From 8be9646d1a28d23fafa5abb57b176d30ad5464ab Mon Sep 17 00:00:00 2001 From: oddlama Date: Thu, 3 Aug 2023 00:35:20 +0200 Subject: [PATCH] feat: add paperless --- README.md | 15 +++- hosts/ward/default.nix | 12 ++- hosts/ward/microvms/paperless.nix | 73 ++++++++++++++++++ hosts/ward/secrets/paperless/host.pub | 1 + .../paperless/paperless-admin-password.age | 9 +++ .../paperless/telegraf-influxdb-token.age | 13 ++++ modules/config/users.nix | 1 + .../sentinel/loki-basic-auth-hashes.age | Bin 1537 -> 1705 bytes .../promtail-loki-basic-auth-password.age | 9 +++ .../proxy-sentinel/keys/ward-paperless.age | 11 +++ .../proxy-sentinel/keys/ward-paperless.pub | 1 + .../psks/sentinel+ward-paperless.age | 10 +++ 12 files changed, 149 insertions(+), 6 deletions(-) create mode 100644 hosts/ward/microvms/paperless.nix create mode 100644 hosts/ward/secrets/paperless/host.pub create mode 100644 hosts/ward/secrets/paperless/paperless-admin-password.age create mode 100644 hosts/ward/secrets/paperless/telegraf-influxdb-token.age create mode 100644 secrets/generated/ward-paperless/promtail-loki-basic-auth-password.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-paperless.age create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age diff --git a/README.md b/README.md index 26d8da0..1325811 100644 --- a/README.md +++ b/README.md @@ -136,11 +136,9 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ ```bash -# Recover admin account (server must not be running) -systemctl stop kanidm -kanidmd recover-account -c server.toml admin +# Recover admin account +kanidmd recover-account admin > AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp -systemctl start kanidm # Login with recovered root account kanidm login --name admin # Generate new credentials for idm_admin account 
@@ -166,6 +164,15 @@ kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid em
 kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
 kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
 kanidm system oauth2 show-basic-secret web-sentinel
+# Generate new oauth2 app for forgejo
+kanidm group create forgejo-access
+kanidm group create forgejo-admins
+kanidm system oauth2 create forgejo "Forgejo" https://git.${personalDomain}
+kanidm system oauth2 update-scope-map forgejo forgejo-access openid email profile
+kanidm system oauth2 update-sup-scope-map forgejo forgejo-server-admins server_admin
+kanidm system oauth2 update-sup-scope-map forgejo forgejo-admins admin
+kanidm system oauth2 update-sup-scope-map forgejo forgejo-editors editor
+kanidm system oauth2 show-basic-secret forgejo
 # Add new user
 kanidm login --name idm_admin
 kanidm person create myuser "My User"
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 96b6b8f..ca4c016 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -59,8 +59,16 @@
 ];
 };
 in
- lib.genAttrs
- ["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb" "forgejo"]
+ lib.genAttrs [
+ "adguardhome"
+ "forgejo"
+ "grafana"
+ "influxdb"
+ "kanidm"
+ "loki"
+ "paperless"
+ "vaultwarden"
+ ]
 defaultConfig;
 
 #ddclient = defineVm;
diff --git a/hosts/ward/microvms/paperless.nix b/hosts/ward/microvms/paperless.nix
new file mode 100644
index 0000000..4d33984
--- /dev/null
+++ b/hosts/ward/microvms/paperless.nix
@@ -0,0 +1,73 @@
+{
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ microvm.mem = 1024 * 12;
+ # XXX: increase once real hardware is used
+ microvm.vcpu = 4;
+
+ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
+ config.services.paperless.port
+ ];
+
+ age.secrets.paperless-admin-password = {
+ rekeyFile = config.node.secretsDir + "/paperless-admin-password.age";
+ generator.script = "alnum";
+ mode = "440";
+ group = "paperless";
+ };
+
+ nodes.sentinel = {
+ networking.providedDomains.paperless = paperlessDomain;
+
+ services.nginx = {
+ upstreams.paperless = {
+ servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {};
+ extraConfig = ''
+ zone paperless 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${paperlessDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/" = {
+ proxyPass = "http://paperless";
+ proxyWebsockets = true;
+ X-Frame-Options = "SAMEORIGIN";
+ };
+ };
+ };
+ };
+
+ services.paperless = {
+ enable = true;
+ address = config.meta.wireguard.proxy-sentinel.ipv4;
+ passwordFile = config.age.secrets.paperless-admin-password.path;
+ extraConfig = {
+ PAPERLESS_URL = "https://${paperlessDomain}";
+ PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
+ PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
+ #PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
+ PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_TASK_WORKERS = 4;
+ PAPERLESS_WEBSERVER_WORKERS = 4;
+ };
+ };
+
+ #systemd.services.paperless = {
+ # after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ # serviceConfig.StateDirectory = lib.mkForce "paperless";
+ # serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ #};
+}
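Review bot: `services.paperless.address` is bound to the proxy-sentinel WireGuard address, but the ordering on that interface's device unit exists only in the commented-out block at the end of the file, so at boot the web unit may attempt to bind before the address is configured and fail until a restart. The NixOS paperless module splits the service into several units (`paperless-web` is the one that listens), so a `systemd.services.paperless` override as sketched in the comment would not reach them; `systemd.services.paperless-web.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];` would restore the intent, and `utils` and `lib` are currently bound only for that dead block, which should either become live config or be dropped. `X-Frame-Options` under `locations."/"` is not an upstream nginx location option; if it is not supplied by a repo module (as `useACMEWildcardHost` appears to be), evaluation fails, and `extraConfig = "add_header X-Frame-Options SAMEORIGIN;"` is the portable form. The hunk is the complete new file.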
diff --git a/hosts/ward/secrets/paperless/host.pub b/hosts/ward/secrets/paperless/host.pub new file mode 100644 index 0000000..e099a60 --- /dev/null +++ b/hosts/ward/secrets/paperless/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCpvF0FjDWj1a2fE+3VuMV9naHIJIAufxYEScxM7s0B diff --git a/hosts/ward/secrets/paperless/paperless-admin-password.age b/hosts/ward/secrets/paperless/paperless-admin-password.age new file mode 100644 index 0000000..7c247e7 --- /dev/null +++ b/hosts/ward/secrets/paperless/paperless-admin-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 T+p8DC+r5eXbafinXz0AuqaDgyTXzVEk75YCzbzPORg +AocHJ7AtX2NWN7PeLjc6tbaYKW6p793vajC+eBAtA2k +-> piv-p256 xqSe8Q A5oLMFDESd7+zHU0i/DXaiFC/G8OWgW2y8boYRR5NUQ1 +qcIQJlkPhS/ARwzV6ajvnefELmxI4/a6kXnJyjryq5I +-> +8Z-grease o*-Th)vX %TAq +nQRpWbLvit6lC0NV/sZk +--- p4feRTSXzE66RtPi9F/vxSxJv1tlcnYa7OFnt0FyDeI +vh a9/YUS}Z& 'Y7Y=KL,HWtŸ1hf'Mp{E ,d4 \ No newline at end of file diff --git a/hosts/ward/secrets/paperless/telegraf-influxdb-token.age b/hosts/ward/secrets/paperless/telegraf-influxdb-token.age new file mode 100644 index 0000000..b2da0f5 --- /dev/null +++ b/hosts/ward/secrets/paperless/telegraf-influxdb-token.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4 +KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU +-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o +SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk +-> e\9`z-grease +PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa +RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF +6g +--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE + p 6SDW(YR3s_۪/2g}ܶW?ub +)/ ,{&F-5/u.p \%ɟ4qӉyKQk4W3ˌ +ӈ[t__4y q^/F* \ No newline at end of file diff --git a/modules/config/users.nix b/modules/config/users.nix index f631c8b..aca86c1 100644 --- a/modules/config/users.nix +++ b/modules/config/users.nix 
@@ -24,5 +24,6 @@
 telegraf = uidGid 985;
 rtkit = uidGid 984;
 gitea = uidGid 983;
+ redis-paperless = uidGid 982;
 };
 }
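Review bot: Only `redis-paperless` receives a fixed id here, while the `paperless` user and group — owner of the data directories and the group granted the admin-password secret in `hosts/ward/microvms/paperless.nix` — keep a dynamically allocated one. If this table exists to keep ids stable across rebuilds for persisted state, add `paperless = uidGid <next-free-id>;` alongside the redis entry; if `paperless` is pinned elsewhere, a one-line comment saying so would avoid the same question on the next review. The enclosing attribute set starts outside the hunk.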
diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index b831edc1a690beeabd70e7b55bc0e0f1760b6845..c00089ba4206e598cdfd825b3034a4a355c950db 100644 GIT binary patch delta 1693 zcmV;O24eYv45y57WN24ycv^I2VMR1=OEYXTT2*8=R7Xj6 zM_F`eI0|ZMPcuq(Y;|FFMk`7)F-clTHB)S4V@XwdaAJ8xXGBkOcv(p@b4FrpQ3@?S zAaH4REpRe5HXwL$Q)M_&AVD-TYB6>-VNGjcFmPFSWmr-s!?QE^vOOj<`aFk^KvHg|V1aYT4CdUJS6Wob!wHb-Sy zaa9T}J|IM6StTuKEoX9NVRL05HBVz~3T|;1VQOn@F=cc` zb4hh8XfZ}fb$@4MdT&&9Xlrq1O;BQYMPzj{ZFEL!RZ&w^XGaPvdP!w4Z%k%Lb7KlE zEiE8TS#xPdHBmHEH&bv&O*l$8Qet;SZf{3bL2)>GVnlCJbZ{?eR$)+cN^1(E0nV0H z&O_Ne`A0|G{y0^U*Od|-vp|BaKS7NHPd^mRK4Sk{M}Ks?aT%F!amE4AFJ!HTJ~|X9 zFmknm#s@qQ1x8}-YQl#3)z1Ys2oP2I#Q>cMRTF>6pW-xS=8EkAKdx^y&c~d41qbV@nV`C9g5pnnAod2(uT&r>a`U}-b} zr#cg^j>D{-l&QmnB5Z;h;e%wM34dpkRA!+snVW45=6lWnh*hy8piGd5 zfui_(>uN_(zK-(#tcQ@XsC^1uwgkmaW=h_WC*7N2+n}j8MW6^Pb(#L-iZTAR!43C; zvs8l2(RiB0ti{nTCa=dQh+rG>;D)7x6d><#tq&xsjQ#(ML#Ln+8KhfQ2KqYEEzI4BZ#8~);&YMD#5pGvQjnDxI?+L!dA|O-=T`UNIw|8l>hi*lTH>{xQL~L zb`mze2+N8#_u3WS>!V}4Teoli0)Lav{mTGcs8#-^7o~42Qt|u^mTd&Ds{B|zZh+XX zWea+hPQdC>A}7UF_3=|4xQAP)@sscOU<^-xF_(`xpEyp(s{~y+ckFn;qA{Sbg1c;< zg%>Y*S1<)C?AJmfGf8Nq4Mb$kXqzi9)ZH#JsrHx5Z1FP^Xnz95dj7*Ts(&tKJ;q64 zqk)Qg3x+q!!|iJW$TqOuU?6wA3q}63L^I9)+S(pLAUk{86;@|sm@p-Ki2qQ?ztw^& z`$bDsw}p}?)%-asWn%6klGT9?KudBemj1J)6E)xbC&YKn{V>Axl|56jL1YAe#EFyJ zDkwb%N-oXEoQZB9p+g3F>VGMZ88BUy6n&3)a7!wgquIKkRKsdo$?ra zsQ`&tmHiwx`@SGynl2W=WU2V6jG?(5j#VZEB(;4p>SjCKwWyS;(fg0fJ|+4Mz6>*9NW3*LDB3sIi#kE(9V@I+hB|_o8auZ=-}=RUpR$ n#Wc-F_%&e&gDDnkWEQs7ZAEn0aXV!baU(0jdOLeOZed$Fqf`Ru delta 1523 zcmVprZZl<2OJzB6PikXoad&c0c~&uRIaW+?G%!|j zFfcM_RSH#eLV09*ZFX-qZgOr&cX3Krb8u`maA<00QbjXvOiV9sMk`D?V=pUWV+t)k zAaH4REpRe5HXwL$Q)M_&AVF>~XJ>9xS$Q;JMKoqiaWXMzc7J6{MOJ7_IA$_AOGIXR zNWnpt=3QBcnPFZJhN;W}3RZeYJYJZ>Eg5gUc>KHPC6vWLIK43l^T|fB>#)qIv=91OD?l`~ zeV0G`aG!P=r5wl>3W1vbS2R&rxsl6AyJ=?$Gn**_cz@1uIrxjX3>Jprm?++C4q+lU z7_0&4eZnrzBMeIS&S8$uvA`%`Ke8VU5KYiKU6W{ko)t>4F*1j1E~<>IV&M`Pm0_|= 
zVSdC@#8npeOF=e{x*w3x-p}?xoJ!ZcgU?@L(C4X?GM{2?}Ztr4{+9I#&JZu1W)lY(j?nHA-*YrSAsWc_VD#(Mx^wPJ#lQ)nGtFsFvzs&UD{ zsTAZ1guLyHWGUB?Lx{&Y+q#lnj^?}2AXV$}iuuQ-;{ z9k^%9U2v);39a~`b%FcK1xxxE5nT2Hw7lfU)Akag5FTWO;mk~)!@xQi`TTDlv%Po1 zxFnp(qYy8P3wm^?WUz;8+uoWMSmX0AFy-~XXbFx?hYZRk*K@9XumhhT(S6X zoX1eMSV)x>86uZ$t!mW(`U_VlPahJ^6maEwJGa)K<;~$u0RQDgYX9n2BVGygDSOqr zBy;=yuXHg)by}g0G+vDONWiaB)gij94S$Q_KFuYVZqA<~H=|iSxHnFlozHIgUNu!W zHoL|rQhxZTu&)!eT7>R@GyR*yL49`&DmDaN04YQ*VW4yLop{_!7By3Q*;tEhm@xqDos>woMM zi(8Q7WINsT5wkXrh*TwmPhkvoshzBi`hxrGRz}uWOTDVh%nf@;q76lMmcDM9%kjD8 z=`#u_ILnG;>$j+#m9v^OL*WC!68$*!uJKSud6PtJEw5DvVz`(@G*4muw^iG_V{G(? z+~{I|Iw}iZ-5n9o~ZDj(-#qk;M-z-7X2;iM}TX7E;3QeyptEbbJz_(7#4; z9LO6%-oUQZ>z;zpE2YX8mgy977(3%o6VMC)*SoZ3;cbcaVSIQ*Qq6$`c=TOL>Rf14 z(0Q{Vd__Dg6iC>W^?sJ++3NKrvHKPaQR12p{T*z{kY$tw|BFiD6l(+`Uw@qp6yKxh zM{o7KGj$$J3MJ(6GcXrW5p)Db@RchrFGq%O%;D==O~ZPEn{thIp1}PjioCmo(SwFQ zOL~?TE_BEv?mQ@&`JW7m#!p7E5Z?#mC3{c@nFp4J4QF1jBq)7tHKJWj7#Q0m9jva| zO}KOV41_S!$C X25519 MFMlVVVbu3eYcmxKOR15d8Y1OLKuFGPwpbIpTwaIHX8 +J2IOsGRqErwce89aB7T1rja3SW/017lxm0dirFplG68 +-> piv-p256 xqSe8Q A74Ivea0NjcFql+TgRh3826EDJYwG1s1GHVPclTPsTta +1JjTAroG6lkJKSxhDVm57Jz5lbugDl9UGrnkeRXof3U +-> qBL8W-grease V p MWH1` 3!#Aut=c +q1Q0 +--- 2HAreXSGFKj8uWhpQcmhFFLFhx1KvVIDEkFKI/sfowo +C|7>핧LZ|kjٲPDƐ=9z S9fS[ro)gyc \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age new file mode 100644 index 0000000..98001fe --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.age 
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 rUkrb/IJCEqIurde8bsrG1/Ut8GvCrcTkQ+92/dTcTw +DkezFKaJCftcqgmbuPS9MaePqAwp77FtCwzwhbQGDqk +-> piv-p256 xqSe8Q AmL9y2iktPhe13jamhHQ+PiSduEay6yz8GUtJBtb7PJC +FCfyLD4PGk7HXcvMrUtlZIMIVEk3//pCi11l/AW2r6s +-> u-grease 0& y3;s< zMl MG +phIk2ihy5iMBEhI7y0rYbm0+LCcrZSfdQSmdG5TfczSHCGsMtkvgk4N2e5k/lQMO ++KSu9qp2A6bxm54IGUKUhQ +--- iag+JUxptmLfr1nTBuFfqE7cgb9z71c3yLqepf1C8AA +k"[qP@ BR Uթ,9 +}jS>G%D5^J%Wd`)g3A \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub new file mode 100644 index 0000000..79e2af9 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-paperless.pub @@ -0,0 +1 @@ +bPwKLfoXJUZP04BxbfacyUPp/NLgSqsvA/10Q05onhw= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age new file mode 100644 index 0000000..33e38f0 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-paperless.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 7ZQ55YhLawpfz23LAOUqRDbmLUhr7dL2/ZkUgDD6mBg +Nzh7u4SF5pLg7g9u717hl+wPzXINi+6BroQ2Jqeqb5o +-> piv-p256 xqSe8Q Age9jnlRoiyfCxIXn5vVhiwO7a1HiTZnz9/a+V7qS0YI +fJzHUFYUkGto1WfNcUD8UQsScNPt8d3qRF+sqFGjTts +-> HI@6(W-grease O<2e |P>^1C1 ' +9OgaVkrKDXDkP9BYSzR3/ryEcsFftsHwXMZ8N5H+BVRkIJWjCW190xRilQwX25s +--- yxHWX2gZaxD1Plx6u31Sr4nce1/sHmRcGRghAwbbQfo +;IY6`e%B8;,tByY +Ăb{{ B-"l6S܂Hp5 \ No newline at end of file