From 335de2ad15bfb1332a349e16b1547cb4163a8e70 Mon Sep 17 00:00:00 2001
From: DerGrumpf
Date: Sat, 25 Apr 2026 03:07:49 +0200
Subject: [PATCH] Added Paperless ngx; bumped version of frontpage
---
 hosts/cyper-controller/configuration.nix | 1 +
 nixos/roles/frontpage/frontpage.nix | 59 +++++++++++++-----------
 nixos/roles/paperless-ngx.nix | 44 ++++++++++++++++++
 secrets/secrets.yaml | 6 +-
 4 files changed, 80 insertions(+), 30 deletions(-)
 create mode 100644 nixos/roles/paperless-ngx.nix
diff --git a/hosts/cyper-controller/configuration.nix b/hosts/cyper-controller/configuration.nix
index 293f345..5d99c31 100644
--- a/hosts/cyper-controller/configuration.nix
+++ b/hosts/cyper-controller/configuration.nix
@@ -13,6 +13,7 @@ ../../nixos/roles/vaultwarden.nix ../../nixos/roles/frontpage ../../nixos/roles/cage.nix + ../../nixos/roles/paperless-ngx.nix ]; networking = {
diff --git a/nixos/roles/frontpage/frontpage.nix b/nixos/roles/frontpage/frontpage.nix
index c4b6406..3d93b5c 100644
--- a/nixos/roles/frontpage/frontpage.nix
+++ b/nixos/roles/frontpage/frontpage.nix
@@ -1,40 +1,45 @@ { config, lib, ... }: - let - address = config.systemd.network.networks."10-ethernet".networkConfig.Address; - ip = builtins.elemAt (lib.splitString "/" address) 0; + mkFlameInstance = + { + name, + port, + extraVolumes ? [ ], + }: + lib.nameValuePair name { + image = "pawelmalak/flame:2.4.0"; + ports = [ "${toString port}:5005" ]; + volumes = [ + "/var/lib/flame-${name}:/app/data" + ] + ++ extraVolumes; + environmentFiles = [ config.sops.secrets."flame_${name}_password".path ]; + }; + + instances = [ + { + name = "phil"; + port = 15005; + extraVolumes = [ "/var/run/docker.sock:/var/run/docker.sock" ]; + } + { + name = "calvin"; + port = 15006; + } + ]; in { - sops.secrets.flame_password = { }; - sops.secrets.flame_calvin_password = { }; + sops.secrets = lib.listToAttrs ( + map ({ name, ... }: lib.nameValuePair "flame_${name}_password" { }) instances + ); virtualisation = { docker.enable = true; oci-containers = { backend = "docker"; - containers = { - flame = { - image = "pawelmalak/flame:latest"; - ports = [ "15005:5005" ]; - volumes = [ - "/var/lib/flame:/app/data" - "/var/run/docker.sock:/var/run/docker.sock" - ]; - environmentFiles = [ config.sops.secrets.flame_password.path ]; - }; - flame-calvin = { - image = "pawelmalak/flame:latest"; - ports = [ "15006:5005" ]; - volumes = [ "/var/lib/flame-calvin:/app/data" ]; - environmentFiles = [ config.sops.secrets.flame_calvin_password.path ]; - }; - }; + containers = lib.listToAttrs (map mkFlameInstance instances); }; }; - networking.firewall.allowedTCPPorts = [ - 15005 - 15006 - ]; - + networking.firewall.allowedTCPPorts = map ({ port, ... }: port) instances; }
diff --git a/nixos/roles/paperless-ngx.nix b/nixos/roles/paperless-ngx.nix
new file mode 100644
index 0000000..0f83219
--- /dev/null
+++ b/nixos/roles/paperless-ngx.nix
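Review bot: The `phil` instance still mounts `/var/run/docker.sock:/var/run/docker.sock` read-write into the Flame container via `extraVolumes`, which gives that container full control of the Docker daemon and therefore effectively root on the host; the refactor carries this over unchanged and nothing records why it is needed. If the socket is only there for Flame's Docker-based app discovery, consider fronting it with a socket proxy that exposes only the read-only container endpoints, or at least document the trade-off next to the entry, e.g. `# needed for Flame's Docker integration; grants this container daemon-level access to the host`. Separately, `networking.firewall.allowedTCPPorts = map ({ port, ... }: port) instances;` opens 15005/15006 on every interface, and Docker's own iptables rules for published ports generally bypass the NixOS firewall anyway, so if these dashboards are meant to be reached only through the Tailscale proxy it would be more robust to bind the published port to that address, `ports = [ "<TAILSCALE_IP>:${toString port}:5005" ];`. This hunk covers the whole file, so the `let` bindings and the module body are both visible here.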
@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+
+{
+ services.paperless = {
+ enable = true;
+ package = pkgs.paperless-ngx;
+ address = "0.0.0.0";
+ port = 28101;
+
+ settings = {
+
+ # Da der Proxy auf einem anderen Server (via Tailscale) liegt:
+ # Erlaubt Paperless, die 'X-Forwarded-*' Header zu akzeptieren
+ PAPERLESS_USE_X_FORWARDED_HOST = "true";
+ PAPERLESS_USE_X_FORWARDED_PORT = "true";
+
+ # Erlaubt den Zugriff über die Domain UND die Tailscale-IP
+ # Der Stern '*' ist die einfachste Lösung für private Server
+ PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
+
+ # Füge die IP auch zu den vertrauenswürdigen Ursprüngen hinzu (für CSRF)
+ PAPERLESS_CSRF_TRUSTED_ORIGINS = [
+ "https://ngx.cyperpunk.de"
+ "http://100.109.179.25:28101"
+ ];
+
+ # Restliche Einstellungen bleiben gleich
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume"; # Falls du den Bind-Mount nutzt
+ PAPERLESS_URL = "https://ngx.cyperpunk.de";
+ };
+ };
+
+ # Gruppe und Berechtigungen wie besprochen
+ users.users.paperless.extraGroups = [ "users" ];
+
+ systemd.tmpfiles.rules = [
+ "d /storage/internal/paperless 0775 root users -"
+ "z /storage/internal/paperless 0775 root users -"
+ ];
+
+ # Öffne den Port für Tailscale (oder das lokale Netz)
+ networking.firewall.allowedTCPPorts = [ 28101 ];
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 8faa183..956759d 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
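Review bot: `PAPERLESS_CSRF_TRUSTED_ORIGINS` is written as a Nix list, but Paperless reads that variable as a comma-separated string and, as far as I recall, the NixOS module serializes list-valued `settings` to JSON (the shape `PAPERLESS_CONSUMER_IGNORE_PATTERN` expects), so the origins would likely arrive as `["https://…","http://…"]` and never match; please check the generated environment and, if so, use `PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://ngx.cyperpunk.de,http://100.109.179.25:28101";`. The comments describe access as Tailscale-only, yet `address = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ 28101 ];` exposes the port on every interface while `PAPERLESS_USE_X_FORWARDED_HOST`/`_PORT = "true"` trusts forwarding headers from whoever connects directly; binding `address` to the Tailscale IP already listed in `PAPERLESS_ALLOWED_HOSTS`, or scoping the rule as `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 28101 ];` (assuming the default interface name), keeps the exposure in line with the stated intent. The comment `# Der Stern '*' ist die einfachste Lösung für private Server` refers to a wildcard the value does not use and should be dropped. Finally, nothing in this file connects `/storage/internal/paperless` (created group-writable for `users`) to `PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume"`; if the bind mount mentioned in the trailing comment is defined elsewhere, name it here, otherwise the tmpfiles rules are unused.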
@@ -5,7 +5,7 @@ grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds
 matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str]
 matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str]
 vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str]
-flame_password: ENC[AES256_GCM,data:1rNB2CskrMV3EYII+0JfZVDvZE8=,iv:pHJtc+1YSPRYrZG97X3r0+x/cPPUlr8jO+0w2HR+VNw=,tag:qQ/1IPxweBt9iIH4Zsh7+A==,type:str]
+flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str]
 flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str]
 gitea:
 dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str]
@@ -25,7 +25,7 @@ sops:
 N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-21T21:07:46Z"
- mac: ENC[AES256_GCM,data:pMpc0UWS11OUvY1KS0D6GZkOP1EXM3b9+2VCS23P8js2MAktfzRjfhS2/KKx4XS1tpiHxmoF/eUmZqD+gqIIci4fVx3mpm2lMMx6HpOokM7Q8AEC2cOyJ9NInaZO5ogE7TY81oT8qnuOHPw3sFQARN9e0PLdJajrWWHX6gR2Odk=,iv:yks2AnUrP/6QeIrGGO4w66hvKHTtbFEPVC0GKptWa8g=,tag:VRuaTgfcM2dSi20jYYfp+w==,type:str]
+ lastmodified: "2026-04-25T01:01:15Z"
+ mac: ENC[AES256_GCM,data:LEoQilJrVhhzLdAyMz2xugOlnsu1j3XyCJbRLnMpRivbOFlqOu9dvwAJJ8gDzizOxTwh/24YD14f+njdPGNSB42O9sD9Mcb9UdB3N2pzHNaaUYQXFDHdqfxTQ93sYkwOP4KZHbMgbtzb1a/1a+G2cLhBcmIZSdOdkAzcVwUVmVY=,iv:D9xDKS2X6AiJi61/a/YbU+DvhTq5XB30HvE85i5lGvo=,tag:ztDsyGvk4KhBa6NJdOqhGg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.12.2