feat: add paperless

2025-10-10 14:50:40 +02:00 · 2023-08-03 00:35:20 +02:00 · 2023-08-03 00:35:20 +02:00 · 8be9646d1a
commit 8be9646d1a
parent d577fb1d1a
12 changed files with 149 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -136,11 +136,9 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \


 ```bash
-# Recover admin account (server must not be running)
-systemctl stop kanidm
-kanidmd recover-account -c server.toml admin
+# Recover admin account
+kanidmd recover-account admin
 > AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp
-systemctl start kanidm
 # Login with recovered root account
 kanidm login --name admin
 # Generate new credentials for idm_admin account
@ -166,6 +164,15 @@ kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid em
 kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
 kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
 kanidm system oauth2 show-basic-secret web-sentinel
+# Generate new oauth2 app for forgejo
+kanidm group create forgejo-access
+kanidm group create forgejo-admins
+kanidm system oauth2 create forgejo "Forgejo" https://git.${personalDomain}
+kanidm system oauth2 update-scope-map forgejo forgejo-access openid email profile
+kanidm system oauth2 update-sup-scope-map forgejo forgejo-server-admins server_admin
+kanidm system oauth2 update-sup-scope-map forgejo forgejo-admins admin
+kanidm system oauth2 update-sup-scope-map forgejo forgejo-editors editor
+kanidm system oauth2 show-basic-secret forgejo
 # Add new user
 kanidm login --name idm_admin
 kanidm person create myuser "My User"
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -59,8 +59,16 @@
      ];
    };
  in
-    lib.genAttrs
-    ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb" "forgejo"]
+    lib.genAttrs [
+      "adguardhome"
+      "forgejo"
+      "grafana"
+      "influxdb"
+      "kanidm"
+      "loki"
+      "paperless"
+      "vaultwarden"
+    ]
    defaultConfig;

  #ddclient = defineVm;
--- a/hosts/ward/microvms/paperless.nix
+++ b/hosts/ward/microvms/paperless.nix
@ -0,0 +1,73 @@
+{
+  config,
+  lib,
+  nodes,
+  utils,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+  microvm.mem = 1024 * 12;
+  # XXX: increase once real hardware is used
+  microvm.vcpu = 4;
+
+  meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+    config.services.paperless.port
+  ];
+
+  age.secrets.paperless-admin-password = {
+    rekeyFile = config.node.secretsDir + "/paperless-admin-password.age";
+    generator.script = "alnum";
+    mode = "440";
+    group = "paperless";
+  };
+
+  nodes.sentinel = {
+    networking.providedDomains.paperless = paperlessDomain;
+
+    services.nginx = {
+      upstreams.paperless = {
+        servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {};
+        extraConfig = ''
+          zone paperless 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${paperlessDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        extraConfig = ''
+          client_max_body_size 512M;
+        '';
+        locations."/" = {
+          proxyPass = "http://paperless";
+          proxyWebsockets = true;
+          X-Frame-Options = "SAMEORIGIN";
+        };
+      };
+    };
+  };
+
+  services.paperless = {
+    enable = true;
+    address = config.meta.wireguard.proxy-sentinel.ipv4;
+    passwordFile = config.age.secrets.paperless-admin-password.path;
+    extraConfig = {
+      PAPERLESS_URL = "https://${paperlessDomain}";
+      PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
+      PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
+      #PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
+      PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
+      PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      PAPERLESS_TASK_WORKERS = 4;
+      PAPERLESS_WEBSERVER_WORKERS = 4;
+    };
+  };
+
+  #systemd.services.paperless = {
+  #  after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+  #  serviceConfig.StateDirectory = lib.mkForce "paperless";
+  #  serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+  #};
+}
--- a/hosts/ward/secrets/paperless/host.pub
+++ b/hosts/ward/secrets/paperless/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCpvF0FjDWj1a2fE+3VuMV9naHIJIAufxYEScxM7s0B
--- a/hosts/ward/secrets/paperless/paperless-admin-password.age
+++ b/hosts/ward/secrets/paperless/paperless-admin-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 T+p8DC+r5eXbafinXz0AuqaDgyTXzVEk75YCzbzPORg
+AocHJ7AtX2NWN7PeLjc6tbaYKW6p793vajC+eBAtA2k
+-> piv-p256 xqSe8Q A5oLMFDESd7+zHU0i/DXaiFC/G8OWgW2y8boYRR5NUQ1
+qcIQJlkPhS/ARwzV6ajvnefELmxI4/a6kXnJyjryq5I
+-> +8Z-grease o*-Th)vX %TAq
+nQRpWbLvit6lC0NV/sZk
+--- p4feRTSXzE66RtPi9F/vxSxJv1tlcnYa7OFnt0FyDeI
+vh³	ºa«ç9/YýU¹¶œþã¼S}üZ&'Yõ7Y´=K†L,»HWç‹tÂŸ¨…�¤ïé1º„h¦æf'£š±M÷ðßpÿ{E×£,«d™4
--- a/hosts/ward/secrets/paperless/telegraf-influxdb-token.age
+++ b/hosts/ward/secrets/paperless/telegraf-influxdb-token.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4
+KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU
+-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o
+SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk
+-> e\9`z-grease
+PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa
+RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF
+6g
+--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE
+¶ßÌÚÝp 6SD´…˜W(¶YRÜ3ƒs_Ûª/2g}ÄÜ¶§W?ub
+)‘¯/û,{÷&ƒFÿ-ŒØ5£ß/u.�p¬	\%ÊÉŸæ—üï4qÓ‰�ðÛ˜yKQk4W™3÷ËŒ
+§Óˆ[Áþ°t‡__4y× ±q�¬^/F×©*
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -24,5 +24,6 @@
    telegraf = uidGid 985;
    rtkit = uidGid 984;
    gitea = uidGid 983;
+    redis-paperless = uidGid 982;
  };
 }
--- a/secrets/generated/sentinel/loki-basic-auth-hashes.age
+++ b/secrets/generated/sentinel/loki-basic-auth-hashes.age
--- a/secrets/generated/ward-paperless/promtail-loki-basic-auth-password.age
+++ b/secrets/generated/ward-paperless/promtail-loki-basic-auth-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 MFMlVVVbu3eYcmxKOR15d8Y1OLKuFGPwpbIpTwaIHX8
+J2IOsGRqErwce89aB7T1rja3SW/017lxm0dirFplG68
+-> piv-p256 xqSe8Q A74Ivea0NjcFql+TgRh3826EDJYwG1s1GHVPclTPsTta
+1JjTAroG6lkJKSxhDVm57Jz5lbugDl9UGrnkeRXof3U
+-> qBL8W-grease V p MWH1` 3!#Aut=c
+q1Q0
+--- 2HAreXSGFKj8uWhpQcmhFFLFhx1KvVIDEkFKI/sfowo
+¥C|7§>í•§‡Lƒ£�ZÉÝ|ókj‘íÙ²PD•‘Æ�Ë=9©„zá ÏS9ýí £øfóÚS‚[rÊûoáª)ÚgyýæÉßc
--- a/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 rUkrb/IJCEqIurde8bsrG1/Ut8GvCrcTkQ+92/dTcTw
+DkezFKaJCftcqgmbuPS9MaePqAwp77FtCwzwhbQGDqk
+-> piv-p256 xqSe8Q AmL9y2iktPhe13jamhHQ+PiSduEay6yz8GUtJBtb7PJC
+FCfyLD4PGk7HXcvMrUtlZIMIVEk3//pCi11l/AW2r6s
+-> u-grease 0& y3;s< zMl MG
+phIk2ihy5iMBEhI7y0rYbm0+LCcrZSfdQSmdG5TfczSHCGsMtkvgk4N2e5k/lQMO
+KSu9qp2A6bxm54IGUKUhQ
+--- iag+JUxptmLfr1nTBuFfqE7cgb9z71c3yLqepf1C8AA
+k"ÌÂ[ô»£þÛq½P„@†BR» ”�UÕ©‡÷€,ª9
+»À�}j¹ÀS€>G%•‰�D5^JÿË%W’d`)î¬ˆÙg3A
--- a/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub
@ -0,0 +1 @@
+bPwKLfoXJUZP04BxbfacyUPp/NLgSqsvA/10Q05onhw=
--- a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 7ZQ55YhLawpfz23LAOUqRDbmLUhr7dL2/ZkUgDD6mBg
+Nzh7u4SF5pLg7g9u717hl+wPzXINi+6BroQ2Jqeqb5o
+-> piv-p256 xqSe8Q Age9jnlRoiyfCxIXn5vVhiwO7a1HiTZnz9/a+V7qS0YI
+fJzHUFYUkGto1WfNcUD8UQsScNPt8d3qRF+sqFGjTts
+-> HI@6(W-grease O<2e |P>^1C1 '
+9OgaVkrKDXDkP9BYSzR3/ryEcsFftsHwXMZ8N5H+BVRkIJWjCW190xRilQwX25s
+--- yxHWX2gZaxD1Plx6u31Sr4nce1/sHmRcGRghAwbbQfo
+;ŚIăY†Ď6`ôźe%B¨8;,tě¤ľByY
+�—Ä‚bä˘{{ˇ	ĽB-"˙ľl6¸đöüĚôÄSţÜ‚ú„“®HĄüpę·í5
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCpvF0FjDWj1a2fE+3VuMV9naHIJIAufxYEScxM7s0B`
				`@ -0,0 +1 @@`
				`bPwKLfoXJUZP04BxbfacyUPp/NLgSqsvA/10Q05onhw=`