "d ${scanRoot} 0555 scan root -"
    # Drop-off directory: group paperless so the consumer can work on the files.
    # Together with local_umask=022 below, uploaded scans are world-readable on
    # this host — acceptable only while no untrusted local accounts exist.
    "d ${scanDropDir} 0775 scan paperless -"
    # Make the drop-off directory visible inside paperless' consume directory.
    "L /var/lib/paperless/consume/ftp - - - - ${scanDropDir}"
  ];

  # The drop-off tree is excluded from the system backup.
  sbruder.restic.backups.system.extraExcludes = [ scanRoot ];

  services.vsftpd = {
    enable = true;
    writeEnable = true;
    localUsers = true;
    # Confine logged-in local accounts to their home directory.
    chrootlocalUser = true;
    # User list consulted by vsftpd; see userlist_enable / userlist_deny in vsftpd.conf(5).
    userlist = [ "scan" ];
    # Certificate obtained through the ACME-enabled nginx virtual host above.
    rsaCertFile = "${config.security.acme.certs.${ftpHost}.directory}/full.pem";
    # Plaintext logins and data transfers are refused; TLS is mandatory.
    forceLocalLoginsSSL = true;
    forceLocalDataSSL = true;
    # Disable the TLS 1.0 protocol option. Intended outcome is TLS 1.2+ only;
    # whether TLS 1.1 is also excluded depends on the vsftpd build — verify
    # with a scanner after deployment.
    ssl_tlsv1 = false;
    extraConfig = ''
      listen_ipv6=YES
      # user’s shell is nologin
      check_shell=NO
      # scans should be readable
      local_umask=022
      pasv_min_port=30000
      pasv_max_port=30009
      # generated 2024-09-22, Mozilla Guideline v5.7, adapted, OpenSSL 3.0.14, intermediate configuration
      # https://ssl-config.mozilla.org
      ssl_enable=YES
      ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    '';
  };

  # FTP control port plus the passive data range; the range must stay in sync
  # with pasv_min_port/pasv_max_port in extraConfig above.
  networking.firewall = {
    allowedTCPPorts = [ 21 ];
    allowedTCPPortRanges = [
      { from = 30000; to = 30009; }
    ];
  };
}