+1

hosts/marvin/default.nix

reviewed

··· 22 22 ./services/miniflux.nix 23 23 ./services/nextcloud 24 24 ./services/nginx.nix 25 25 + ./services/paperless.nix 25 26 ./services/pinchflat.nix 26 27 ./services/planka.nix 27 28 ./services/pocket-id.nix

+43

hosts/marvin/services/paperless.nix

reviewed

··· 1 1 + { 2 2 + self, 3 3 + config, 4 4 + ... 5 5 + }: 6 6 + let 7 7 + d = self.lib.data.services.paperless; 8 8 + sec = config.age.secrets; 9 9 + in 10 10 + { 11 11 + services.paperless = { 12 12 + enable = true; 13 13 + inherit (d) port; 14 14 + address = "0.0.0.0"; 15 15 + domain = d.extUrl; 16 16 + passwordFile = sec.paperless-admin-pw.path; 17 17 + database.createLocally = true; 18 18 + configureTika = true; 19 19 + settings = { 20 20 + PAPERLESS_EMAIL_TASK_CRON = "0 */4 * * *"; 21 21 + PAPERLESS_TIME_ZONE = "America/New_York"; 22 22 + PAPERLESS_EMAIL_HOST = "mail.pyrox.dev"; 23 23 + PAPERLESS_EMAIL_PORT = 465; 24 24 + PAPERLESS_EMAIL_HOST_USER = "paperless@pyrox.dev"; 25 25 + PAPERLESS_EMAIL_FROM = "dish Docs<paperless@pyrox.dev>"; 26 26 + PAPERLESS_EMAIL_USE_SSL = true; 27 27 + PAPERLESS_APP_TITLE = "dish Docs"; 28 28 + PAPERLESS_TASK_WORKERS = 3; 29 29 + }; 30 30 + }; 31 31 + age.secrets = { 32 32 + paperless-admin-pw = { 33 33 + file = ./secrets/paperless/admin-password.age; 34 34 + owner = "paperless"; 35 35 + group = "paperless"; 36 36 + }; 37 37 + paperless-secrets = { 38 38 + file = ./secrets/paperless/secrets.age; 39 39 + owner = "paperless"; 40 40 + group = "paperless"; 41 41 + }; 42 42 + }; 43 43 + }

hosts/marvin/services/secrets/paperless/admin-password.age

reviewed

This is a binary file and will not be displayed.

+19

hosts/marvin/services/secrets/paperless/secrets.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-ed25519 iqBxIA P8u58J2nZZbRds95JpFHLOc5lcAf7YF03dPk6L49BT0 3 3 + xj8PzYA7W3xanYp8brg6bQ+xuhdOM3J6FcslKNv+YOI 4 4 + -> ssh-rsa fFaiTA 5 5 + lG8IMuChMKHEo1jAJu6xJ+AnoDZ/RuTVf9DdtDFToFbwNZ15gJkA8+BRm07n2rCS 6 6 + fmBMLOQpg2n3VHQRlMgONGZwOpB3kRKqJJ6AbUlO7alyL3j/kveZ0SQf8pv7sSpe 7 7 + EgZEcOzrqpEQIlPtkWg6cjVxLk4TIZ2Vrh1/rRdegw/sGHygAX9YQ5dFo/r6o1Df 8 8 + QflZOW887PeZPYOuuG/wBrPI/aj1McpcV7A1YbX7kfnoVUWdnydUYADiaHYf6036 9 9 + 0A8tER8mjPr3poZEeIRPnMa/FjiqPSNR7HzHJzJP9NJMuW0yS2zCz9p1LJWuFfTT 10 10 + 3bk8l+8cN42WbiMV62CCXM7B3aOZ2Bes7W72nSEuhjdj3+TA2B/niT3hYTw+h8hf 11 11 + ffSEGth2HUO8Ai+sVA/53ZJ/obLPKY6QCKPfZcMO33GuLzIfpzDXe7PKazoKdNah 12 12 + ycdYQjmT0+xmJ7tw36B3w/RDTKdUK2t7VowCi0miJGmPJ32YbUpJpLvZ4D7DbvuJ 13 13 + NdNcG79H54op8ltma9548URuRXCCVYGMYwc80fvOUwzR8IgbnWG5dpZR8iDp/2KM 14 14 + 0IztlQ9UMStSBHzt4t+xbk97glS0N4Rv+OGCoYjc8cpAKSjTahxZSnaWQ6NlRYeg 15 15 + tc71FBe1j+chr6B4ku69CGzQFdt901OjPD8AcKWN0ZA 16 16 + -> ssh-ed25519 wpmdHA sZjjKQPZ11T5XNH6xmeI+MpPN4a6P2IojjHsu1rZ230 17 17 + r2VSTyyCfJk7KwqHh3FkP7oyylojwG2QBDldnF3y5iY 18 18 + --- m2RCaIONWymiVYzS+i59W3pW1SLefIn3TlAEhi1EMNo 19 19 + *��)eUt^�� ����N�2��(�������@_n魘�;�����g#�?sE�������9���/�������It���'N5�������ʔ��j��48�

+2

hosts/marvin/services/secrets/secrets.nix

reviewed

··· 36 36 "miniflux-admin.age".publicKeys = marvinDefault; 37 37 "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault; 38 38 "nix-serve-priv.age".publicKeys = marvinDefault; 39 39 + "paperless/admin-password.age".publicKeys = marvinDefault; 40 40 + "paperless/secrets.age".publicKeys = marvinDefault; 39 41 "pinchflat-secrets.age".publicKeys = marvinDefault; 40 42 "planka-env.age".publicKeys = marvinDefault; 41 43 "pocket-id-secrets.age".publicKeys = marvinDefault;

+14

hosts/prefect/services/caddy.nix

reviewed

··· 201 201 ''; 202 202 }; 203 203 204 204 + # Paperless-NGX 205 205 + ${pns.paperless.extUrl} = { 206 206 + extraConfig = '' 207 207 + reverse_proxy ${marvin}:${toString pns.paperless.port} { 208 208 + header_down Referrer-Policy "strict-origin-when-cross-origin" 209 209 + header_down X-XSS-Protection 0 210 210 + header_down X-Content-Type-Options nosniff 211 211 + header_down -Server 212 212 + header_up X-Real-Ip {remote_host} 213 213 + header_up X-Http-Version {http.request.proto} 214 214 + } 215 215 + ''; 216 216 + }; 217 217 + 204 218 # Immich 205 219 ${pns.immich.extUrl} = { 206 220 extraConfig = ''

+6 -1

lib/data/services.toml

reviewed

··· 6 6 # tsHost: (optional) What Tailscale host this service will run on, for services only available via Tailscale. 7 7 # # Should only be set if this is available externally, if at all, since TS-only services aren't able to be scraped. 8 8 # Current lowest unassigned service/anubis port: 6938/8410 9 9 - # Misc available ports: 6902, 6905-6, 6908-11, 6913, 6916-21, 6923-4, 6927, 6933 9 9 + # Misc available ports: 6905-6, 6908-11, 6913, 6916-21, 6923-4, 6927, 6933 10 10 # Misc Anubis available: 8401, 8407 11 11 12 12 [buildbot-server] ··· 69 69 [nextcloud-imaginary] 70 70 port = 6928 71 71 host = "marvin" 72 72 + 73 73 + [paperless] 74 74 + port = 6902 75 75 + host = "marvin" 76 76 + extUrl = "paper.pyrox.dev" 72 77 73 78 [pinchflat] 74 79 port = 6930