From 0517922bf0c5924b4252ffede0efb4d51352bc47 Mon Sep 17 00:00:00 2001 From: Jacob Bachmann Date: Tue, 17 Sep 2024 17:58:45 +0200 Subject: [PATCH] feat(APPA): add paperless-ngx --- hosts/APPA/services/adguard-home.nix | 4 ++++ hosts/APPA/services/default.nix | 1 + hosts/APPA/services/nginx.nix | 7 +++++++ hosts/APPA/services/paperless.nix | 18 ++++++++++++++++++ hosts/APPA/services/postgresql.nix | 7 +++++++ secrets/passwords/paperless/admin.age | 10 ++++++++++ secrets/secrets.nix | 5 +++-- 7 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 hosts/APPA/services/paperless.nix create mode 100644 secrets/passwords/paperless/admin.age diff --git a/hosts/APPA/services/adguard-home.nix b/hosts/APPA/services/adguard-home.nix index b62fd13..aa509bb 100644 --- a/hosts/APPA/services/adguard-home.nix +++ b/hosts/APPA/services/adguard-home.nix @@ -54,6 +54,10 @@ domain = "vaultwarden.dryb.org"; answer = "192.168.2.40"; } + { + domain = "paperless.dryb.org"; + answer = "192.168.2.40"; + } ]; }; dhcp = { diff --git a/hosts/APPA/services/default.nix b/hosts/APPA/services/default.nix index 6438b05..5460eaa 100644 --- a/hosts/APPA/services/default.nix +++ b/hosts/APPA/services/default.nix @@ -8,6 +8,7 @@ ./homepage-dashboard.nix ./nextcloud.nix ./nginx.nix + ./paperless.nix ./postgresql.nix ./vaultwarden.nix ]; diff --git a/hosts/APPA/services/nginx.nix b/hosts/APPA/services/nginx.nix index 494e49c..5f77ca9 100644 --- a/hosts/APPA/services/nginx.nix +++ b/hosts/APPA/services/nginx.nix @@ -43,6 +43,13 @@ proxyPass = "http://127.0.0.1:8005"; }; }; + virtualHosts."paperless.dryb.org" = { + useACMEHost = "dryb.org"; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8006"; + }; + }; }; networking.firewall = { diff --git a/hosts/APPA/services/paperless.nix b/hosts/APPA/services/paperless.nix new file mode 100644 index 0000000..70e2224 --- /dev/null +++ b/hosts/APPA/services/paperless.nix 
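Review bot: The new `paperless.dryb.org` vhost in nginx.nix forwards plain HTTP only, and paperless-ngx reports document-processing status over a WebSocket, so I would add `proxyWebsockets = true;` inside `locations."/"` to keep the upgrade headers. The vhost also has no source restriction, while the AdGuard rewrite earlier in this patch resolves the name to 192.168.2.40, which suggests LAN-only use. If port 443 on this host is reachable from outside, the document archive's login page is too, so consider an `allow`/`deny` pair for the LAN range in the vhost's `extraConfig`. The request body limit comes from the part of nginx.nix outside this hunk, so check `clientMaxBodySize` against the size of the scans you expect to upload.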
@@ -0,0 +1,18 @@ +{ config, ... }: +{ + + age.secrets.passwords-paperless-admin = { + file = ../../../secrets/passwords/paperless/admin.age; + }; + + services.paperless = { + enable = true; + port = 8006; + passwordFile = config.age.secrets.passwords-paperless-admin.path; + settings = { + PAPERLESS_DBHOST = "/run/postgresql"; + PAPERLESS_OCR_LANGUAGE = "deu+eng"; + PAPERLESS_URL = "https://paperless.dryb.org"; + }; + }; +} diff --git a/hosts/APPA/services/postgresql.nix b/hosts/APPA/services/postgresql.nix index 456f1ce..907facd 100644 --- a/hosts/APPA/services/postgresql.nix +++ b/hosts/APPA/services/postgresql.nix @@ -6,6 +6,7 @@ ensureDatabases = [ config.services.gitea.user "vaultwarden" + config.services.paperless.user ]; ensureUsers = [ @@ -13,18 +14,24 @@ name = "vaultwarden"; ensureDBOwnership = true; } + { + name = config.services.paperless.user; + ensureDBOwnership = true; + } ]; # type database DBuser auth-method mapping authentication = '' local gitea all ident map=gitea-users local vaultwarden all ident map=vaultwarden-users + local paperless all ident map=paperless-users ''; # name sysuser dbuser identMap = '' gitea-users gitea gitea vaultwarden-users vaultwarden vaultwarden + paperless-users paperless paperless ''; }; diff --git a/secrets/passwords/paperless/admin.age b/secrets/passwords/paperless/admin.age new file mode 100644 index 0000000..7425ee9 --- /dev/null +++ b/secrets/passwords/paperless/admin.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 OFTJeQ IJMXUFizZd5OgxzxFuuvavSu1Kisvj1RE22dSoge8HU +aTjv7pWEj8Ra1S/vr4C4QSVb7jW3aJiRqL80dZS5p6E +-> ssh-ed25519 lfMVeg ijZGWCGpRhwhACBF3n1aBDrMujYw4+K7iXXtO91Pun0 +xl3uI1nBFkBX1qI3KaOc67O7hr9TOVFhru2yL33Y36M +-> ssh-ed25519 ueRyzQ kitKof5Y86vTKI9+7OM152qU0Ppw0khgzCH7yMozG1s +2DT9wLMRSap01J5J1v7fmQkZ3NiuQb8LU44VOTKStNQ +--- a/39g6oCXIp+D5F50+QDrnnkHS9kBIdyISqSeqyyWPY +aeB|LF8{`4mT"p +F2#qIx&$A mP]Sq &U \ No newline at end of file 
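Review bot: `services.paperless` in paperless.nix is enabled without pinning the listen address, so whether port 8006 is reachable only through the nginx TLS vhost depends on the module default of the nixpkgs revision in use. Adding `address = "127.0.0.1";` next to `port = 8006;` makes the loopback-only intent explicit and keeps the unencrypted backend off the LAN if that default ever differs. A one-line comment above `PAPERLESS_DBHOST`, such as `# unix socket: authenticated by the ident map in postgresql.nix, no DB password`, would also explain why no database secret appears here.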
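Review bot: In postgresql.nix the database and role names come from `config.services.paperless.user`, but the added `authentication` and `identMap` lines hard-code `paperless`. If the service user were ever overridden, the role would be created under the new name while pg_hba and the ident map still admit only `paperless`, and the service would fail to authenticate. Either interpolate the option in both strings, e.g. `local ${config.services.paperless.user} all ident map=paperless-users`, or use the literal `"paperless"` in `ensureDatabases` and `ensureUsers` as the vaultwarden entries do. Since paperless.nix sets neither PAPERLESS_DBNAME nor PAPERLESS_DBUSER, paperless-ngx falls back to `paperless` for both, so the literal is the safer choice and worth a short comment.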
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 0c58d9a..17f0ff6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,8 +29,9 @@ in
 "environments/vaultwarden.age".publicKeys = users ++ [ APPA ];
 "keys/wireguard/dryborg/privatekey.age".publicKeys = [ gandalf ] ++ clients;
 "keys/wireguard/dryborg/presharedkey.age".publicKeys = [ gandalf ] ++ clients;
- "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
 "passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
- "passwords/nextcloud/admin.age".publicKeys = users ++ [ APPA ];
 "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];
+ "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
+ "passwords/nextcloud/admin.age".publicKeys = users ++ [ APPA ];
+ "passwords/paperless/admin.age".publicKeys = users ++ [ APPA ];
 }