From a713913eefd3a201f971c456c648099d5ca1e3e1 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Thu, 22 Aug 2024 23:44:40 +0200
Subject: [PATCH] nixos: services: add pdf-edit
---
 modules/nixos/services/default.nix | 1 +
 modules/nixos/services/pdf-edit/default.nix | 73 +++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 modules/nixos/services/pdf-edit/default.nix
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
index e877c8f..1211ee6 100644
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -26,6 +26,7 @@
 ./nginx
 ./nix-cache
 ./paperless
+ ./pdf-edit
 ./podgrab
 ./postgresql
 ./postgresql-backup
diff --git a/modules/nixos/services/pdf-edit/default.nix b/modules/nixos/services/pdf-edit/default.nix
new file mode 100644
index 0000000..d59507b
--- /dev/null
+++ b/modules/nixos/services/pdf-edit/default.nix
@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+let
+ cfg = config.my.services.pdf-edit;
+in
+{
+ options.my.services.pdf-edit = with lib; {
+ enable = mkEnableOption "PDF edition service";
+
+ port = mkOption {
+ type = types.port;
+ default = 8089;
+ example = 8080;
+ description = "Internal port for webui";
+ };
+
+ loginFile = mkOption {
+ type = types.str;
+ example = "/run/secrets/pdf-edit/login.env";
+ description = ''
+ `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD`
+ defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`).
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.stirling-pdf = lib.mkIf cfg.enable {
+ enable = true;
+
+ environment = {
+ SERVER_PORT = cfg.port;
+ SECURITY_CSRFDISABLED = "false";
+
+ SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications
+ INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module
+
+ SECURITY_ENABLELOGIN = "true";
+ SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead
+ };
+
+ environmentFiles = [ cfg.loginFile ];
+ };
+
+ my.services.nginx.virtualHosts = {
+ pdf-edit = {
+ inherit (cfg) port;
+
+ extraConfig = {
+ # Allow upload of PDF files up to 1G
+ locations."/".extraConfig = ''
+ client_max_body_size 1G;
+ '';
+ };
+ };
+ };
+
+ services.fail2ban.jails = {
+ stirling-pdf = ''
+ enabled = true
+ filter = stirling-pdf
+ port = http,https
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/stirling-pdf.conf".text = ''
+ [Definition]
+ failregex = ^.*Failed login attempt from IP: $
+ journalmatch = _SYSTEMD_UNIT=stirling-pdf.service
+ '';
+ };
+ };
+}
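Review bot: With `SECURITY_LOGINATTEMPTCOUNT = "-1"` the application's own lockout is switched off, so login brute-force protection rests entirely on the `stirling-pdf` jail, and two details in this hunk decide whether that jail can ever ban anyone. As rendered here the `failregex` ends in `from IP: $` with no `<HOST>` token; unless that token was lost when the page was extracted, fail2ban has no address to act on and the line should read `failregex = ^.*Failed login attempt from IP: <HOST>$`. Separately, the service is published through the nginx virtual host, so it is worth confirming that the address written to the journal is the client's and not the proxy's loopback address, which fail2ban would normally ignore; that depends on Stirling-PDF's forwarded-header handling, which is not visible in this hunk. A short comment next to the `-1` recording both assumptions would make the dependency explicit for the next reader.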