Merge branch 'master' of ssh://ssh.nx2.site:50022/nx2/dotfiles

configuration.nix

@@ -43,7 +43,11 @@
     ./system-modules/nx2site.nix
     ./system-modules/postgres.nix
     ./system-modules/nx2site/proxy.nix
+    ./system-modules/calendar-publish.nix
+    ./system-modules/calendar-lec.nix
+    ./system-modules/nx2site/audiobookshelf.nix
     ./system-modules/nx2site/gitea.nix
+    ./system-modules/nx2site/open-web-calendar.nix
     ./system-modules/nx2site/radicale.nix
     # ./system-modules/nx2site/nextcloud.nix
     ./system-modules/nx2site/vaultwarden.nix
@@ -121,6 +125,9 @@
     xwayland.enable = true;
   };
 
+  systemd.extraConfig = "DefaultLimitNOFILE=2048";
+  boot.tmp.useTmpfs = false; 
+
   system.stateVersion = "24.11";
 
   nixpkgs.config.allowUnfree = true;

flake-modules/colors.json

@@ -1,13 +1,13 @@
 {
     "base": {
-        "foreground": "#eedce2",
+        "foreground": "#dddddd",
-        "background": "#221016"
+        "background": "#000000"
     },
     "to_alter": {
-        "accent": "#ac5271",
+        "accent": "#8888ff",
-        "secondary": "#f20c5b",
+        "secondary": "#4444ff",
-        "tertiary": "#d5a287",
+        "tertiary": "#44ff88",
-        "special": "#51ac8d",
+        "special": "#ff6666",
-        "weird": "#0cf2a3"
+        "weird": "#ff66ff"
     }
 }

home-modules/calendar.nix

@@ -35,7 +35,7 @@
     }
     {
       name = "LEC";
-      url = "https://zlypher.github.io/lol-events/cal/league-of-legends-lec.ical";
+      url = "https://${domain}/lec.ics";
       color = "#A87000";
       read-only = true;
       type = "ics";

home-modules/nx2site-backup.nix

@@ -0,0 +1,67 @@
+{ pkgs, ... }:
+{
+  home.packages = [
+    (pkgs.writeShellApplication {
+      name = "nx_backup";
+      runtimeInputs = [ ];
+      text = let
+        web-root = "/var/nginx/webroot";
+        gitea-backup = "/var/backup/gitea";
+        postgres-backup = "/var/backup/postgresql";
+      in /* bash */ ''
+        DIRECTORIES=(
+          "${web-root}"
+          "${gitea-backup}"
+          "${postgres-backup}"
+        )
+
+        NOW=$(date +%Y_%m_%d-%H_%M)
+        TEMP_BAK_DIR=$(mktemp -d)
+        TEMP_WORKING_DIR=$(mktemp -d)
+        ZIP_NAME="nx2site-backup-''${NOW}.zip"
+        ZIP_FILE="$TEMP_WORKING_DIR/$ZIP_NAME"
+        ENCRYPTED_NAME="''${ZIP_NAME}.asc"
+        ENCRYPTED_FILE="$TEMP_WORKING_DIR/$ENCRYPTED_NAME"
+        DESTINATION="/vault/$ENCRYPTED_NAME"
+        WEBROOT="${web-root}"
+
+        echo "Fixing Permissions of Gitea dump"
+        sudo chmod -R g+r "${gitea-backup}"
+
+        echo "Fixing Permissions of Postgres dump"
+        sudo chmod -R g+r "${postgres-backup}"
+        sudo chmod g+x "${postgres-backup}"
+        echo "Fixing Ownership of Postgres dump"
+        sudo chown -R postgres:postgres "${postgres-backup}"
+
+        echo "Copying files to backup to tempoary directory $TEMP_BAK_DIR ..."
+        for DIR in "''${DIRECTORIES[@]}"; do
+            rsync -aR "$DIR" "$TEMP_BAK_DIR"
+        done
+
+        # Create the zip file
+        echo "Adding files to $ZIP_NAME ..."
+        zip -qr "$ZIP_FILE" "$TEMP_BAK_DIR"
+
+        # Encrypt the zip file using GPG
+        echo "Encryping file with gpg"
+        gpg -e -r gpg@nx2.site -o "$ENCRYPTED_FILE" "$ZIP_FILE"
+
+        echo "Moving file to Destination $DESTINATION"
+        mv "$ENCRYPTED_FILE" "$DESTINATION"
+
+        echo "Updating latest-bakup path in $WEBROOT"
+        echo "$DESTINATION" > "$WEBROOT/latest-backup"
+
+        echo "Cleaning up tempoary files and directories"
+        rm -rf "$TEMP_BAK_DIR" "$TEMP_WORKING_DIR" "$ZIP_FILE"
+
+        echo "Backup and encryption complete: $DESTINATION"
+
+        echo "Space remaining:"
+        df -h | head -n 1
+        df -h | grep -P "^/dev.+? "
+      '';
+    })
+  ];
+}

home.nix

@@ -1,4 +1,4 @@
-{ pkgs, pkgs-unstable, host, user, inputs, ... }:
+{ pkgs, pkgs-unstable, lib, host, user, inputs, ... }:
 {
   imports = [
     ./home-modules/auto-mount.nix
@@ -31,7 +31,6 @@
     ./home-modules/nh.nix
     ./home-modules/nixd.nix
     ./home-modules/nvidia.nix
-    ./home-modules/nx2site.nix
     ./home-modules/nxgs.nix
     # ./home-modules/nx-gcal-event.nix
     ./home-modules/obs.nix
@@ -62,7 +61,10 @@
     ./home-modules/yazi.nix
     ./home-modules/zathura.nix
     ./home-modules/zoxide.nix
-  ];
+  ] ++ (if (host == "NxACE") then [ 
+    ./home-modules/nx2site.nix
+    ./home-modules/nx2site-backup.nix
+  ] else []);
   home.username = user;
   home.homeDirectory = "/home/${user}";
   home.stateVersion = "24.05";
@@ -98,7 +100,10 @@
     qbittorrent
 
     glib
+    pv
     gsettings-desktop-schemas
+
+    yt-dlp
     wl-clipboard
     xclip
     xournal

system-modules/calendar-lec.nix

@@ -0,0 +1,97 @@
+{ config, pkgs, user, domain, ... }:
+{
+  systemd.timers."nx_cal_lec" = {
+    enable = true;
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "40m";
+      OnUnitActiveSec = "24h";
+      Unit = "nx_cal_lec.service";
+    };
+  };
+
+  systemd.services."nx_cal_lec" = {
+    script = let 
+      nx_cal_lec = (pkgs.writers.writePython3Bin "nx_cal_lec" {
+      libraries = with pkgs.python3Packages; [
+        ical
+        ics
+        requests
+        dateutils
+      ];
+      flakeIgnore = [ "E302" "E305" "E226" "E501" ];
+    } /*python */ ''
+import hashlib
+from ics import Calendar
+import requests
+from datetime import timedelta
+
+def get_event_hash(event):
+    """
+    Generate a unique hash for an event based on its details.
+    """
+    event_data = f"{event.name}{event.begin}{event.end}{event.description}"
+    return hashlib.md5(event_data.encode('utf-8')).hexdigest()
+
+def adjust_events(events):
+    """
+    Adjust overlapping events to ensure they do not conflict.
+    """
+    sorted_events = sorted(events, key=lambda e: e.begin)
+    for i in range(1, len(sorted_events)):
+        previous_event = sorted_events[i - 1]
+        current_event = sorted_events[i]
+
+        if current_event.begin < previous_event.end:
+            # Adjust the start time of the current event to just after the previous event
+            current_event.begin = previous_event.end + timedelta(minutes=1)
+            print(f"Adjusted event '{current_event.name}' to start at {current_event.begin} and end at {current_event.end}")
+    return sorted_events
+
+def fetch_and_save_ical_events(ical_url, save_path):
+    """
+    Fetch events from an iCal URL and save them as a single combined calendar.
+    """
+    try:
+        # Fetch the iCal data
+        response = requests.get(ical_url)
+        response.raise_for_status()
+
+        # Parse the iCal data
+        calendar = Calendar(response.text)
+
+        # Adjust events
+        adjusted_events = adjust_events(list(calendar.events))
+
+        # Create a new combined calendar
+        combined_calendar = Calendar()
+        for event in adjusted_events:
+            combined_calendar.events.add(event)
+
+        # Save the combined calendar to a single .ics file
+        with open(save_path, 'w') as file:
+            file.writelines(combined_calendar.serialize_iter())
+
+        print(f"Saved combined calendar to {save_path}")
+
+    except requests.exceptions.RequestException as e:
+        print(f"Error fetching iCal data: {e}")
+    except Exception as e:
+        print(f"Error processing iCal data: {e}")
+
+if __name__ == "__main__":
+    # Replace with your iCal URL and target file path
+    ICAL_URL = "https://zlypher.github.io/lol-events/cal/league-of-legends-lec.ical"
+    SAVE_PATH = "${config.services.nginx.virtualHosts."${domain}".root}/lec.ics"
+
+    fetch_and_save_ical_events(ICAL_URL, SAVE_PATH)
+'');
+    in ''
+      ${nx_cal_lec}/bin/nx_cal_lec
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "nx2";
+    };
+  };
+}

system-modules/calendar-publish.nix

@@ -0,0 +1,138 @@
+{ config, pkgs, user, ... }:
+{
+  environment.systemPackages = with pkgs; let
+    radicale-root = "/var/lib/radicale";
+    web-root = "/var/nginx/webroot";
+  in [
+    (writers.writePython3Bin "nx_cal_pub" {
+      libraries = with python3Packages; [ 
+        ical
+        ics
+        requests
+        dateutils
+      ];
+      flakeIgnore = [ "E302" "E305" "E226" "E501" ];
+    } /*python */ ''
+import pytz
+import os
+from ics import Calendar, Event
+from ics.grammar.parse import ContentLine
+from dateutil.rrule import rrulestr
+from ics.event import datetime, timedelta
+
+def combine_ics_from_directories(directories, output_file):
+    """
+    Combine all .ics events from a list of directories into one .ics file, supporting recurring events.
+
+    :param directories: List of directories containing .ics files.
+    :param output_file: Path to the output .ics file.
+    """
+    combined_calendar = Calendar()
+
+    for directory in directories:
+        if not os.path.exists(directory):
+            print(f"Directory '{directory}' does not exist. Skipping.")
+            continue
+
+        for filename in os.listdir(directory):
+            if filename.endswith(".ics"):
+                file_path = os.path.join(directory, filename)
+                try:
+                    with open(file_path, 'r') as file:
+                        calendar = Calendar(file.read())
+                        for event in calendar.events:
+                            # Handle recurring events
+                            rrule_line = None
+                            for line in event.extra:
+                                if isinstance(line, ContentLine) and line.name == "RRULE":
+                                    rrule_line = line
+                                    break
+
+                            if rrule_line:
+                                # Convert UNTIL to UTC if DTSTART is timezone-aware
+                                rrule_params = rrule_line.value.split(";")
+                                rrule_dict = {}
+                                for param in rrule_params:
+                                    key, value = param.split("=")
+                                    rrule_dict[key] = value
+
+                                if "UNTIL" in rrule_dict and event.begin.tzinfo:
+                                    until = datetime.fromisoformat(rrule_dict["UNTIL"])
+                                    if until.tzinfo is None:  # If UNTIL is naive, make it UTC
+                                        until = until.astimezone(pytz.UTC)
+                                    rrule_dict["UNTIL"] = until.astimezone(pytz.UTC).strftime("%Y%m%dT%H%M%SZ")
+
+                                # Reconstruct RRULE string
+                                rrule_fixed = ";".join(f"{key}={value}" for key, value in rrule_dict.items())
+                                rrule = rrulestr(rrule_fixed, dtstart=event.begin.astimezone(pytz.timezone('CET')))
+
+                                # Expand recurring events and filter based on the date
+                                for occurrence in rrule:
+                                    notTooOld = occurrence.date() >= (datetime.now().astimezone(pytz.UTC) - timedelta(days=1)).date()
+                                    notTooFuturisic = occurrence.date() < (datetime.now().astimezone(pytz.UTC) + timedelta(days=60)).date()
+                                    if notTooOld and notTooFuturisic:
+                                        new_event = Event(
+                                            name="",
+                                            begin=occurrence,
+                                            end=occurrence + (event.end - event.begin),
+                                            transparent=event.transparent or True,
+                                        )
+                                        combined_calendar.events.add(new_event)
+                            else:
+                                # Regular events, directly add if within date range
+                                if event.begin.astimezone(pytz.timezone('CET')).date() >= (datetime.now().astimezone(pytz.timezone('CET')) - timedelta(days=1)).date():
+                                    new_event = Event(
+                                        name="",
+                                        begin=event.begin,
+                                        end=event.end,
+                                        transparent=event.transparent or True,
+                                    )
+                                    combined_calendar.events.add(new_event)
+
+                except Exception as e:
+                    print(f"Error reading file '{file_path}': {e}")
+                    exit(1)
+
+    try:
+        with open(output_file, 'w') as file:
+            file.writelines(combined_calendar.serialize_iter())
+        print(f"Combined .ics file saved to '{output_file}'")
+    except Exception as e:
+        print(f"Error saving combined .ics file: {e}")
+
+if __name__ == "__main__":
+    # List of directories containing .ics files
+    DIRECTORIES = [
+        "${radicale-root}/collections/collection-root/${user}/preservation",
+        "${radicale-root}/collections/collection-root/${user}/effort",
+        "${radicale-root}/collections/collection-root/${user}/experience",
+        "${radicale-root}/collections/collection-root/${user}/exposure",
+        "${radicale-root}/collections/collection-root/${user}/engagement",
+    ]
+
+    # Path to the output .ics file
+    OUTPUT_FILE = "${web-root}/schedule.ics"
+
+    combine_ics_from_directories(DIRECTORIES, OUTPUT_FILE)
+'')
+  ];
+  systemd.timers."nx_cal_publish" = {
+    enable = true;
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "2m";
+      OnUnitActiveSec = "6h";
+      Unit = "nx_cal_publish.service";
+    };
+  };
+
+  systemd.services."nx_cal_publish" = {
+    script = ''
+      nx_cal_publish
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "nx2";
+    };
+  };
+}

system-modules/nx2site/audiobookshelf.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+  services = {
+    audiobookshelf = {
+      # authentication is mangaed imperatively in the web interface upon first start
+      enable = true;
+      # user = "audiobookshelf";
+      # group = "audiobookshelf";
+      # host = "127.0.0.1";
+      port = 11648; # spells out audi(o)
+      package = pkgs.audiobookshelf;
+    };
+  };
+}

system-modules/nx2site/gitea.nix

@@ -41,7 +41,7 @@ let git-user = "git"; in
     dump = {
       enable = true;
       backupDir = "/var/backup/gitea";
-      file = null; # default = chosen by gitea
+      file = "gitea-dump.zip"; # default = chosen by gitea
       interval = "daily";
       type = "zip"; # default
     };
@@ -99,7 +99,7 @@ let git-user = "git"; in
   in {
     "gitea-theme" = /* bash */ ''
       mkdir -p ${config.services.gitea.stateDir}/custom/public/assets/css/
-      ln -s ${theme}/theme-pitchblack.css ${config.services.gitea.stateDir}/custom/public/assets/css/theme-pitchblack.css
+      ln -fs ${theme}/theme-pitchblack.css ${config.services.gitea.stateDir}/custom/public/assets/css/theme-pitchblack.css
       chown -R ${git-user}:${git-user} ${config.services.gitea.stateDir}/custom/ 
     '';
   };

system-modules/nx2site/open-web-calendar.nix

@@ -0,0 +1,15 @@
+{ pkgs, domain, ... }:
+{
+  services = {
+    open-web-calendar = {
+      enable = true;
+      domain = "cal.${domain}";
+      package = pkgs.open-web-calendar;
+      settings = {
+        # PORT = 21342;        
+      };
+      calendarSettings = {
+      };
+    };
+  };
+}

system-modules/nx2site/paperless.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, secrets, user, domain, ... }:
+{ pkgs, config, secrets, domain, user, ... }:
 let paperless-user = "paperless"; in
 {
   sops.secrets = {
@@ -7,7 +7,10 @@ let paperless-user = "paperless"; in
     };
   };
 
-  users.users."${user}".extraGroups = [ paperless-user ];
+  users.users = {
+    "${user}".extraGroups = [ paperless-user ];
+    "${paperless-user}".extraGroups = [ "redis-paperless" ];
+  }; 
 
   services = {
     postgresql = {
@@ -19,178 +22,181 @@ let paperless-user = "paperless"; in
     };
     paperless = {
       enable = true;
-      address = "127.0.0.1";
+      # address = "0.0.0.0";
       port = 8441;
       user = paperless-user;
       consumptionDirIsPublic = true;
       # package = pkgs.paperless-ngx;
       # dataDir = "/var/lib/paperless"; # default
-      # address = "127.0.0.1";
+      address = "127.0.0.1";
       # mediaDir = "${dataDir}/media";
       passwordFile = config.sops.secrets."nx2site/paperless.pw".path;
       # consumptionDir = "${dataDir}/consume";
       # consumptionDirIsPublic = false;
       # openMPThreadingWorkaround = true;
       settings = {
-        # PAPERLESS_REDIS = "redis://localhost:6379";
+          # PAPERLESS_REDIS = "redis://localhost:6379";
-        # PAPERLESS_REDIS_PREFIX=""
+          # PAPERLESS_REDIS_PREFIX=""
-
+        # PAPERLESS_DBENGINE = "postgresql";
-      PAPERLESS_DBENGINE = "postgresql";
+        PAPERLESS_DBHOST = "/run/postgresql";
-      # PAPERLESS_DBHOST = "/run/postgresql"; # config.services.postgresql.settings.listen_addresses;
+        # PAPERLESS_DBHOST = config.services.postgresql.settings.listen_addresses;
-      # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
+        # PAPERLESS_DBPORT = config.services.postgresql.settings.port;
-      PAPERLESS_DBNAME = paperless-user;
+        # PAPERLESS_DBNAME = paperless-user;
-      PAPERLESS_DBUSER = paperless-user;
+        # PAPERLESS_DBUSER = paperless-user;
-      PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
+        PAPERLESS_DBPASS = secrets.nx2site.paperless.PAPERLESS_DBPASS;
-        # PAPERLESS_DBSSLMODE=
+          # PAPERLESS_DBSSLMODE=
-        # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLROOTCERT=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLCERT=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
+          # PAPERLESS_DBSSLKEY=null; # unset, using the documented path in the home directory.
-        # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
+          # PAPERLESS_DB_TIMEOUT=null; # unset, keeping the Django defaults.
-        # PAPERLESS_TIKA_ENABLED=false
+          # PAPERLESS_TIKA_ENABLED=false
-        # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
+          # PAPERLESS_TIKA_ENDPOINT="http://localhost:9998".
-        # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
+          # PAPERLESS_TIKA_GOTENBERG_ENDPOINT="http://localhost:3000".
-      PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
+        PAPERLESS_CONSUMPTION_DIR = "${config.services.paperless.dataDir}/consume/";  
-      # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
+        # PAPERLESS_DATA_DIR = "${config.services.paperless.dataDir}/data/"; 
-      PAPERLESS_EMPTY_TRASH_DIR ="${config.services.paperless.dataDir}/trash/"; # null = really delete files
+        # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
-      # PAPERLESS_MEDIA_ROOT = "${config.services.paperless.dataDir}/media/"; 
+        # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
-      # PAPERLESS_STATICDIR = "${config.services.paperless.dataDir}/static/"; 
+          # PAPERLESS_FILENAME_FORMAT=
-        # PAPERLESS_FILENAME_FORMAT=
+          # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
-        # PAPERLESS_FILENAME_FORMAT_REMOVE_NONE=
+        # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
-      # PAPERLESS_LOGGING_DIR = "${config.services.paperless.dataDir}/log/";
+          # PAPERLESS_NLTK_DIR =
-        # PAPERLESS_NLTK_DIR =
+          # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
-        # PAPERLESS_MODEL_FILE= PAPERLESS_DATA_DIR/classification_model.pickle.
+          # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
-        # PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
+          # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
-        # PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
+          # PAPERLESS_SECRET_KEY=
-        # PAPERLESS_SECRET_KEY=
+          PAPERLESS_URL = "https://doc.${domain}";
-        # PAPERLESS_URL="" # empty string, leaving the other settings unaffected.
+          # PAPERLESS_CSRF_TRUSTED_ORIGINS=
-        # PAPERLESS_CSRF_TRUSTED_ORIGINS=
+          # PAPERLESS_ALLOWED_HOSTS=
-        # PAPERLESS_ALLOWED_HOSTS=
+          # PAPERLESS_CORS_ALLOWED_HOSTS=
-        # PAPERLESS_CORS_ALLOWED_HOSTS=
+          # PAPERLESS_TRUSTED_PROXIES=
-        # PAPERLESS_TRUSTED_PROXIES=
+          # PAPERLESS_FORCE_SCRIPT_NAME=
-        # PAPERLESS_FORCE_SCRIPT_NAME=
+          # PAPERLESS_STATIC_URL= "/static/".
-        # PAPERLESS_STATIC_URL= "/static/".
+          # PAPERLESS_AUTO_LOGIN_USERNAME=null;
-        # PAPERLESS_AUTO_LOGIN_USERNAME=null;
+        # PAPERLESS_ADMIN_USER="${user}";
-      PAPERLESS_ADMIN_USER="${user}";
+        # PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
-      PAPERLESS_ADMIN_MAIL=secrets.email.gmail-online.mail;
+        # PAPERLESS_ADMIN_PASSWORD=;
-      # PAPERLESS_ADMIN_PASSWORD=;
+          # PAPERLESS_COOKIE_PREFIX=
-        # PAPERLESS_COOKIE_PREFIX=
+          # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
-        # PAPERLESS_ENABLE_HTTP_REMOTE_USER=
+          # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
-        # PAPERLESS_ENABLE_HTTP_REMOTE_USER_API=
+          # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
-        # PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=
+        # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
-      # PAPERLESS_LOGOUT_REDIRECT_URL="https://youtu.be/dMN-pjcchrE?si=EcFYvAnbXFkounYR";
+          # PAPERLESS_USE_X_FORWARD_HOST= false
-        # PAPERLESS_USE_X_FORWARD_HOST= false
+          # PAPERLESS_USE_X_FORWARD_PORT= false
-        # PAPERLESS_USE_X_FORWARD_PORT= false
+          # PAPERLESS_PROXY_SSL_HEADER= null
-        # PAPERLESS_PROXY_SSL_HEADER= null
+          # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
-        # PAPERLESS_EMAIL_CERTIFICATE_LOCATION = null;
+          # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
-        # PAPERLESS_SOCIALACCOUNT_PROVIDERS=;
+          # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
-        # PAPERLESS_SOCIAL_AUTO_SIGNUP = false;
+          # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
-        # PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS= True
+          # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
-        # PAPERLESS_ACCOUNT_ALLOW_SIGNUPS= False
+          # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
-        # PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL= 'https'
+          # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
-        # PAPERLESS_ACCOUNT_EMAIL_VERIFICATION= 'optional'
+          # PAPERLESS_DISABLE_REGULAR_LOGIN= False
-        # PAPERLESS_DISABLE_REGULAR_LOGIN= False
+          # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
-        # PAPERLESS_REDIRECT_LOGIN_TO_SSO= False
+          # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
-        # PAPERLESS_ACCOUNT_SESSION_REMEMBER= True
+          # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
-        # PAPERLESS_SESSION_COOKIE_AGE= 1209600; # (2 weeks)
+          PAPERLESS_OCR_LANGUAGE = "eng+deu";
-        PAPERLESS_OCR_LANGUAGE = "eng+deu";
+          # PAPERLESS_OCR_MODE= "skip";
-        # PAPERLESS_OCR_MODE= "skip";
+          # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
-        # PAPERLESS_OCR_SKIP_ARCHIVE_FILE=
+          # PAPERLESS_OCR_CLEAN= clean.
-        # PAPERLESS_OCR_CLEAN= clean.
+          # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
-        # PAPERLESS_OCR_DESKEW = true; # which enables this feature.
+          # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
-        # PAPERLESS_OCR_ROTATE_PAGES = true; # which enables this feature.
+          # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
-        # PAPERLESS_OCR_ROTATE_PAGES_THRESHOLD = "12";
+          # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
-        # PAPERLESS_OCR_OUTPUT_TYPE = "pdfa";
+          # PAPERLESS_OCR_PAGES = null;
-        # PAPERLESS_OCR_PAGES = null;
+          # PAPERLESS_OCR_IMAGE_DPI = null;
-        # PAPERLESS_OCR_IMAGE_DPI = null;
+          # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
-        # PAPERLESS_OCR_MAX_IMAGE_PIXELS=
+          # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
-        # PAPERLESS_OCR_COLOR_CONVERSION_STRATEGY=
+          PAPERLESS_OCR_USER_ARGS = {
-        PAPERLESS_OCR_USER_ARGS = {
+            optimize = 1;
-          optimize = 1;
+            pdfa_image_compression = "lossless";
-          pdfa_image_compression = "lossless";
+          };
-        };
+          # PAPERLESS_TASK_WORKERS= 1
-        # PAPERLESS_TASK_WORKERS= 1
+          # PAPERLESS_THREADS_PER_WORKER=
-        # PAPERLESS_THREADS_PER_WORKER=
+          # PAPERLESS_WORKER_TIMEOUT=
-        # PAPERLESS_WORKER_TIMEOUT=
+          PAPERLESS_TIME_ZONE = "CET";
-        PAPERLESS_TIME_ZONE = "CET";
+          # PAPERLESS_ENABLE_NLTK=1;
-        # PAPERLESS_ENABLE_NLTK=1;
+          # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
-        # PAPERLESS_EMAIL_TASK_CRON= */10 * * * * or every ten minutes.
+          # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
-        # PAPERLESS_TRAIN_TASK_CRON= 5 */1 * * * or every hour at 5 minutes past the hour.
+          # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
-        # PAPERLESS_INDEX_TASK_CRON= 0 0 * * * or daily at midnight.
+          # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
-        # PAPERLESS_SANITY_TASK_CRON= 30 0 * * sun or Sunday at 30 minutes past midnight.
+          # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
-        # PAPERLESS_ENABLE_COMPRESSION = 1; # enabling compression.
+          # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
-        # PAPERLESS_CONVERT_MEMORY_LIMIT = 0; # which disables the limit.
+          # PAPERLESS_CONVERT_TMPDIR =
-        # PAPERLESS_CONVERT_TMPDIR =
+          # PAPERLESS_APPS = null;
-        # PAPERLESS_APPS = null;
+          # PAPERLESS_MAX_IMAGE_PIXELS = null;
-        # PAPERLESS_MAX_IMAGE_PIXELS = null;
+          # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
-        # PAPERLESS_CONSUMER_DELETE_DUPLICATES= false.
+          # PAPERLESS_CONSUMER_RECURSIVE= false.
-        # PAPERLESS_CONSUMER_RECURSIVE= false.
+          # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
-        # PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS= false.
+          PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
-        PAPERLESS_CONSUMER_IGNORE_PATTERNS = [
+            ".DS_Store"
-          ".DS_Store"
+            ".DS_STORE"
-          ".DS_STORE"
+            "._*"
-          "._*"
+            ".stfolder/*"
-          ".stfolder/*"
+            ".stversions/*"
-          ".stversions/*"
+            ".localized/*"
-          ".localized/*"
+            "desktop.ini"
-          "desktop.ini"
+            "@eaDir/*"
-          "@eaDir/*"
+            "Thumbs.db"
-          "Thumbs.db"
+          ];
-        ];
+          # PAPERLESS_CONSUMER_BARCODE_SCANNER=
-        # PAPERLESS_CONSUMER_BARCODE_SCANNER=
+          # PAPERLESS_PRE_CONSUME_SCRIPT=
-        # PAPERLESS_PRE_CONSUME_SCRIPT=
+          # PAPERLESS_POST_CONSUME_SCRIPT=
-        # PAPERLESS_POST_CONSUME_SCRIPT=
+          # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
-        # PAPERLESS_FILENAME_DATE_ORDER= none, which disables this feature.
+          # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
-        # PAPERLESS_NUMBER_OF_SUGGESTED_DATES= 3. Set to 0 to disable this feature.
+          # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
-        # PAPERLESS_THUMBNAIL_FONT_NAME= /usr/share/fonts/liberation/LiberationSerif-Regular.ttf.
+          # PAPERLESS_IGNORE_DATES="";
-        # PAPERLESS_IGNORE_DATES="";
+          # PAPERLESS_DATE_ORDER = "DMY";
-        # PAPERLESS_DATE_ORDER = "DMY";
+          # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
-        # PAPERLESS_ENABLE_GPG_DECRYPTOR = false;
+          # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
-        # PAPERLESS_CONSUMER_POLLING = 0; # which disables polling and uses filesystem notifications.
+          # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
-        # PAPERLESS_CONSUMER_POLLING_RETRY_COUNT = 5;
+          # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
-        # PAPERLESS_CONSUMER_POLLING_DELAY = 5;
+          # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
-        # PAPERLESS_CONSUMER_INOTIFY_DELAY= 0.5; # seconds.
+          # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
-        # PAPERLESS_OAUTH_CALLBACK_BASE_URL = null;
+          # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
-        # PAPERLESS_GMAIL_OAUTH_CLIENT_ID = null;
+          # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
-        # PAPERLESS_GMAIL_OAUTH_CLIENT_SECRET = null;
+          # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
-        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_ID = null;
+          # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
-        # PAPERLESS_OUTLOOK_OAUTH_CLIENT_SECRET = null;
+          # PAPERLESS_EMAIL_GNUPG_HOME=
-        # PAPERLESS_EMAIL_GNUPG_HOME=
+          # PAPERLESS_CONSUMER_ENABLE_BARCODES=
-        # PAPERLESS_CONSUMER_ENABLE_BARCODES=
+          # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
-        # PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT= false.
+          # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
-        # PAPERLESS_CONSUMER_BARCODE_STRING= "PATCHT"
+          # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
-        # PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES= false.
+          # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
-        # PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE= false.
+          # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
-        # PAPERLESS_CONSUMER_ASN_BARCODE_PREFIX= "ASN"
+          # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
-        # PAPERLESS_CONSUMER_BARCODE_UPSCALE= 0.0
+          # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
-        # PAPERLESS_CONSUMER_BARCODE_DPI= "300"
+          # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
-        # PAPERLESS_CONSUMER_BARCODE_MAX_PAGES= "0"
+          # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
-        # PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE= false.
+          # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
-        # PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING=
+          # PAPERLESS_AUDIT_LOG_ENABLED= true.
-        # PAPERLESS_AUDIT_LOG_ENABLED= true.
+          # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
-        # PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED= false.
+          # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
-        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME= "double-sided".
+          # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
-        # PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT= false.
+        PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
-      # PAPERLESS_EMPTY_TRASH_DELAY = 30; # days, minimum of 1 day.
+          # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
-        # PAPERLESS_EMPTY_TRASH_TASK_CRON= 0 1 * * *, once per day.
+          # PAPERLESS_CONVERT_BINARY = "convert".
-        # PAPERLESS_CONVERT_BINARY = "convert".
+        PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
-      # PAPERLESS_GS_BINARY = "${pkgs.ghostscript}/bin/gs";
+          # PAPERLESS_WEBSERVER_WORKERS= 1;
-        # PAPERLESS_WEBSERVER_WORKERS= 1;
+          # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
-        # PAPERLESS_BIND_ADDR= [::], meaning all interfaces, including IPv6.
+          # PAPERLESS_PORT = config.services.paperless.port;
-        # PAPERLESS_PORT = config.services.paperless.port;
+          # PAPERLESS_OCR_LANGUAGES=
-        # PAPERLESS_OCR_LANGUAGES=
+          # PAPERLESS_ENABLE_FLOWER=
-        # PAPERLESS_ENABLE_FLOWER=
+          # PAPERLESS_SUPERVISORD_WORKING_DIR=
-        # PAPERLESS_SUPERVISORD_WORKING_DIR=
+        PAPERLESS_APP_TITLE = "NxPPL";
-      # PAPERLESS_APP_TITLE = "NxPPL";
+          # PAPERLESS_APP_LOGO =
-        # PAPERLESS_APP_LOGO =
+          # PAPERLESS_ENABLE_UPDATE_CHECK=false;
-        # PAPERLESS_ENABLE_UPDATE_CHECK=false;
+          # PAPERLESS_EMAIL_HOST = "localhost";
-        # PAPERLESS_EMAIL_HOST = "localhost";
+          # PAPERLESS_EMAIL_PORT= 25.
-        # PAPERLESS_EMAIL_PORT= 25.
+          # PAPERLESS_EMAIL_HOST_USER= "";
-        # PAPERLESS_EMAIL_HOST_USER= "";
+          # PAPERLESS_EMAIL_FROM=
-        # PAPERLESS_EMAIL_FROM=
+          # PAPERLESS_EMAIL_HOST_PASSWORD = "".
-        # PAPERLESS_EMAIL_HOST_PASSWORD = "".
+          # PAPERLESS_EMAIL_USE_TLS = false.
-        # PAPERLESS_EMAIL_USE_TLS = false.
+          # PAPERLESS_EMAIL_USE_SSL = false. 
-        # PAPERLESS_EMAIL_USE_SSL = false. 
       };
     };
   };
+  systemd.services.paperless-web.after = [ "postgresql.service" ];
+  systemd.services.paperless-task-queue.after = [ "postgresql.service" ];
+  systemd.services.paperless-consumer.after = [ "postgresql.service" ];
+  systemd.services.paperless-sceduler.after = [ "postgresql.service" ];
 }

system-modules/nx2site/proxy.nix

@@ -14,7 +14,7 @@
     };
     certs = {
       "${domain}" = {
-        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "pw" "sync" ];
+        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "sync" ];
       };
     };
   };
@@ -140,9 +140,24 @@
         listen = dl;
         locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; }; 
       });
-      "nc.${domain}" = vh // {
+      # "nc.${domain}" = vh // {
-        # directly to nc 
+      #   # directly to nc 
+      # };
+      "abs.${domain}" = vh // {
+        listen = dl;
+        locations = { "/" = { 
+          proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
+          proxyWebsockets = true;
+        }; }; 
       };
+      # is done atomatically
+      # "cal.${domain}" = vh // {
+      #   listen = dl;
+      #   locations = { "/" = { 
+      #     proxyPass = "http://unix:///run/open-web-calendar/socket";
+      #     proxyWebsockets = true;
+      #   }; }; 
+      # };
       "~^(.*).${domain}$" = {
         listen = dl;
         root = "/var/nginx/webroot";

system-modules/nx2site/rallly.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    (pkgs.mkYarnPackage {
+      name = "rallly";
+      src = pkgs.fetchFromGitHub {
+        owner = "lukevella";
+        repo = "rallly";
+        rev = "v3.11.2";
+        hash = "sha256-ej6Y0ouiheoH6dSBWsSIW6qt9UvsLh9ODDQA5Fqt3zs=";
+      };
+      packageJson = ./package.json;
+      yarnLock = ./yarn.lock;
+      yarnNix = ./yarn.nix;
+      # patchPhase = /* shell */ ''
+      #   cp ........ ?
+      # '';
+    })
+  ];
+}

system-modules/postgres.nix

@@ -26,6 +26,7 @@
 			ensureDatabases = [
 				"gitea"
 				"vaultwarden"
+				"paperless"
 				"nextcloud"
 			];
 			settings = {
@@ -49,6 +50,10 @@
 					name = "nextcloud";
 					ensureDBOwnership = true;
 				}
+				{
+					name = "paperless";
+					ensureDBOwnership = true;
+				}
 			];
 		};
 		postgresqlBackup = {

system-modules/users.nix

@@ -23,6 +23,7 @@
       "adbusers" 
       "postgres"
       "radicale"
+      "audiobookshelf"
       "nextcloud"
     ];
     useDefaultShell = true;