DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added Paperless ngx; bumped version of frontpage

Browse Source
This commit is contained in:
DerGrumpf
2026-04-25 03:07:49 +02:00
parent 58982e7741
commit 335de2ad15
4 changed files with 80 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hosts/cyper-controller/configuration.nix
+1
View File
@@ -13,6 +13,7 @@
../../nixos/roles/vaultwarden.nix
../../nixos/roles/frontpage
../../nixos/roles/cage.nix
../../nixos/roles/paperless-ngx.nix
];
networking = {
nixos/roles/frontpage/frontpage.nix
+32 -27
View File
@@ -1,40 +1,45 @@
{ config, lib, ... }:
let
address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
ip = builtins.elemAt (lib.splitString "/" address) 0;
mkFlameInstance =
{
name,
port,
extraVolumes ? [ ],
}:
lib.nameValuePair name {
image = "pawelmalak/flame:2.4.0";
ports = [ "${toString port}:5005" ];
volumes = [
"/var/lib/flame-${name}:/app/data"
]
++ extraVolumes;
environmentFiles = [ config.sops.secrets."flame_${name}_password".path ];
};
instances = [
{
name = "phil";
port = 15005;
extraVolumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
}
{
name = "calvin";
port = 15006;
}
];
in
{
sops.secrets.flame_password = { };
sops.secrets.flame_calvin_password = { };
sops.secrets = lib.listToAttrs (
map ({ name, ... }: lib.nameValuePair "flame_${name}_password" { }) instances
);
virtualisation = {
docker.enable = true;
oci-containers = {
backend = "docker";
containers = {
flame = {
image = "pawelmalak/flame:latest";
ports = [ "15005:5005" ];
volumes = [
"/var/lib/flame:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [ config.sops.secrets.flame_password.path ];
};
flame-calvin = {
image = "pawelmalak/flame:latest";
ports = [ "15006:5005" ];
volumes = [ "/var/lib/flame-calvin:/app/data" ];
environmentFiles = [ config.sops.secrets.flame_calvin_password.path ];
};
};
containers = lib.listToAttrs (map mkFlameInstance instances);
};
};
networking.firewall.allowedTCPPorts = [
15005
15006
];
networking.firewall.allowedTCPPorts = map ({ port, ... }: port) instances;
}
nixos/roles/paperless-ngx.nix
+44
View File
@@ -0,0 +1,44 @@
{ pkgs, ... }:
{
services.paperless = {
enable = true;
package = pkgs.paperless-ngx;
address = "0.0.0.0";
port = 28101;
settings = {
# Da der Proxy auf einem anderen Server (via Tailscale) liegt:
# Erlaubt Paperless, die 'X-Forwarded-*' Header zu akzeptieren
PAPERLESS_USE_X_FORWARDED_HOST = "true";
PAPERLESS_USE_X_FORWARDED_PORT = "true";
# Erlaubt den Zugriff über die Domain UND die Tailscale-IP
# Der Stern '*' ist die einfachste Lösung für private Server
PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
# Füge die IP auch zu den vertrauenswürdigen Ursprüngen hinzu (für CSRF)
PAPERLESS_CSRF_TRUSTED_ORIGINS = [
"https://ngx.cyperpunk.de"
"http://100.109.179.25:28101"
];
# Restliche Einstellungen bleiben gleich
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume"; # Falls du den Bind-Mount nutzt
PAPERLESS_URL = "https://ngx.cyperpunk.de";
};
};
# Gruppe und Berechtigungen wie besprochen
users.users.paperless.extraGroups = [ "users" ];
systemd.tmpfiles.rules = [
"d /storage/internal/paperless 0775 root users -"
"z /storage/internal/paperless 0775 root users -"
];
# Öffne den Port für Tailscale (oder das lokale Netz)
networking.firewall.allowedTCPPorts = [ 28101 ];
}
secrets/secrets.yaml
+3 -3
View File
@@ -5,7 +5,7 @@ grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds
matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str]
matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str]
vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str]
flame_password: ENC[AES256_GCM,data:1rNB2CskrMV3EYII+0JfZVDvZE8=,iv:pHJtc+1YSPRYrZG97X3r0+x/cPPUlr8jO+0w2HR+VNw=,tag:qQ/1IPxweBt9iIH4Zsh7+A==,type:str]
flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str]
flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str]
gitea:
dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str]
@@ -25,7 +25,7 @@ sops:
N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-21T21:07:46Z"
mac: ENC[AES256_GCM,data:pMpc0UWS11OUvY1KS0D6GZkOP1EXM3b9+2VCS23P8js2MAktfzRjfhS2/KKx4XS1tpiHxmoF/eUmZqD+gqIIci4fVx3mpm2lMMx6HpOokM7Q8AEC2cOyJ9NInaZO5ogE7TY81oT8qnuOHPw3sFQARN9e0PLdJajrWWHX6gR2Odk=,iv:yks2AnUrP/6QeIrGGO4w66hvKHTtbFEPVC0GKptWa8g=,tag:VRuaTgfcM2dSi20jYYfp+w==,type:str]
lastmodified: "2026-04-25T01:01:15Z"
mac: ENC[AES256_GCM,data:LEoQilJrVhhzLdAyMz2xugOlnsu1j3XyCJbRLnMpRivbOFlqOu9dvwAJJ8gDzizOxTwh/24YD14f+njdPGNSB42O9sD9Mcb9UdB3N2pzHNaaUYQXFDHdqfxTQ93sYkwOP4KZHbMgbtzb1a/1a+G2cLhBcmIZSdOdkAzcVwUVmVY=,iv:D9xDKS2X6AiJi61/a/YbU+DvhTq5XB30HvE85i5lGvo=,tag:ztDsyGvk4KhBa6NJdOqhGg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2