From 157629a40210653dde84b7c1b919f88b8839f1e3 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Wed, 6 Apr 2022 11:49:52 +0100
Subject: [PATCH] paperless: allow websockets, set up postgres
---
 ops/nixos/bvm-paperless/default.nix | 23 ++++++++++++++++++++---
 ops/nixos/etheroute-lon01/default.nix | 11 ++++++++---
 2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/ops/nixos/bvm-paperless/default.nix b/ops/nixos/bvm-paperless/default.nix
index c0e77e1907..1be6af71d1 100644
--- a/ops/nixos/bvm-paperless/default.nix
+++ b/ops/nixos/bvm-paperless/default.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ depot, pkgs, config, ... }:
+{ depot, pkgs, config, lib, ... }:
 let
 inherit (depot.ops) secrets;
 in {
@@ -26,11 +26,28 @@ in {
 package = pkgs.paperless-ngx;
 address = config.my.ip.tailscale;
 extraConfig = {
- PAPERLESS_ALLOWED_HOSTS = "paperless.int.lukegb.com";
- PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.int.lukegb.com";
+ PAPERLESS_ALLOWED_HOSTS = "paperless.int.lukegb.com,bvm-paperless.int.as205479.net:28981,bvm-paperless.int.as205479.net";
+ PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.int.lukegb.com,http://bvm-paperless.int.as205479.net:28981";
 PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true";
+ PAPERLESS_DBHOST = "localhost";
 };
 };
+ systemd.services.paperless-ng-server.serviceConfig = {
+ RestrictAddressFamilies = lib.mkForce [];
+ SystemCallFilter = lib.mkForce [];
+ PrivateNetwork = lib.mkForce false;
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "paperless";
+ ensurePermissions = {
+ "DATABASE paperless" = "ALL PRIVILEGES";
+ };
+ }];
+ ensureDatabases = [ "paperless" ];
+ };
 system.stateVersion = "22.05";
 }
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index dcbe9944d9..d959908a44 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
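Review bot: The `systemd.services.paperless-ng-server.serviceConfig` override added in ops/nixos/bvm-paperless/default.nix forces `RestrictAddressFamilies` and `SystemCallFilter` to empty lists, which appears to drop those sandbox settings entirely rather than widen them just enough for the new Postgres connection. Reaching a database on localhost should only need the socket families, so `RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" ];` with the `SystemCallFilter` line removed would keep whatever syscall filter the module sets; if a specific syscall was being blocked, a comment naming it would help the next reader. Separately, `PAPERLESS_ALLOWED_HOSTS` now accepts the backend's own hostname while `PAPERLESS_ENABLE_HTTP_REMOTE_USER` stays `"true"`, so it is worth confirming that only the proxy can reach port 28981 on that address.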
@@ -343,10 +343,15 @@ in {
 (service "bvm-netbox.int.as205479.net:80" "netbox.int.lukegb.com" {})
 (service "localhost:9901" "envoy-debug.int.lukegb.com" {})
 (service "bvm-paperless.int.as205479.net:28981" "paperless.int.lukegb.com" {
- jwt_claims_headers = {
- Remote-User = "email";
- };
+ regex = "^/ws/.*";
+ allow_websockets = true;
+ timeout = "0";
 })
+ (service "bvm-paperless.int.as205479.net:28981" "paperless.int.lukegb.com" {
+ regex = "^/api/.*";
+ timeout = "0";
+ })
+ (service "bvm-paperless.int.as205479.net:28981" "paperless.int.lukegb.com" {})
 ];
 };
 };
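Review bot: The `jwt_claims_headers = { Remote-User = "email"; };` block is removed from the paperless route and none of the three replacement `service` entries sets it, so nothing visible in this hunk populates `Remote-User` from the verified token any more. The backend config in this same commit keeps `PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"`, so that header still decides the logged-in user; unless the `service` helper (defined outside this hunk) overwrites or strips it, a client-supplied value would be passed through. I would keep the mapping on each route, or add a comment saying where the header is now set. `timeout = "0";` on `^/api/.*` also removes the request timeout for every API call rather than only long-running ones, which may be broader than intended.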