Install paperless

Philip Peterson 2026-06-05 22:58:17 -07:00
parent 85b8479e44
commit dd4a80e034
5 changed files with 119 additions and 0 deletions


@ -0,0 +1,73 @@
{ pkgs, ... }:
{
project.name = "paperless";
networks.paperless.external = false;
services = {
redis = {
service = {
image = "redis:7";
container_name = "paperless-redis";
restart = "unless-stopped";
networks = [ "paperless" ];
volumes = [
"/var/paperless/redis:/data"
];
};
};
db = {
service = {
image = "postgres:16";
container_name = "paperless-db";
restart = "unless-stopped";
networks = [ "paperless" ];
volumes = [
"/var/paperless/postgres:/var/lib/postgresql/data"
];
environment = {
POSTGRES_DB = "paperless";
POSTGRES_USER = "paperless";
POSTGRES_PASSWORD = "paperless";
};
healthcheck = {
test = [ "CMD-SHELL" "pg_isready -U paperless -d paperless" ];
interval = "5s";
timeout = "5s";
retries = 20;
};
};
};
webserver = {
service = {
image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
container_name = "paperless-ngx";
restart = "unless-stopped";
networks = [ "paperless" ];
depends_on = [ "db" "redis" ];
ports = [ "127.0.0.1:8000:8000" ];
volumes = [
"/var/paperless/data:/usr/src/paperless/data"
"/var/paperless/media:/usr/src/paperless/media"
"/var/paperless/export:/usr/src/paperless/export"
"/var/paperless/consume:/usr/src/paperless/consume"
];
environment = {
PAPERLESS_REDIS = "redis://redis:6379";
PAPERLESS_DBHOST = "db";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_DBUSER = "paperless";
PAPERLESS_DBPASS = "paperless";
PAPERLESS_URL = "https://paperless.philippeterson.com";
PAPERLESS_TIME_ZONE = "America/Anchorage";
PAPERLESS_OCR_LANGUAGE = "eng";
USERMAP_UID = "1000";
USERMAP_GID = "1000";
};
env_file = [ "/run/agenix/paperless" ];
};
};
};
}
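Review bot: The database password is the literal `paperless` in both `POSTGRES_PASSWORD` and `PAPERLESS_DBPASS`, so it is committed to the repository and copied into the world-readable Nix store, even though the webserver already loads `/run/agenix/paperless` through `env_file`. Move `PAPERLESS_DBPASS` into that age-encrypted file and give the `db` service its own `env_file` carrying `POSTGRES_PASSWORD`, dropping both keys from `environment`. The `db` service publishes no ports, so it is reachable only from containers on the `paperless` network, but a default credential there still removes a layer if the web container is compromised. Separately, `ghcr.io/paperless-ngx/paperless-ngx:latest` makes upgrades implicit; pinning a release tag or digest keeps deploys reproducible and reviewable.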


@ -0,0 +1,3 @@
import <nixpkgs> {
system = "x86_64-linux";
}


@ -78,6 +78,11 @@ in {
file = ./secrets/vnc-htpasswd.age; file = ./secrets/vnc-htpasswd.age;
owner = "nginx"; owner = "nginx";
}; };
paperless = {
file = ./secrets/paperless.age;
owner = "root";
};
}; };
environment.systemPackages = [ environment.systemPackages = [
@ -164,6 +169,7 @@ in {
projects.forgejo.settings = import ./arion/arion-compose.nix; projects.forgejo.settings = import ./arion/arion-compose.nix;
projects.riverside.settings = import ./arion-riverside/arion-compose.nix; projects.riverside.settings = import ./arion-riverside/arion-compose.nix;
projects.pluto.settings = import ./arion-pluto/arion-compose.nix; projects.pluto.settings = import ./arion-pluto/arion-compose.nix;
projects.paperless.settings = import ./arion-paperless/arion-compose.nix;
}; };
# The arion NixOS module sets backend = "podman-socket" but doesn't inject # The arion NixOS module sets backend = "podman-socket" but doesn't inject
@ -172,6 +178,7 @@ in {
systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-forgejo.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-riverside.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-pluto.environment.DOCKER_HOST = "unix:///run/podman/podman.sock"; systemd.services.arion-pluto.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
systemd.services.arion-paperless.environment.DOCKER_HOST = "unix:///run/podman/podman.sock";
# Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed. # Build the VNC desktop image locally from the Dockerfile — no registry push/pull needed.
# vncContext is a Nix store path that changes whenever any file under vnc-desktop/ changes, # vncContext is a Nix store path that changes whenever any file under vnc-desktop/ changes,
@ -241,6 +248,12 @@ in {
"d /root/.config 0755 ${username} users" "d /root/.config 0755 ${username} users"
"d /var/pluto/notebooks 0755 root root" "d /var/pluto/notebooks 0755 root root"
"d /var/pluto/julia-depot 0755 root root" "d /var/pluto/julia-depot 0755 root root"
"d /var/paperless/data 0755 root root"
"d /var/paperless/media 0755 root root"
"d /var/paperless/export 0755 root root"
"d /var/paperless/consume 0755 root root"
"d /var/paperless/postgres 0755 root root"
"d /var/paperless/redis 0755 root root"
"d /var/riverside/files 0755 root root" "d /var/riverside/files 0755 root root"
"d /var/riverside/postgres 0755 root root" "d /var/riverside/postgres 0755 root root"
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner" "d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
@ -431,6 +444,13 @@ in {
webroot = null; webroot = null;
group = config.services.nginx.group; group = config.services.nginx.group;
}; };
certs."paperless.philippeterson.com" = {
dnsProvider = "nearlyfreespeech";
environmentFile = config.age.secrets."nearlyfreespeech".path;
webroot = null;
group = config.services.nginx.group;
};
}; };
# Break the systemd ordering cycle that deadlocks nixos-rebuild switch. # Break the systemd ordering cycle that deadlocks nixos-rebuild switch.
@ -454,5 +474,6 @@ in {
"acme-selfsigned-vnc.quinefoundation.com.service" "acme-selfsigned-vnc.quinefoundation.com.service"
"acme-selfsigned-webdav.philippeterson.com.service" "acme-selfsigned-webdav.philippeterson.com.service"
"acme-selfsigned-pluto.philippeterson.com.service" "acme-selfsigned-pluto.philippeterson.com.service"
"acme-selfsigned-paperless.philippeterson.com.service"
]; ];
} }
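Review bot: The new tmpfiles entries create `/var/paperless/data`, `media`, `export`, `consume`, `postgres` and `redis` as `0755 root root`, which lets every local account traverse and list the directories that will hold scanned documents and database files. A tighter mode such as `"d /var/paperless/media 0750 root root"` (and likewise for the others) would fit this data better. The compose file sets `USERMAP_UID = "1000"`, so the owner may need to be that uid rather than root for the container to write; this should be confirmed on the host. The neighbouring pluto and riverside entries use the same 0755 pattern, so this may be a deliberate convention, but the content here is more sensitive.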


@ -114,6 +114,22 @@
}; };
}; };
"paperless.philippeterson.com" = {
useACMEHost = "paperless.philippeterson.com";
onlySSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8000/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100M;
'';
};
};
"pluto.philippeterson.com" = { "pluto.philippeterson.com" = {
useACMEHost = "pluto.philippeterson.com"; useACMEHost = "pluto.philippeterson.com";
onlySSL = true; onlySSL = true;
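Review bot: The `paperless.philippeterson.com` vhost proxies every path straight to the application with no access restriction in front of it, so the document archive is protected only by the Paperless login. If the service does not need to be reachable from arbitrary addresses, an `allow <trusted-cidr>; deny all;` pair in `extraConfig` (placeholder range) would narrow the exposure; a `limit_req` zone on the login path is the lighter alternative. The `pluto` block that follows is cut off at the end of this hunk.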


@ -24,4 +24,10 @@ in {
# htpasswd-format credentials for nginx basic auth on vnc.quinefoundation.com # htpasswd-format credentials for nginx basic auth on vnc.quinefoundation.com
# Generate with: htpasswd -n <username> # Generate with: htpasswd -n <username>
"./vnc-htpasswd.age".publicKeys = [mainframePublicKey]; "./vnc-htpasswd.age".publicKeys = [mainframePublicKey];
# PAPERLESS_SECRET_KEY=<long random string>
# PAPERLESS_ADMIN_USER=admin
# PAPERLESS_ADMIN_PASSWORD=<password>
# PAPERLESS_ADMIN_EMAIL=peterson@sent.com
"./paperless.age".publicKeys = [mainframePublicKey];
} }