mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: add paperless samba share and per-user consume folder

Browse source
This commit is contained in:
oddlama 2024-01-19 02:03:29 +01:00
parent 8446b8fa13
commit b466f8ab65
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 245 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

10
hosts/sire/default.nix
View file

@ -47,6 +47,7 @@
mkGuest = guestName: {
enableStorageDataset ? false,
enableBunkerDataset ? false,
enablePaperlessDataset ? false,
...
}: {
autostart = true;
@ -67,6 +68,10 @@
pool = "storage";
dataset = "bunker/guests/${guestName}";
};
zfs."/paperless" = lib.mkIf enablePaperlessDataset {
pool = "storage";
dataset = "bunker/paperless";
};
modules = [
../../modules
./guests/common.nix
@ -116,11 +121,14 @@
// mkMicrovm "samba" {
enableStorageDataset = true;
enableBunkerDataset = true;
enablePaperlessDataset = true;
}
// mkMicrovm "grafana" {}
// mkMicrovm "influxdb" {}
// mkMicrovm "loki" {}
// mkMicrovm "paperless" {}
// mkMicrovm "paperless" {
enablePaperlessDataset = true;
}
#// mkMicrovm "minecraft"
#// mkMicrovm "immich"
#// mkMicrovm "firefly"

57
hosts/sire/guests/paperless.nix
View file

@ -6,19 +6,8 @@
sentinelCfg = nodes.sentinel.config;
paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
# XXX: remove microvm.mem = 1024 * 12;
# XXX: remove microvm.vcpu = 4;
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.paperless.port
];
age.secrets.paperless-admin-password = {
rekeyFile = config.node.secretsDir + "/paperless-admin-password.age";
generator.script = "alnum";
mode = "440";
group = "paperless";
};
microvm.mem = 1024 * 6;
microvm.vcpu = 8;
nodes.sentinel = {
networking.providedDomains.paperless = paperlessDomain;
@ -46,27 +35,49 @@ in {
};
};
# TODO environment.persistence."/persist".directories = [
# TODO {
# TODO directory = "/var/lib/???";
# TODO user = "???";
# TODO group = "???";
# TODO mode = "0700";
# TODO }
# TODO ];
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.paperless.port
];
age.secrets.paperless-admin-password = {
rekeyFile = config.node.secretsDir + "/paperless-admin-password.age";
generator.script = "alnum";
mode = "440";
group = "paperless";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/paperless";
user = "paperless";
group = "paperless";
mode = "0750";
}
];
services.paperless = {
enable = true;
address = "0.0.0.0";
passwordFile = config.age.secrets.paperless-admin-password.path;
consumptionDir = "/paperless/consume";
mediaDir = "/paperless/media";
settings = {
PAPERLESS_URL = "https://${paperlessDomain}";
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_TRUSTED_PROXIES = sentinelCfg.meta.wireguard.proxy-sentinel.ipv4;
PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
PAPERLESS_CONSUMER_RECURSIVE = true;
PAPERLESS_FILENAME_FORMAT = "{owner_username}/{created_year}-{created_month}-{created_day}_{asn}_{title}";
# Nginx does that better.
PAPERLESS_ENABLE_COMPRESSION = false;
#PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 8;
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_TASK_WORKERS = 4;
PAPERLESS_WEBSERVER_WORKERS = 4;

132
hosts/sire/guests/samba.nix
View file

@ -46,7 +46,11 @@
}
);
mkUserShares = user: {enableBunker ? false, ...}:
mkUserShares = user: {
enableBunker ? false,
enablePaperless ? false,
...
}:
[
(mkShare user "/shares/users/${user}" {
"valid users" = user;
@ -56,6 +60,13 @@
mkShare "${user}-bunker" "/shares/users/${user}-bunker" {
"valid users" = user;
}
)
++ lib.optional enablePaperless (
mkShare "${user}-paperless" "/shares/users/${user}-paperless" {
"valid users" = user;
"force user" = "paperless";
"force group" = "paperless";
}
);
in {
age.secrets."samba-passdb.tdb" = {
@ -89,9 +100,8 @@ in {
'';
};
fileSystems."/storage".neededForBoot = true;
fileSystems."/bunker".neededForBoot = true;
environment.persistence = lib.mkMerge ([
environment.persistence = lib.mkMerge (
[
{
"/persist".files = [
"/etc/ssh/ssh_host_rsa_key"
@ -114,7 +124,13 @@ in {
mkPersistent "/bunker" "/shares/groups/${name}-bunker" name
)
)
));
)
);
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.samba = {
enable = true;
@ -188,6 +204,100 @@ in {
));
};
systemd.tmpfiles.settings = lib.mkMerge (
# Make sure the main paperless structure exists
[
{
"10-smb-paperless" = {
"/paperless/consume".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/media".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/media/documents".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/media/documents/archive".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/media/documents/originals".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
};
}
]
# For each paperless share, make sure the necessary sub-folders for that user are created
# at boot so we can bind-mount them into the shares.
++ lib.flatten (lib.flip lib.mapAttrsToList smbUsers (
user: userCfg:
lib.optional (userCfg.enablePaperless or false) {
"10-smb-paperless" = {
"/shares/users/${user}-paperless".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/consume/${user}".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/media/documents/archive/${user}".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
"/paperless/media/documents/originals/${user}".d = {
user = "paperless";
group = "paperless";
mode = "0750";
};
};
}
))
);
# For each paperless share, bind-mount create the necessary folders using tmpfiles.
fileSystems = lib.mkMerge (
[
{
"/storage".neededForBoot = true;
"/bunker".neededForBoot = true;
}
]
++ lib.flip lib.mapAttrsToList smbUsers (
user: userCfg:
lib.optionalAttrs (userCfg.enablePaperless or false) {
"/shares/users/${user}-paperless/consume" = {
fsType = "none";
options = ["bind"];
device = "/paperless/consume/${user}";
};
"/shares/users/${user}-paperless/documents" = {
fsType = "none";
options = ["bind" "ro"];
device = "/paperless/media/documents/archive/${user}";
};
"/shares/users/${user}-paperless/originals" = {
fsType = "none";
options = ["bind" "ro"];
device = "/paperless/media/documents/originals/${user}";
};
}
)
);
users.users = let
mkUser = name: id: groups: {
isNormalUser = true;
@ -210,10 +320,20 @@ in {
scanner.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJcWkqM2gXM9MJoKggCMpXLBJvgPP0fuoIO3UNy4h4uFzyDqMKAADjaJHCqyIQPq/s5vATVmuu4GQyajkc7Y3fBg/2rvAACzFx/2ufK2M4dkdDcYOX6kyNZL7XiJRmLfUR2cqda3P3bQxapkdfIOWfPQQJUAnYlVvUaIShoBxYw5HXRTr2jR5UAklfIRWZOmx07WKC6dZG5MIm1Luun5KgvqQmzQ9ErL5tz/Oi5pPdK30kdkS5WdeWD6KwL78Ff4KfC0DVTO0zb/C7WyKk4ZLu+UKCLHXDTzE4lhBAu6mSUfJ5nQhmdLdKg6Gvh1St/vRcsDJOZqEFBVn35/oK974l root@ADS_4300N_BRN000EC691D285"
];
paperless = {
group = "paperless";
uid = config.ids.uids.paperless;
home = "/var/empty";
};
}
];
users.groups = lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);
users.groups =
{
paperless.gid = config.ids.gids.paperless;
}
// lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);
# Backups
# ========================================================================

19
hosts/sire/secrets/samba/local.nix.age
View file

@ -1,12 +1,9 @@
age-encryption.org/v1
-> X25519 XPiCVTwoNp+wxBHO+VroeCoWNHVsdtjeSEX4cLCnHFY
RWmVk3RrtU3qOBjvBbYJ9qSf34PHXAUVhnC9fdFCEf4
-> piv-p256 xqSe8Q A4hKgmiwNm99B4RVisUnKDDj4r6KtOOpeVCBM35Z/V76
OLj3c+OIFfqbclocmoIKuKEaOengs0cCipI4wNRrbaQ
-> 46$NeX?-grease Z'&t |s}Wh:
P0L0T0ObtToRodYfse+ETpl3GWGAbLlVFrJJackWMgkOWIjkU8YvKmQHcQ7QTSc7
bFyyf1pDEkkAGAZEzoqnem+0sZN4bcqNuZJKqkzCaJDeJvrui0sCfyj0
--- HCDoDWmBPaPfC3oh/qroi2nMtBI3PvmAfhlRpPpktJk
e˛”> ~Đ/Ĭ÷Ć»oŞ!eÜŽş·Ý~Fhű��ý™¸±�eFd÷Âř¦R˲0%EâTxV\ę«7™ŇË% �óz˛BѢ&qžŐ’·Üe=pÇR¸ » KÎŤc¨Çî˛ôZŮľ¶±Ň4€ŕwć~Çs
b<[şu÷§Î<gý}W8uYá?Ëä`'źŮ\OÍT»(tJ}ßť5ns(W‚VÚRť"ŁdíLHGĽß1Î<Şm¸OYS·ý‰.Ŕ`†7A¤c¦ZŻĂčöy­¦1"`Ä.3 líŃččăsőg»7étçĚEmAemvGұ�•–ä$”^jŤ)*ᩦ‹¬©ž‹˙=hĄSa�YçPńš1]7Ű�ůą/-RśÇ5P˙qÂŁ"ú$)ÝűŮřť˛^Űý`Ę"~TuŻ.=;¨?.±m÷ű0Şňű-¸×?OŘ!…K,îžB˛„† ܸN?«ĂYhă=”Ł_żĂđ<ŰŻR[Ó>ŰÓĄ Z6Q‡ kŃË˙!ťÓŢńéć!$K[‡QU;fgä|šĺPě�†K‰ŢVQh~ŚŇđ
‹ČńeîąĂKŃE1äŢťAŚéÄôÎśt UD\; Ĺź
-> X25519 Q7D2vrZW1uTnMN/Z4EK9TbW1G2TY8Qb2Ws/hMLXu4i0
lR33X+3PHN4BwkuPmL9e3nl4RvM1li2bnCnhGt7mV54
-> piv-p256 xqSe8Q ApCyiAdPYwN34Nz/e3FdnmCNvNpDXKcmO3o9MOylggFi
uEAIcTjk4iOPjDzkdBKnXc9Mbu+17FKJXKJ+uWiXO60
-> !h<J'(Xn-grease o9_~ hZ&
BNE5AxqxXURYm7ZmQ88gLg
--- T55VcCw25vkWx2TucwlNIIQDaSkCZ4sEFbhUiS8w/nw
|ÙS ç²^ÍB¨Íu'!hD¹XY"iÂ|^ωðÄ"­?"u�ÃmîtÂ…má1yts•ÆS2s ëÁf"È�Q!ÿNr +>ç�_r懿ÂY´ßÀ#I[+ð9èG?u‡) ûvˆÂ´ÜkÔòžšØÚÊÔ_“PÑÆ@`Ø/ó¦iÏ㈭­%!X5`C‚r¤_Ú.\zýŒ’�ã2ÂúG>e}î!}¢�Oø¶aü4º¤œ‰i†‰ÆŸÒZDÙøß©m–PI2Z[ì„ñ!!w��îTí]p–ÕSç6êÐÁDÖÅSLxûøTÒ˜µ‹´©¥ÛçÁW@‡)8‡õ…U•nÁÞ1 2¶Ÿ„ó9튮Ǝ>éæx,«òÙ²RU¼o˜ñ¥Óùc–£²Ö¾Q‘�©z#'f­H¬ÝU1P¨"9Š°ªöÕk6‹dïΕfÁþkþ�ø-A8]ÁÍËB±QN» • îWŸÝ&�‘³�:ê—“á$ï»7z‘Ì …ÅeÀñ}&ÕáY²a…J÷� x$?}/P‡p~«sû½Ûùš˜ M"² ôp´ Æù|øåQ ˓톕Šï­kȘö¾è£±,r ëfÄë쬓 ìƆ´Á^QQ%.ô­