depot/ops/nixos/bvm-paperless/default.nix


# SPDX-FileCopyrightText: 2022 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
# NixOS module for the "bvm-paperless" VM: a Paperless instance backed by a
# local PostgreSQL database, on top of the shared ../lib/bvm.nix profile.
{ depot, pkgs, config, lib, ... }:
let
  # Bound for convenience; nothing in this file references `secrets`.
  inherit (depot.ops) secrets;
in {
  imports = [ ../lib/bvm.nix ];

  # Networking!
  networking.hostName = "bvm-paperless";
  networking.hostId = "c8d6f81f";
  networking.interfaces.enp1s0.ipv4.addresses = [
    { address = "10.100.0.211"; prefixLength = 23; }
  ];

  # Tailscale addresses of this host; the IPv6 one is reused below as the
  # Paperless listen address.
  my.ip = {
    tailscale = "100.85.236.121";
    tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6255:ec79";
  };

  services.paperless = {
    enable = true;

    # Listens on the Tailscale IPv6 address rather than loopback, so the
    # application port is reachable by whatever can route to that address.
    address = config.my.ip.tailscale6;

    extraConfig = {
      PAPERLESS_URL = "https://paperless.int.lukegb.com";

      # Accepts both the proxied name and the direct host (with and without
      # the :28981 port), i.e. requests that bypass the HTTPS front end are
      # accepted too.
      PAPERLESS_ALLOWED_HOSTS = "paperless.int.lukegb.com,bvm-paperless.int.as205479.net:28981,bvm-paperless.int.as205479.net";

      # The direct origin is plain http://, and it is trusted for both CORS
      # and CSRF alongside the HTTPS origin.
      PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.int.lukegb.com,http://bvm-paperless.int.as205479.net:28981";
      PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://paperless.int.lukegb.com,http://bvm-paperless.int.as205479.net:28981";

      # Header-based SSO: Paperless takes the authenticated user from the
      # Remote-User request header. That header is only trustworthy when
      # every request arrives through a proxy that overwrites it.
      # NOTE(review): with the listener on the Tailscale address and the
      # direct host:port in ALLOWED_HOSTS, confirm that firewall rules or
      # Tailscale ACLs limit port 28981 to the authenticating proxy, and
      # that the proxy strips any client-supplied Remote-User header.
      PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true";

      # DBHOST is a directory, so the connection uses the local PostgreSQL
      # Unix socket; the password is deliberately empty.
      # NOTE(review): presumably relies on peer authentication for the
      # "paperless" role. Confirm against the PostgreSQL authentication
      # settings.
      PAPERLESS_DBHOST = "/run/postgresql";
      PAPERLESS_DBPASS = "";
    };
  };

  # mkForce overrides whatever the Paperless module sets for these
  # directives on the scheduler unit: the address-family restriction and
  # the syscall filter are emptied and the private network namespace is
  # turned off, so this unit runs without those three sandboxing controls.
  # NOTE(review): the reason is not recorded here. If the scheduler only
  # needs network access, restoring an explicit address-family list and
  # syscall filter would keep most of the hardening.
  systemd.services.paperless-scheduler.serviceConfig = {
    PrivateNetwork = lib.mkForce false;
    RestrictAddressFamilies = lib.mkForce [];
    SystemCallFilter = lib.mkForce [];
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "paperless" ];

    # The grant is scoped to the single "paperless" database.
    # NOTE(review): newer NixOS releases replace ensurePermissions with
    # ensureDBOwnership. Check before moving this host past 22.05.
    ensureUsers = [
      {
        name = "paperless";
        ensurePermissions = {
          "DATABASE paperless" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  system.stateVersion = "22.05";
}