diff --git a/.stylua.toml b/.stylua.toml deleted file mode 100644 index 3be1637..0000000 --- a/.stylua.toml +++ /dev/null @@ -1,6 +0,0 @@ -column_width = 120 -line_endings = "Unix" -indent_type = "Tabs" -indent_width = 1 -quote_style = "AutoPreferDouble" -no_call_parentheses = true diff --git a/flake.lock b/flake.lock index e108171..da13959 100644 --- a/flake.lock +++ b/flake.lock @@ -85,6 +85,22 @@ } }, "base16-alacritty": { + "flake": false, + "locked": { + "lastModified": 1703982197, + "narHash": "sha256-TNxKbwdiUXGi4Z4chT72l3mt3GSvOcz6NZsUH8bQU/k=", + "owner": "aarowill", + "repo": "base16-alacritty", + "rev": "c95c200b3af739708455a03b5d185d3d2d263c6e", + "type": "github" + }, + "original": { + "owner": "aarowill", + "repo": "base16-alacritty", + "type": "github" + } + }, + "base16-alacritty-yaml": { "flake": false, "locked": { "lastModified": 1674275109, @@ -97,6 +113,7 @@ "original": { "owner": "aarowill", "repo": "base16-alacritty", + "rev": "63d8ae5dfefe5db825dd4c699d0cdc2fc2c3eaf7", "type": "github" } }, @@ -335,11 +352,11 @@ ] }, "locked": { - "lastModified": 1705348229, - "narHash": "sha256-CssPema1sBxZkrT95KFuKCNNiqxNe1lnf2QNeXk88Xk=", + "lastModified": 1705540973, + "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=", "owner": "nix-community", "repo": "disko", - "rev": "d0b4408eaf782a1ada0a9133bb1cecefdd59c696", + "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733", "type": "github" }, "original": { @@ -531,11 +548,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", "type": "github" }, "original": { 
@@ -762,11 +779,11 @@ ] }, "locked": { - "lastModified": 1705347059, - "narHash": "sha256-MSdJZDeyBIjf1SAZ7OvA44b00zUGTrDxkAm9vVR+XRk=", + "lastModified": 1705535278, + "narHash": "sha256-V5+XKfNbiY0bLKLQlH+AXyhHttEL7XcZBH9iSbxxexA=", "owner": "nix-community", "repo": "home-manager", - "rev": "8c3b2a0cab64a464de9e41a470eecf1318ccff57", + "rev": "b84191db127c16a92cbdf7f7b9969d58bb456699", "type": "github" }, "original": { @@ -817,11 +834,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1705320633, - "narHash": "sha256-ZFHqXr8f1zPAUJGLxB2qFapQCs7Dc8R75/mKIiw3sP0=", + "lastModified": 1705423846, + "narHash": "sha256-PULm77CvMZ9cQ4MaTXgvJom2ePB9c38p39JB4TFXEdw=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "b170b6a80de0a6df07d73594290dcd6d26ef7bbb", + "rev": "1d0951ca1b3721ff4e6049c3a37df56c78c60c65", "type": "github" }, "original": { @@ -854,11 +871,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1705263072, - "narHash": "sha256-DCqqaNWn9G81U+0Myyr36JrOKitcmS34oBWxqiHjabk=", + "lastModified": 1705592620, + "narHash": "sha256-97/yDm6n9C6fma0pSM/mMQeMLfmEOZPGbpKARNoKeG4=", "owner": "astro", "repo": "microvm.nix", - "rev": "088ba565537eaef1041a87be5a44ca0daa4e1908", + "rev": "ccf44d60393a571b549448167fa03882693a5a3d", "type": "github" }, "original": { @@ -979,11 +996,11 @@ "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { - "lastModified": 1705283066, - "narHash": "sha256-uYvo7hr28saTQuzZ+t0v2dPAxfcVLs4WirMuFl/ykAA=", + "lastModified": 1705582795, + "narHash": "sha256-hfP3TcXu76XHtwkIoTQSQLAe00yHrS1/Vt+pMZdsNRg=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "cab2f4b0408cc072a8f9405daa542298b11ea87b", + "rev": "dca8158b4f4354d7898439f4d449d0bfc4f6ebac", "type": "github" }, "original": { 
@@ -1000,11 +1017,11 @@ ] }, "locked": { - "lastModified": 1701689616, - "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", + "lastModified": 1705400161, + "narHash": "sha256-0MFaNIwwpVWB1N9m7cfHAM2pSVtYESQ7tlHxnDTOhM4=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "246219bc21b943c6f6812bb7744218ba0df08600", + "rev": "521fb4cdd8a2e1a00d1adf0fea7135d1faf04234", "type": "github" }, "original": { @@ -1036,31 +1053,31 @@ ] }, "locked": { - "lastModified": 1703019250, - "narHash": "sha256-Ykp/kh2tF33sVsiEYdIVssIi1gepN+TGnjZsabycJbo=", - "owner": "oddlama", + "lastModified": 1703279052, + "narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=", + "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "f5b43e40755f7519085236980ad971025db8985f", + "rev": "3bf23aeb346e772d157816e6b72a742a6c97db80", "type": "github" }, "original": { - "owner": "oddlama", + "owner": "thelegy", "repo": "nixos-nftables-firewall", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1705351535, - "narHash": "sha256-l6UP54vksO6IRhNRTcTEFmrIEWt86VPKA5XHZHGnpkk=", - "owner": "oddlama", + "lastModified": 1705496572, + "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "6cfc951b5237de6d62e43e235e65690e063e09bc", + "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19", "type": "github" }, "original": { - "owner": "oddlama", - "ref": "fix-kanidm-build", + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -1172,11 +1189,11 @@ ] }, "locked": { - "lastModified": 1705323114, - "narHash": "sha256-VOrbI0RLWenZ4H70DcD1WxpFkY2IG/F/3gMZUujAZaM=", + "lastModified": 1705585910, + "narHash": "sha256-5pvcEdTiVn5F+6gpyQbTxeLhcRlV/oN8nNiwjgLqigs=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "25ea5dd63dab3d63f679071a30994ae711c906ba", + "rev": "5b2b874c87882a5fc7f30be353410432e685ca0d", "type": "github" }, "original": { 
@@ -1230,11 +1247,11 @@ ] }, "locked": { - "lastModified": 1705268857, - "narHash": "sha256-IMaCyPTp5Za0xVUorHRxq39VaUrEDuWA9MbV1z6eHR8=", + "lastModified": 1705581923, + "narHash": "sha256-ms+6X+Sbx7Je8vMzux4ricuUR6JNHGoMZJLqhjGLxn8=", "owner": "nix-community", "repo": "nixvim", - "rev": "9e04eb3c3c6fcb6ea31e4d3633ea5fd7378906cb", + "rev": "df7a90127b079a39bfaba3eae1885ce6ab3a062a", "type": "github" }, "original": { @@ -1411,11 +1428,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1702865809, - "narHash": "sha256-K7caQe+KqjqTBFmJawmBjmm25S6bza5CXhAqbXFLyH8=", + "lastModified": 1705112162, + "narHash": "sha256-IAM0+Uijh/fwlfoeDrOwau9MxcZW3zeDoUHc6Z3xfqM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "b2aafcee4a8842cecfc877ff7dd271f333dc0fa8", + "rev": "9e0af26ffe52bf955ad5575888f093e41fba0104", "type": "github" }, "original": { @@ -1444,6 +1461,7 @@ "inputs": { "base16": "base16", "base16-alacritty": "base16-alacritty", + "base16-alacritty-yaml": "base16-alacritty-yaml", "base16-fish": "base16-fish", "base16-foot": "base16-foot", "base16-helix": "base16-helix", @@ -1459,11 +1477,11 @@ ] }, "locked": { - "lastModified": 1704308480, - "narHash": "sha256-88ICCdJyYYtsolRnPhI9IF+bhUIVUyhJ7nrKcKPgf6M=", + "lastModified": 1705504375, + "narHash": "sha256-oRVxuJ6sCljsgfoWb+SsIK2MvUjsxrXQHRoVTUDVC40=", "owner": "danth", "repo": "stylix", - "rev": "9bc1900b6888efdda39c2e02c7c8666911b72608", + "rev": "2d59480b4531ce8d062d20a42560a266cb42b9d0", "type": "github" }, "original": { @@ -1653,11 +1671,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1705313011, - "narHash": "sha256-ASZCgwE1rTnhlMfooTrcLIaxaQBdFKcpX7r8rYtrpE8=", + "lastModified": 1705487953, + "narHash": "sha256-6oh1H7/74v57m3AtK8jQLvN9LtKqyeT862krjJasOJs=", "owner": "Toqozz", "repo": "wired-notify", - "rev": "2857b543b2fc0d1471ceb5409c846fbaa4ed8062", + "rev": "fe0f02af93b09e5fe689c948a557e466b99d9a58", "type": "github" }, "original": { 
diff --git a/flake.nix b/flake.nix index 8a2b02e..c08381c 100644 --- a/flake.nix +++ b/flake.nix @@ -63,12 +63,11 @@ }; nixos-nftables-firewall = { - url = "github:oddlama/nixos-nftables-firewall"; + url = "github:thelegy/nixos-nftables-firewall"; inputs.nixpkgs.follows = "nixpkgs"; }; - # BUG: nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs.url = "github:oddlama/nixpkgs/fix-kanidm-build"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-wayland = { url = "github:nix-community/nixpkgs-wayland"; diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 8639923..1dd172c 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -47,6 +47,7 @@ mkGuest = guestName: { enableStorageDataset ? false, enableBunkerDataset ? false, + enablePaperlessDataset ? false, ... }: { autostart = true; @@ -67,6 +68,10 @@ pool = "storage"; dataset = "bunker/guests/${guestName}"; }; + zfs."/paperless" = lib.mkIf enablePaperlessDataset { + pool = "storage"; + dataset = "bunker/paperless"; + }; modules = [ ../../modules ./guests/common.nix @@ -116,11 +121,14 @@ // mkMicrovm "samba" { enableStorageDataset = true; enableBunkerDataset = true; + enablePaperlessDataset = true; } // mkMicrovm "grafana" {} // mkMicrovm "influxdb" {} // mkMicrovm "loki" {} - // mkMicrovm "paperless" {} + // mkMicrovm "paperless" { + enablePaperlessDataset = true; + } #// mkMicrovm "minecraft" #// mkMicrovm "immich" #// mkMicrovm "firefly" diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 793b9f1..1959ede 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix 
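Review bot: The new `zfs."/paperless"` entry mounts one dataset, `bunker/paperless`, into two guests at the same time (the third hunk sets `enablePaperlessDataset = true` for both `samba` and `paperless`), unlike the per-guest `bunker/guests/${guestName}` datasets directly above it, and nothing records that this sharing is intentional or what it relies on. Cross-guest sharing of a filesystem only works if both guests interpret the ownership on it identically, so I'd add a comment above the entry: `# Shared between every guest that enables it (samba + paperless); both sides must use the same paperless uid/gid for files on it.` The `mkGuest` function this lives in starts and ends outside the hunk.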
@@ -6,19 +6,8 @@ sentinelCfg = nodes.sentinel.config; paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}"; in { - # XXX: remove microvm.mem = 1024 * 12; - # XXX: remove microvm.vcpu = 4; - - meta.wireguard-proxy.sentinel.allowedTCPPorts = [ - config.services.paperless.port - ]; - - age.secrets.paperless-admin-password = { - rekeyFile = config.node.secretsDir + "/paperless-admin-password.age"; - generator.script = "alnum"; - mode = "440"; - group = "paperless"; - }; + microvm.mem = 1024 * 6; + microvm.vcpu = 8; nodes.sentinel = { networking.providedDomains.paperless = paperlessDomain; 
@@ -46,27 +35,49 @@ in { }; }; - # TODO environment.persistence."/persist".directories = [ - # TODO { - # TODO directory = "/var/lib/???"; - # TODO user = "???"; - # TODO group = "???"; - # TODO mode = "0700"; - # TODO } - # TODO ]; + meta.wireguard-proxy.sentinel.allowedTCPPorts = [ + config.services.paperless.port + ]; + + age.secrets.paperless-admin-password = { + rekeyFile = config.node.secretsDir + "/paperless-admin-password.age"; + generator.script = "alnum"; + mode = "440"; + group = "paperless"; + }; + + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/paperless"; + user = "paperless"; + group = "paperless"; + mode = "0750"; + } + ]; services.paperless = { enable = true; address = "0.0.0.0"; passwordFile = config.age.secrets.paperless-admin-password.path; + consumptionDir = "/paperless/consume"; + mediaDir = "/paperless/media"; settings = { PAPERLESS_URL = "https://${paperlessDomain}"; + PAPERLESS_ALLOWED_HOSTS = paperlessDomain; + PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; + PAPERLESS_TRUSTED_PROXIES = sentinelCfg.meta.wireguard.proxy-sentinel.ipv4; + PAPERLESS_CONSUMER_ENABLE_BARCODES = true; PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true; PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING"; - PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}"; + PAPERLESS_CONSUMER_RECURSIVE = true; + PAPERLESS_FILENAME_FORMAT = "{owner_username}/{created_year}-{created_month}-{created_day}_{asn}_{title}"; + + # Nginx does that better. + PAPERLESS_ENABLE_COMPRESSION = false; + #PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates; - PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4; + PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 8; PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_TASK_WORKERS = 4; PAPERLESS_WEBSERVER_WORKERS = 4; diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index e3cce5d..1f7d27c 100644 --- a/hosts/sire/guests/samba.nix +++ b/hosts/sire/guests/samba.nix 
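Review bot: `PAPERLESS_FILENAME_FORMAT = "{owner_username}/..."` only partitions documents that actually have an owner, and nothing in this hunk assigns one: `PAPERLESS_CONSUMER_RECURSIVE = true` makes the consumer descend into the per-user `consume/<user>` directories but does not derive ownership from the path, so files dropped there would presumably be stored under Paperless's placeholder owner directory instead of `<user>/` and never show up in that user's read-only share — confirm that a consumption workflow assigns the owner by source path, and add a comment saying which side is responsible for it. `address = "0.0.0.0"` binds the web server on every interface of the guest, so reachability depends entirely on the `meta.wireguard-proxy.sentinel.allowedTCPPorts` rule; that is worth stating next to it, e.g. `# Listens on all guest interfaces; the nftables proxy rule above is what limits access to the sentinel.` Pinning `PAPERLESS_TRUSTED_PROXIES` to the sentinel's WireGuard address is the right scope for honouring forwarded client IPs.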
@@ -46,7 +46,11 @@ } ); - mkUserShares = user: {enableBunker ? false, ...}: + mkUserShares = user: { + enableBunker ? false, + enablePaperless ? false, + ... + }: [ (mkShare user "/shares/users/${user}" { "valid users" = user; @@ -56,6 +60,13 @@ mkShare "${user}-bunker" "/shares/users/${user}-bunker" { "valid users" = user; } + ) + ++ lib.optional enablePaperless ( + mkShare "${user}-paperless" "/shares/users/${user}-paperless" { + "valid users" = user; + "force user" = "paperless"; + "force group" = "paperless"; + } ); in { age.secrets."samba-passdb.tdb" = { @@ -89,9 +100,8 @@ in { ''; }; - fileSystems."/storage".neededForBoot = true; - fileSystems."/bunker".neededForBoot = true; - environment.persistence = lib.mkMerge ([ + environment.persistence = lib.mkMerge ( + [ { "/persist".files = [ "/etc/ssh/ssh_host_rsa_key" @@ -114,7 +124,13 @@ in { mkPersistent "/bunker" "/shares/groups/${name}-bunker" name ) ) - )); + ) + ); + + services.samba-wsdd = { + enable = true; + openFirewall = true; + }; services.samba = { enable = true; 
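Review bot: The new `${user}-paperless` share forces every operation to `paperless`/`paperless`, so files written through it are indistinguishable on disk from the service's own and ordinary DAC no longer separates one samba user's data from another's; the per-user isolation rests on `"valid users" = user` plus the distinct share path, which deserves a comment such as `# force user: files must be owned by paperless so the paperless guest can consume them; isolation between users is per share via valid users.` Whatever defaults `mkShare` applies (`read only`, `create mask`, …) are outside this hunk, so I cannot tell whether anything but the consume directory is meant to be writable; as written, protection of the document trees has to come from mounts rather than from Samba settings here.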
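Review bot: `services.samba-wsdd.openFirewall = true` opens the WS-Discovery ports (UDP 3702, TCP 5357) on every interface of the samba guest, including the link the sentinel proxy uses, while discovery only makes sense on the LAN segment that Windows clients browse from. I'd drop `openFirewall` and open the ports per interface instead, e.g. `networking.firewall.interfaces.<lan-iface>.allowedUDPPorts = [ 3702 ];` and `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 5357 ];`, or at least leave a comment explaining why guest-wide exposure is acceptable. The LAN interface name is not visible in this hunk.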
@@ -188,6 +204,100 @@ in { )); }; + systemd.tmpfiles.settings = lib.mkMerge ( + # Make sure the main paperless structure exists + [ + { + "10-smb-paperless" = { + "/paperless/consume".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/media".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/media/documents".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/media/documents/archive".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/media/documents/originals".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + }; + } + ] + # For each paperless share, make sure the necessary sub-folders for that user are created + # at boot so we can bind-mount them into the shares. + ++ lib.flatten (lib.flip lib.mapAttrsToList smbUsers ( + user: userCfg: + lib.optional (userCfg.enablePaperless or false) { + "10-smb-paperless" = { + "/shares/users/${user}-paperless".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/consume/${user}".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/media/documents/archive/${user}".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + "/paperless/media/documents/originals/${user}".d = { + user = "paperless"; + group = "paperless"; + mode = "0750"; + }; + }; + } + )) + ); + + # For each paperless share, bind-mount create the necessary folders using tmpfiles. 
+ fileSystems = lib.mkMerge ( + [ + { + "/storage".neededForBoot = true; + "/bunker".neededForBoot = true; + } + ] + ++ lib.flip lib.mapAttrsToList smbUsers ( + user: userCfg: + lib.optionalAttrs (userCfg.enablePaperless or false) { + "/shares/users/${user}-paperless/consume" = { + fsType = "none"; + options = ["bind"]; + device = "/paperless/consume/${user}"; + }; + "/shares/users/${user}-paperless/documents" = { + fsType = "none"; + options = ["bind" "ro"]; + device = "/paperless/media/documents/archive/${user}"; + }; + "/shares/users/${user}-paperless/originals" = { + fsType = "none"; + options = ["bind" "ro"]; + device = "/paperless/media/documents/originals/${user}"; + }; + } + ) + ); + users.users = let mkUser = name: id: groups: { isNormalUser = true; @@ -210,10 +320,20 @@ in { scanner.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJcWkqM2gXM9MJoKggCMpXLBJvgPP0fuoIO3UNy4h4uFzyDqMKAADjaJHCqyIQPq/s5vATVmuu4GQyajkc7Y3fBg/2rvAACzFx/2ufK2M4dkdDcYOX6kyNZL7XiJRmLfUR2cqda3P3bQxapkdfIOWfPQQJUAnYlVvUaIShoBxYw5HXRTr2jR5UAklfIRWZOmx07WKC6dZG5MIm1Luun5KgvqQmzQ9ErL5tz/Oi5pPdK30kdkS5WdeWD6KwL78Ff4KfC0DVTO0zb/C7WyKk4ZLu+UKCLHXDTzE4lhBAu6mSUfJ5nQhmdLdKg6Gvh1St/vRcsDJOZqEFBVn35/oK974l root@ADS_4300N_BRN000EC691D285" ]; + + paperless = { + group = "paperless"; + uid = config.ids.uids.paperless; + home = "/var/empty"; + }; } ]; - users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups); + users.groups = + { + paperless.gid = config.ids.gids.paperless; + } + // lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups); # Backups # ======================================================================== diff --git a/hosts/sire/secrets/samba/local.nix.age b/hosts/sire/secrets/samba/local.nix.age index 75eefdc..9f8d0ba 100644 --- a/hosts/sire/secrets/samba/local.nix.age +++ b/hosts/sire/secrets/samba/local.nix.age 
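Review bot: The read-only bind mounts for `documents` and `originals` are the only thing stopping a share user — who operates as the forced `paperless` owner of every file — from altering or deleting archived documents, because `0750 paperless:paperless` underneath grants that identity full write access; `options = ["bind" "ro"]` relies on mount(8) performing the follow-up read-only remount, so verify after boot with `findmnt -o TARGET,OPTIONS /shares/users/<user>-paperless/originals` that `ro` is really in effect and note that in a comment. The ordering between the tmpfiles rules and these mounts also looks inverted: the bind sources (`/paperless/consume/<user>` etc.) are created by systemd-tmpfiles, which normally runs after `local-fs.target`, while `fileSystems` entries are mounted as part of it, so the first boot after enabling paperless for a user may attempt to bind-mount a directory that does not exist yet — consider `nofail`/explicit ordering or pre-creating the directories on the host side. Finally, the comment `# For each paperless share, bind-mount create the necessary folders using tmpfiles.` reads as a leftover; something like `# For each paperless share, bind-mount the per-user consume (rw) and document (ro) folders into the share root.` states what the block does.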
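Review bot: `users.users.paperless` is declared with neither `isSystemUser` nor `isNormalUser`; unless one of them is set elsewhere, NixOS's users assertion rejects that at evaluation time, and for a no-login service identity the right one is `isSystemUser = true;`. The fixed `uid = config.ids.uids.paperless` / `gid = config.ids.gids.paperless` is what makes ownership on the shared dataset line up with the paperless guest, and that assumption should be written down, e.g. `# Must match the uid/gid the paperless guest uses: the dataset is shared, so ownership is interpreted identically on both sides.`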
@@ -1,12 +1,9 @@ age-encryption.org/v1 --> X25519 XPiCVTwoNp+wxBHO+VroeCoWNHVsdtjeSEX4cLCnHFY -RWmVk3RrtU3qOBjvBbYJ9qSf34PHXAUVhnC9fdFCEf4 --> piv-p256 xqSe8Q A4hKgmiwNm99B4RVisUnKDDj4r6KtOOpeVCBM35Z/V76 -OLj3c+OIFfqbclocmoIKuKEaOengs0cCipI4wNRrbaQ --> 46$NeX?-grease Z'&t |s}Wh: -P0L0T0ObtToRodYfse+ETpl3GWGAbLlVFrJJackWMgkOWIjkU8YvKmQHcQ7QTSc7 -bFyyf1pDEkkAGAZEzoqnem+0sZN4bcqNuZJKqkzCaJDeJvrui0sCfyj0 ---- HCDoDWmBPaPfC3oh/qroi2nMtBI3PvmAfhlRpPpktJk -e>~/Ĭƻo!e܎~FheFdR˲0%ETxV\7% zBѢ&qՒe=pR K΍cZپ4w~s -b<[u Z6Qk!!$K[QU;fg|P쐆KVQh~ -eKE1ޝAΜt UD\; ş \ No newline at end of file +-> X25519 Q7D2vrZW1uTnMN/Z4EK9TbW1G2TY8Qb2Ws/hMLXu4i0 +lR33X+3PHN4BwkuPmL9e3nl4RvM1li2bnCnhGt7mV54 +-> piv-p256 xqSe8Q ApCyiAdPYwN34Nz/e3FdnmCNvNpDXKcmO3o9MOylggFi +uEAIcTjk4iOPjDzkdBKnXc9Mbu+17FKJXKJ+uWiXO60 +-> !hç_r懿Y#I[+9G?u) v´k_P@`/i%!X5`Cr_.\z2G>e}!}Oa4iƟZDߩmPI2Z[!!wT]pS6DSLxTҘW@)8Un1 29Ǝ>x,RUoc־Qz#'fHU1P"9k6dΕfk-A8]BQN W&:ꗓ$7z e}&YaJ x$?}/Pp~s M" p|Q ˓톕kȘ裱,r f쬓 Ɔ^QQ%. \ No newline at end of file diff --git a/modules/wireguard-proxy.nix b/modules/wireguard-proxy.nix index 20e5b5a..5d21c99 100644 --- a/modules/wireguard-proxy.nix +++ b/modules/wireguard-proxy.nix @@ -65,6 +65,7 @@ in { rules."${proxy}-to-local" = { from = [proxy]; to = ["local"]; + ignoreEmptyRule = true; inherit (cfg.${proxy})