
feat: add paperless

This commit is contained in:
oddlama 2023-08-03 00:35:20 +02:00
parent d577fb1d1a
commit 8be9646d1a
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
12 changed files with 149 additions and 6 deletions


@ -136,11 +136,9 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
```bash ```bash
# Recover admin account (server must not be running) # Recover admin account
systemctl stop kanidm kanidmd recover-account admin
kanidmd recover-account -c server.toml admin
> AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp > AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp
systemctl start kanidm
# Login with recovered root account # Login with recovered root account
kanidm login --name admin kanidm login --name admin
# Generate new credentials for idm_admin account # Generate new credentials for idm_admin account
@ -166,6 +164,15 @@ kanidm system oauth2 update-scope-map web-sentinel web-sentinel-access openid em
kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-adguardhome-access access_adguardhome
kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb kanidm system oauth2 update-sup-scope-map web-sentinel web-sentinel-influxdb-access access_influxdb
kanidm system oauth2 show-basic-secret web-sentinel kanidm system oauth2 show-basic-secret web-sentinel
# Generate new oauth2 app for forgejo
kanidm group create forgejo-access
kanidm group create forgejo-admins
kanidm system oauth2 create forgejo "Forgejo" https://git.${personalDomain}
kanidm system oauth2 update-scope-map forgejo forgejo-access openid email profile
kanidm system oauth2 update-sup-scope-map forgejo forgejo-server-admins server_admin
kanidm system oauth2 update-sup-scope-map forgejo forgejo-admins admin
kanidm system oauth2 update-sup-scope-map forgejo forgejo-editors editor
kanidm system oauth2 show-basic-secret forgejo
# Add new user # Add new user
kanidm login --name idm_admin kanidm login --name idm_admin
kanidm person create myuser "My User" kanidm person create myuser "My User"


@ -59,8 +59,16 @@
]; ];
}; };
in in
lib.genAttrs lib.genAttrs [
["kanidm" "grafana" "loki" "vaultwarden" "adguardhome" "influxdb" "forgejo"] "adguardhome"
"forgejo"
"grafana"
"influxdb"
"kanidm"
"loki"
"paperless"
"vaultwarden"
]
defaultConfig; defaultConfig;
#ddclient = defineVm; #ddclient = defineVm;


@ -0,0 +1,73 @@
{
config,
lib,
nodes,
utils,
...
}: let
sentinelCfg = nodes.sentinel.config;
paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
microvm.mem = 1024 * 12;
# XXX: increase once real hardware is used
microvm.vcpu = 4;
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.paperless.port
];
age.secrets.paperless-admin-password = {
rekeyFile = config.node.secretsDir + "/paperless-admin-password.age";
generator.script = "alnum";
mode = "440";
group = "paperless";
};
nodes.sentinel = {
networking.providedDomains.paperless = paperlessDomain;
services.nginx = {
upstreams.paperless = {
servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {};
extraConfig = ''
zone paperless 64k;
keepalive 2;
'';
};
virtualHosts.${paperlessDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/" = {
proxyPass = "http://paperless";
proxyWebsockets = true;
X-Frame-Options = "SAMEORIGIN";
};
};
};
};
services.paperless = {
enable = true;
address = config.meta.wireguard.proxy-sentinel.ipv4;
passwordFile = config.age.secrets.paperless-admin-password.path;
extraConfig = {
PAPERLESS_URL = "https://${paperlessDomain}";
PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
#PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_TASK_WORKERS = 4;
PAPERLESS_WEBSERVER_WORKERS = 4;
};
};
#systemd.services.paperless = {
# after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
# serviceConfig.StateDirectory = lib.mkForce "paperless";
# serviceConfig.RestartSec = "600"; # Retry every 10 minutes
#};
}
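Review bot: `X-Frame-Options = "SAMEORIGIN";` inside `locations."/"` of the sentinel virtualHost is not an option the upstream nginx location submodule declares, so unless a local module in this repo adds it, evaluating the sentinel node will fail with an undefined-option error rather than emit the header. To actually send it the line would need to go through nginx configuration, e.g. `extraConfig = "add_header X-Frame-Options SAMEORIGIN;";` in that location block. A short comment on `address = config.meta.wireguard.proxy-sentinel.ipv4;` would also help the next reader, e.g. `# listens only on the wireguard proxy link; TLS is terminated by nginx on sentinel`. Finally, `lib` and `utils` are taken as module arguments but referenced only by the commented-out `systemd.services.paperless` override at the bottom; either drop both with the dead block or keep the override with a comment saying why it is disabled.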


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCpvF0FjDWj1a2fE+3VuMV9naHIJIAufxYEScxM7s0B


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 T+p8DC+r5eXbafinXz0AuqaDgyTXzVEk75YCzbzPORg
AocHJ7AtX2NWN7PeLjc6tbaYKW6p793vajC+eBAtA2k
-> piv-p256 xqSe8Q A5oLMFDESd7+zHU0i/DXaiFC/G8OWgW2y8boYRR5NUQ1
qcIQJlkPhS/ARwzV6ajvnefELmxI4/a6kXnJyjryq5I
-> +8Z-grease o*-Th)vX %TAq
nQRpWbLvit6lC0NV/sZk
--- p4feRTSXzE66RtPi9F/vxSxJv1tlcnYa7OFnt0FyDeI
vh³ ºa«ç9/YýU¹¶œþã¼S}üZ& 'Yõ7Y´=K†L,»HWç‹tŸ¨…�¤ïé1º„h¦æf'£š±M÷ðßpÿ{E ×£,«d™4


@ -0,0 +1,13 @@
age-encryption.org/v1
-> X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4
KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU
-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o
SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk
-> e\9`z-grease
PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa
RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF
6g
--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE
¶ßÌÚÝp 6SD´…˜W(¶YRÜ3ƒs_Ûª/2g}Äܶ§W?ub
)‘¯/û ,{÷&ƒFÿ-ŒØ5£ß/u.�p¬ \%ÊÉŸæ—üï4qÓ‰�ðÛ˜yKQk4W™3÷ËŒ
§Óˆ[Áþ°t‡__4y× ±q�¬^/Fש*


@ -24,5 +24,6 @@
telegraf = uidGid 985; telegraf = uidGid 985;
rtkit = uidGid 984; rtkit = uidGid 984;
gitea = uidGid 983; gitea = uidGid 983;
redis-paperless = uidGid 982;
}; };
} }


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 MFMlVVVbu3eYcmxKOR15d8Y1OLKuFGPwpbIpTwaIHX8
J2IOsGRqErwce89aB7T1rja3SW/017lxm0dirFplG68
-> piv-p256 xqSe8Q A74Ivea0NjcFql+TgRh3826EDJYwG1s1GHVPclTPsTta
1JjTAroG6lkJKSxhDVm57Jz5lbugDl9UGrnkeRXof3U
-> qBL8W-grease V p MWH1` 3!#Aut=c
q1Q0
--- 2HAreXSGFKj8uWhpQcmhFFLFhx1KvVIDEkFKI/sfowo
¥C|7§>í•§‡Lƒ£�ZÉÝ|ókj‘íÙ²PD•‘Æ�Ë=9©„zá ÏS9ýí £øfóÚS‚[rÊûoáª)Úgy­ýæÉßc


@ -0,0 +1,11 @@
age-encryption.org/v1
-> X25519 rUkrb/IJCEqIurde8bsrG1/Ut8GvCrcTkQ+92/dTcTw
DkezFKaJCftcqgmbuPS9MaePqAwp77FtCwzwhbQGDqk
-> piv-p256 xqSe8Q AmL9y2iktPhe13jamhHQ+PiSduEay6yz8GUtJBtb7PJC
FCfyLD4PGk7HXcvMrUtlZIMIVEk3//pCi11l/AW2r6s
-> u-grease 0& y3;s< zMl MG
phIk2ihy5iMBEhI7y0rYbm0+LCcrZSfdQSmdG5TfczSHCGsMtkvgk4N2e5k/lQMO
+KSu9qp2A6bxm54IGUKUhQ
--- iag+JUxptmLfr1nTBuFfqE7cgb9z71c3yLqepf1C8AA
k"ÌÂ[ô»£þÛq½P„@† BR» ”�UÕ©‡÷€,ª9
»À�}j¹ÀS€>G%•‰�D5^JÿË%W’d`)Ùg3A


@ -0,0 +1 @@
bPwKLfoXJUZP04BxbfacyUPp/NLgSqsvA/10Q05onhw=


@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 7ZQ55YhLawpfz23LAOUqRDbmLUhr7dL2/ZkUgDD6mBg
Nzh7u4SF5pLg7g9u717hl+wPzXINi+6BroQ2Jqeqb5o
-> piv-p256 xqSe8Q Age9jnlRoiyfCxIXn5vVhiwO7a1HiTZnz9/a+V7qS0YI
fJzHUFYUkGto1WfNcUD8UQsScNPt8d3qRF+sqFGjTts
-> HI@6(W-grease O<2e |P>^1C1 '
9OgaVkrKDXDkP9BYSzR3/ryEcsFftsHwXMZ8N5H+BVRkIJWjCW190xRilQwX25s
--- yxHWX2gZaxD1Plx6u31Sr4nce1/sHmRcGRghAwbbQfo
;ŚIăY†Ď6`ôźe%B¨8;,t줾ByY
�—Ä‚bä˘{{ˇ ĽB-"˙ľl6¸đöüĚôÄSţÜ‚ú„“®HĄüpę·í5