Merge branch 'master' of ssh://ssh.nx2.site:50022/nx2/dotfiles

configuration.nix

@@ -44,6 +44,7 @@
     ./system-modules/nx2site/proxy.nix
     ./system-modules/nx2site/gitea.nix
     ./system-modules/nx2site/vaultwarden.nix
+    ./system-modules/nx2site/paperless.nix
   ] else []);
 
   # Set your time zone.

system-modules/nx2site/gitea.nix

@@ -5,9 +5,6 @@ let git-user = "git"; in
     "postgres-pw" = { owner = config.services.gitea.user; };
   };
 
-  environment.systemPackages = with pkgs; [
-    gitea
-  ];
   users = {
     users = {
       "${user}".extraGroups = [ git-user ];
@@ -33,8 +30,8 @@ let git-user = "git"; in
     # camoHmacKeyFile = ;
     database = {
       createDatabase = false; # default
-      host = "127.0.0.1"; # default
+      host = config.services.postgresql.settings.listen_addresses;
-      port = 5432;
+      port = config.services.postgresql.settings.port;
       passwordFile = config.sops.secrets."postgres-pw".path;
       socket = null;
       type = "postgres";
@@ -66,12 +63,12 @@ let git-user = "git"; in
         START_SSH_SERVER = false; # default
         SSH_LISTEN_HOST = "0.0.0.0";
         SSH_PORT = secrets.ssh.port;
-        DOMAIN = "pw.${domain}";
+        DOMAIN = "git.${domain}";
         SSH_DOMAIN = "ssh.${domain}";
         # HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}";
         # HTTP_PORT = 3000; # default
         # PROTOCOL = "http"; # default
-        # ROOT_URL = "https:pw.${domain}/"; # default
+        ROOT_URL = "https://git.${domain}/"; # default
       };
       session = {
         COOKIE_SECURE = true;
@@ -79,6 +76,31 @@ let git-user = "git"; in
       service = {
         DISABLE_REGISTRATION = true;
       };
+      ui = {
+        DEFAULT_THEME = "pitchblack";
+        THEMES = "gitea,arc-green,pitchblack";
       };
     };
+  };
+  system.activationScripts = let
+    # theme = pkgs.fetchFromGitHub {
+    #   owner = "unixtensor";
+    #   repo = "Gitea-Pitch-Black";
+    #   rev = "v1.15.X.2";
+    #   hash = "sha256-Eibgoc3BJUXWdq8irgXea09fAvfKx2eQrJotp3P5DTg=";
+    # };
+    theme = pkgs.fetchFromGitea {
+      domain = "git.${domain}";
+      owner = "nx2";
+      repo = "Gitea-Pitch-Black";
+      rev = "0.1.0";
+      hash = "sha256-pU4YhgcPOT3PTcmBTjNE3FcyJgl39JGP41ckhRUKN7Y=";
+    };
+  in {
+    "gitea-theme" = /* bash */ ''
+      mkdir -p ${config.services.gitea.stateDir}/custom/public/assets/css/
+      ln -s ${theme}/theme-pitchblack.css ${config.services.gitea.stateDir}/custom/public/assets/css/theme-pitchblack.css
+      chown -R ${git-user}:${git-user} ${config.services.gitea.stateDir}/custom/ 
+    '';
+  };
 }

system-modules/nx2site/paperless.nix

@@ -0,0 +1,197 @@
+{ config, pkgs, secrets, user, domain, ... }:
+let paperless-user = "paperless"; in
+{
+  sops.secrets = {
+    "nx2site/paperless.pw" = {
+      owner = paperless-user;
+    };
+  };
+
+  users.users."${user}".extraGroups = [ paperless-user ];
+
+  services = {
+    postgresql = {
+			ensureDatabases = [ paperless-user ];
+			ensureUsers = [{
+				name = paperless-user; 
+				ensureDBOwnership = true;
+			}];
+    };
+    paperless = {
+      enable = true;
+      address = "127.0.0.1";
+      port = 8441;
+      user = paperless-user;
+      consumptionDirIsPublic = true;
+      # package = pkgs.paperless-ngx;
+      # dataDir = "/var/lib/paperless"; # default
+      # address = "127.0.0.1";
+      # mediaDir = "${dataDir}/media";
+      passwordFile = config.sops.secrets."nx2site/paperless.pw".path;
+      # consumptionDir = "${dataDir}/consume";
+      # consumptionDirIsPublic = false;
+      # openMPThreadingWorkaround = true;
+      settings = {
+        # PAPERLESS_REDIS = "redis://localhost:6379";
+        # PAPERLESS_REDIS_PREFIX=""
+
+      PAPERLESS_DBENGINE = "postgresql";
+      # PAPERLESS_DBHOST = "/run/postgresql"; # config.services.postgresql.settings.listen_addresses;
+      # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
+      PAPERLESS_DBNAME = paperless-user;
+      PAPERLESS_DBUSER = paperless-user;
+      PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
+        # PAPERLESS_DBSSLMODE=
+        # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
+        # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
+        # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
+        # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
+        # PAPERLESS_TIKA_ENABLED=false
+        # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
+        # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
+      PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
+      # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
+      PAPERLESS_EMPTY_TRASH_DIR ="${config.services.paperless.dataDir}/trash/"; # null = really delete files
+      # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
+      # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
+        # PAPERLESS_FILENAME_FORMAT=
+        # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
+      # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
+        # PAPERLESS_NLTK_DIR =
+        # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
+        # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
+        # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
+        # PAPERLESS_SECRET_KEY=
+        # PAPERLESS_URL="" # empty string, leaving the other settings unaffected.
+        # PAPERLESS_CSRF_TRUSTED_ORIGINS=
+        # PAPERLESS_ALLOWED_HOSTS=
+        # PAPERLESS_CORS_ALLOWED_HOSTS=
+        # PAPERLESS_TRUSTED_PROXIES=
+        # PAPERLESS_FORCE_SCRIPT_NAME=
+        # PAPERLESS_STATIC_URL= "/static/".
+        # PAPERLESS_AUTO_LOGIN_USERNAME=null;
+      PAPERLESS_ADMIN_USER="${user}";
+      PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
+      # PAPERLESS_ADMIN_PASSWORD=;
+        # PAPERLESS_COOKIE_PREFIX=
+        # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
+        # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
+        # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
+      # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
+        # PAPERLESS_USE_X_FORWARD_HOST= false
+        # PAPERLESS_USE_X_FORWARD_PORT= false
+        # PAPERLESS_PROXY_SSL_HEADER= null
+        # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
+        # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
+        # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
+        # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
+        # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
+        # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
+        # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
+        # PAPERLESS_DISABLE_REGULAR_LOGIN= False
+        # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
+        # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
+        # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
+        PAPERLESS_OCR_LANGUAGE = "eng+deu";
+        # PAPERLESS_OCR_MODE= "skip";
+        # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
+        # PAPERLESS_OCR_CLEAN= clean.
+        # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
+        # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
+        # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
+        # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
+        # PAPERLESS_OCR_PAGES = null;
+        # PAPERLESS_OCR_IMAGE_DPI = null;
+        # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
+        # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
+        PAPERLESS_OCR_USER_ARGS = {
+          optimize = 1;
+          pdfa_image_compression = "lossless";
+        };
+        # PAPERLESS_TASK_WORKERS= 1
+        # PAPERLESS_THREADS_PER_WORKER=
+        # PAPERLESS_WORKER_TIMEOUT=
+        PAPERLESS_TIME_ZONE = "CET";
+        # PAPERLESS_ENABLE_NLTK=1;
+        # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
+        # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
+        # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
+        # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
+        # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
+        # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
+        # PAPERLESS_CONVERT_TMPDIR =
+        # PAPERLESS_APPS = null;
+        # PAPERLESS_MAX_IMAGE_PIXELS = null;
+        # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
+        # PAPERLESS_CONSUMER_RECURSIVE= false.
+        # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
+        PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
+          ".DS_Store"
+          ".DS_STORE"
+          "._*"
+          ".stfolder/*"
+          ".stversions/*"
+          ".localized/*"
+          "desktop.ini"
+          "@eaDir/*"
+          "Thumbs.db"
+        ];
+        # PAPERLESS_CONSUMER_BARCODE_SCANNER=
+        # PAPERLESS_PRE_CONSUME_SCRIPT=
+        # PAPERLESS_POST_CONSUME_SCRIPT=
+        # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
+        # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
+        # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
+        # PAPERLESS_IGNORE_DATES="";
+        # PAPERLESS_DATE_ORDER = "DMY";
+        # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
+        # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
+        # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
+        # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
+        # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
+        # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
+        # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
+        # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
+        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
+        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
+        # PAPERLESS_EMAIL_GNUPG_HOME=
+        # PAPERLESS_CONSUMER_ENABLE_BARCODES=
+        # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
+        # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
+        # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
+        # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
+        # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
+        # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
+        # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
+        # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
+        # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
+        # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
+        # PAPERLESS_AUDIT_LOG_ENABLED= true.
+        # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
+        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
+        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
+      # PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
+        # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
+        # PAPERLESS_CONVERT_BINARY = "convert".
+      # PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
+        # PAPERLESS_WEBSERVER_WORKERS= 1;
+        # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
+        # PAPERLESS_PORT = config.services.paperless.port;
+        # PAPERLESS_OCR_LANGUAGES=
+        # PAPERLESS_ENABLE_FLOWER=
+        # PAPERLESS_SUPERVISORD_WORKING_DIR=
+      # PAPERLESS_APP_TITLE = "NxPPL";
+        # PAPERLESS_APP_LOGO =
+        # PAPERLESS_ENABLE_UPDATE_CHECK=false;
+        # PAPERLESS_EMAIL_HOST = "localhost";
+        # PAPERLESS_EMAIL_PORT= 25.
+        # PAPERLESS_EMAIL_HOST_USER= "";
+        # PAPERLESS_EMAIL_FROM=
+        # PAPERLESS_EMAIL_HOST_PASSWORD = "".
+        # PAPERLESS_EMAIL_USE_TLS = false.
+        # PAPERLESS_EMAIL_USE_SSL = false. 
+
+      };
+    };
+  };
+}

system-modules/nx2site/proxy.nix

@@ -72,7 +72,7 @@
         http3 = true;
         http3_hq = true;
         quic = true;
-        addSSL = true;
+        forceSSL = true;
         enableACME = true;
       };
     in {
@@ -132,6 +132,10 @@
         listen = dl;
         locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; }; }; 
       };
+      "doc.${domain}" = vh // {
+        listen = dl;
+        locations = { "/" = { proxyPass = "http://127.0.0.1:8441"; }; }; 
+      };
       "~^(.*).${domain}$" = {
         listen = dl;
         root = "/var/nginx/webroot";

system-modules/postgres.nix

@@ -27,7 +27,7 @@
 			];
 			settings = {
 				port = 5432; # default
-				listen_addresses = "localhost";
+				listen_addresses = lib.mkForce "127.0.0.1";
 				log_line_prefix = "[%p] "; # default
 				shared_preload_libraries = [ ]; # default
 			};