From a78091c57c35499454037b75381fa91f74729257 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 30 Aug 2021 17:54:15 +0200 Subject: [PATCH 1/7] flake: bump inputs --- flake.lock | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index faf9162..3125d0e 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "futils": { "locked": { - "lastModified": 1629284811, + "lastModified": 1629481132, "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c", + "rev": "997f7efcb746a9c140ce1f13c72263189225f482", "type": "github" }, "original": { @@ -23,11 +23,11 @@ ] }, "locked": { - "lastModified": 1629347633, - "narHash": "sha256-FGZJ7lmTAMIkjdrh6dIPck5HuB4KMT2GgDV5ZjiCWoc=", + "lastModified": 1630294974, + "narHash": "sha256-9e3AKxbCoexrsWFXxQ4QUETNxQlXaffnntEnPOO19oI=", "owner": "nix-community", "repo": "home-manager", - "rev": "bf6b85136b47ab1a76df4a90ea4850871147494a", + "rev": "61ca2fc1c00a275b8bd61582b23195d60fe0fa40", "type": "github" }, "original": { @@ -39,11 +39,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1629292755, - "narHash": "sha256-5xMo32NVLnloY9DveqwJO/Cab1+PbTMPqU4WMmawX5M=", + "lastModified": 1630248577, + "narHash": "sha256-9d/yq96TTrnF7qjA6wPYk+rYjWAXwfUmwk3qewezSeg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "253aecf69ed7595aaefabde779aa6449195bebb7", + "rev": "8d8a28b47b7c41aeb4ad01a2bd8b7d26986c3512", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nur": { "locked": { - "lastModified": 1629359626, - "narHash": "sha256-of3obB9km+QnrBpWHm1b1k33qQOqNB0c8grkVcXNP7o=", + "lastModified": 1630395220, + "narHash": "sha256-Nb5SppZmj+0MH33c2/qdRFqGTo/8g0CTfVtsGZ/sQf0=", "owner": "nix-community", "repo": "NUR", - "rev": "805c0d529efe652fa85f92527bec68ce26a08723", + "rev": "607b9cebfdbf57ec864aacf14efa64fac920016d", "type": "github" }, "original": { 
From 47d19e5b3f027d25918adcd0d6a8dda8160f1349 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 19 Aug 2021 13:07:51 +0200 Subject: [PATCH 2/7] secrets: add paperless --- secrets/default.nix | 2 ++ secrets/paperless/secretKey.txt | Bin 0 -> 87 bytes 2 files changed, 2 insertions(+) create mode 100644 secrets/paperless/secretKey.txt diff --git a/secrets/default.nix b/secrets/default.nix index 5b6c94b..97d9da0 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -56,6 +56,8 @@ throwOnCanary { nextcloud.password = fileContents ./nextcloud/password.txt; + paperless.secretKey = fileContents ./paperless/secretKey.txt; + podgrab.password = fileContents ./podgrab/password.txt; sso = import ./sso { inherit lib; }; diff --git a/secrets/paperless/secretKey.txt b/secrets/paperless/secretKey.txt new file mode 100644 index 0000000000000000000000000000000000000000..fe31bc4999a48ec5a37340217454c558fb360041 GIT binary patch literal 87 zcmZQ@_Y83kiVO&0aMfD6P4Vn^t+S8fUVr}knLjkQEB_u(4g2krpWZXcc{O)w*)nk% uAJlsim9ukkx0d^(%CL)WXE$4}Ge{|3wBYH_w>oG33$$Hh@HDCReE Date: Thu, 19 Aug 2021 13:05:08 +0200 Subject: [PATCH 3/7] modules: services: add paperless --- modules/services/default.nix | 1 + modules/services/paperless.nix | 113 +++++++++++++++++++++++++++++++++ modules/system/media.nix | 1 + 3 files changed, 115 insertions(+) create mode 100644 modules/services/paperless.nix diff --git a/modules/services/default.nix b/modules/services/default.nix index 4760ab1..9f132d0 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -18,6 +18,7 @@ ./navidrome.nix ./nextcloud.nix ./nginx.nix + ./paperless.nix ./pirate.nix ./podgrab.nix ./postgresql-backup.nix diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix new file mode 100644 index 0000000..dd3a98b --- /dev/null +++ b/modules/services/paperless.nix 
@@ -0,0 +1,113 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.services.paperless;
+in
+{
+ options.my.services.paperless = with lib; {
+ enable = mkEnableOption "Paperless service";
+
+ port = mkOption {
+ type = types.port;
+ default = 4535;
+ example = 8080;
+ description = "Internal port for webui";
+ };
+
+ secretKey = mkOption {
+ type = types.str;
+ example = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee";
+ description = "Secret key used for sessions tokens";
+ };
+
+ documentPath = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ example = "/mnt/paperless";
+ description = ''
+ Path to the directory to store the documents. Use default if null
+ '';
+ };
+
+ username = mkOption {
+ type = types.str;
+ default = "ambroisie";
+ example = "username";
+ description = "Name of the administrator";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.paperless-ng = {
+ enable = true;
+
+ port = cfg.port;
+
+ mediaDir = lib.mkIf (cfg.documentPath != null) cfg.documentPath;
+
+ extraConfig =
+ let
+ paperlessDomain = "paperless.${config.networking.domain}";
+ in
+ {
+ # Use SSO
+ PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;
+ PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_X_USER";
+
+ # Use PostgreSQL
+ PAPERLESS_DBHOST = "/run/postgresql";
+ PAPERLESS_DBUSER = "paperless";
+ PAPERLESS_DBNAME = "paperless";
+
+ # Security settings
+ PAPERLESS_SECRET_KEY = cfg.secretKey; # Insecure, I don't care
+ PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
+ PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
+
+ # OCR settings
+ PAPERLESS_OCR_LANGUAGE = "fra+eng";
+
+ # Misc
+ PAPERLESS_TIME_ZONE = config.time.timeZone;
+ PAPERLESS_ADMIN_USER = cfg.username;
+ };
+ };
+
+ # Set-up database
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "paperless" ];
+ ensureUsers = [
+ {
+ name = "paperless";
+ ensurePermissions."DATABASE paperless" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ systemd.services.paperless-ng-server = {
+ # Make sure the 
DB is available + after = [ "postgresql.service" ]; + }; + + + users.users.${config.services.paperless-ng.user} = { + extraGroups = [ "media" ]; + }; + + my.services.nginx.virtualHosts = [ + { + subdomain = "paperless"; + inherit (cfg) port; + sso = { + enable = true; + }; + } + ]; + + my.services.backup = { + paths = [ + config.services.paperless-ng.mediaDir + ]; + }; + }; +} diff --git a/modules/system/media.nix b/modules/system/media.nix index 4ad2fee..630a351 100644 --- a/modules/system/media.nix +++ b/modules/system/media.nix @@ -5,6 +5,7 @@ let mediaServices = with config.my.services; [ calibre-web jellyfin + paperless pirate sabnzbd transmission From 5ae7b593e4cc1a7f2eec8e8b3c53b2a7191298f2 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Mon, 30 Aug 2021 20:33:27 +0200 Subject: [PATCH 4/7] secrets: add paperless password To be used as a fallback. --- secrets/default.nix | 5 ++++- secrets/paperless/password.txt | Bin 0 -> 55 bytes 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 secrets/paperless/password.txt diff --git a/secrets/default.nix b/secrets/default.nix index 97d9da0..fbc1bfa 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -56,7 +56,10 @@ throwOnCanary { nextcloud.password = fileContents ./nextcloud/password.txt; - paperless.secretKey = fileContents ./paperless/secretKey.txt; + paperless = { + password = fileContents ./paperless/password.txt; + secretKey = fileContents ./paperless/secretKey.txt; + }; podgrab.password = fileContents ./podgrab/password.txt; diff --git a/secrets/paperless/password.txt b/secrets/paperless/password.txt new file mode 100644 index 0000000000000000000000000000000000000000..5e2cb81f855fcb4517cbd1f6ee8adb9b268574d0 GIT binary patch literal 55 zcmZQ@_Y83kiVO&0h}b1>v7hDrDYtK@-)r)9asBQ8<#yiZbkUJ{rUh=_Qtl^Z%YD0h M|F4v7G20q90H7)wBLDyZ literal 0 HcmV?d00001 From 52706ab4c49b6141931b91d7b7e0e193a35b7842 Mon Sep 17 00:00:00 2001 
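Review bot: `PAPERLESS_SECRET_KEY = cfg.secretKey;` in `extraConfig` of the new modules/services/paperless.nix makes the session-signing key part of the evaluated configuration, so it is written into the world-readable Nix store, where any local user or process can read it and from where it travels with the system closure; the inline comment acknowledges this but the series leaves it in place. The same exposure recurs in PATCH 6/7 (machines/porthos/services.nix), where `builtins.toFile "paperless.env" my.secrets.paperless.password` writes the administrator password into the store. For the key I would replace `secretKey` with a new `secretKeyFile` option pointing at a root-owned file outside the store and load it at service start, e.g. `systemd.services.paperless-ng-server.serviceConfig.EnvironmentFile = cfg.secretKeyFile;`, repeated for each paperless-ng unit that reads it. For the password, pass `passwordFile` a run-time path string such as the option's own example `"/var/lib/paperless/password.txt"` instead of a `builtins.toFile` result.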
From: Bruno BELANYI Date: Mon, 30 Aug 2021 20:37:18 +0200 Subject: [PATCH 5/7] modules: services: paperless: add admin password This is a fallback in case SSO stops working... --- modules/services/paperless.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix index dd3a98b..ebb655f 100644 --- a/modules/services/paperless.nix +++ b/modules/services/paperless.nix @@ -34,6 +34,12 @@ in example = "username"; description = "Name of the administrator"; }; + + passwordFile = mkOption { + type = types.str; + example = "/var/lib/paperless/password.txt"; + description = "Read the administrator's password from this path"; + }; }; config = lib.mkIf cfg.enable { @@ -70,6 +76,9 @@ in PAPERLESS_TIME_ZONE = config.time.timeZone; PAPERLESS_ADMIN_USER = cfg.username; }; + + # Admin password + passwordFile = cfg.passwordFile; }; # Set-up database From 8ffad5d41b3ec6fa2ce811ff1aed1479c591af29 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 19 Aug 2021 13:05:25 +0200 Subject: [PATCH 6/7] machines: porthos: services: enable paperless --- machines/porthos/services.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix index 28b2494..d26bb10 100644 --- a/machines/porthos/services.nix +++ b/machines/porthos/services.nix @@ -93,6 +93,14 @@ in nginx = { enable = true; }; + paperless = { + enable = true; + documentPath = "/data/media/paperless"; + # Insecure, I don't care + passwordFile = + builtins.toFile "paperless.env" my.secrets.paperless.password; + secretKey = my.secrets.paperless.secretKey; + }; # The whole *arr software suite pirate.enable = true; # Podcast automatic downloader From 808058d576ea24e0574bc16b56cd9a32e798a108 Mon Sep 17 00:00:00 2001 
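Review bot: `passwordFile` in the first hunk of PATCH 5/7 is declared without a default, so every host that enables the module must supply an admin password file even though the commit message describes it as a fallback, and the description does not say that the path must live outside the Nix store. I would make it optional with `type = with types; nullOr str; default = null;` (the upstream `services.paperless-ng.passwordFile` appears to accept null, to be confirmed) and change the description to `"Path to a file, outside the Nix store, holding the administrator's password"`. Keeping the type `str` rather than `path` is the right choice, since a path literal would be copied into the store. The options block this hunk extends starts outside the hunk.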
From: Bruno BELANYI Date: Mon, 30 Aug 2021 21:02:47 +0200 Subject: [PATCH 7/7] modules: services: paperless: proxy websockets --- modules/services/paperless.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix index ebb655f..b22628f 100644 --- a/modules/services/paperless.nix +++ b/modules/services/paperless.nix @@ -110,6 +110,11 @@ in sso = { enable = true; }; + + # Enable websockets on root + extraConfig = { + locations."/".proxyWebsockets = true; + }; } ];
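Review bot: Nothing in this virtual-host entry shows a client-supplied `X-User` header being overwritten before the request is proxied, and with `PAPERLESS_ENABLE_HTTP_REMOTE_USER = true` (PATCH 3/7) paperless treats that header as the authenticated user. The `sso` handling lives in the `my.services.nginx` module, which is not part of this series, so this may already be done there; it is worth confirming that it sets the header from the auth response on every proxied request, including the websocket upgrades on `/` enabled here, and that the backend port cannot be reached except through nginx. A comment above `sso` would record the dependency, e.g. `# paperless trusts X-User (HTTP_REMOTE_USER); the sso block must overwrite it`. The list entry this hunk extends starts outside the hunk.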