Added Paperless ngx; bumped version of frontpage

nixos/roles/frontpage/frontpage.nix

@@ -1,40 +1,45 @@
 { config, lib, ... }:
-
 let
-  address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
-  ip = builtins.elemAt (lib.splitString "/" address) 0;
+  mkFlameInstance =
+    {
+      name,
+      port,
+      extraVolumes ? [ ],
+    }:
+    lib.nameValuePair name {
+      image = "pawelmalak/flame:2.4.0";
+      ports = [ "${toString port}:5005" ];
+      volumes = [
+        "/var/lib/flame-${name}:/app/data"
+      ]
+      ++ extraVolumes;
+      environmentFiles = [ config.sops.secrets."flame_${name}_password".path ];
+    };
+
+  instances = [
+    {
+      name = "phil";
+      port = 15005;
+      extraVolumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+    }
+    {
+      name = "calvin";
+      port = 15006;
+    }
+  ];
 in
 {
-  sops.secrets.flame_password = { };
-  sops.secrets.flame_calvin_password = { };
+  sops.secrets = lib.listToAttrs (
+    map ({ name, ... }: lib.nameValuePair "flame_${name}_password" { }) instances
+  );
 
   virtualisation = {
     docker.enable = true;
     oci-containers = {
       backend = "docker";
-      containers = {
-        flame = {
-          image = "pawelmalak/flame:latest";
-          ports = [ "15005:5005" ];
-          volumes = [
-            "/var/lib/flame:/app/data"
-            "/var/run/docker.sock:/var/run/docker.sock"
-          ];
-          environmentFiles = [ config.sops.secrets.flame_password.path ];
-        };
-        flame-calvin = {
-          image = "pawelmalak/flame:latest";
-          ports = [ "15006:5005" ];
-          volumes = [ "/var/lib/flame-calvin:/app/data" ];
-          environmentFiles = [ config.sops.secrets.flame_calvin_password.path ];
-        };
-      };
+      containers = lib.listToAttrs (map mkFlameInstance instances);
     };
   };
 
-  networking.firewall.allowedTCPPorts = [
-    15005
-    15006
-  ];
-
+  networking.firewall.allowedTCPPorts = map ({ port, ... }: port) instances;
 }

nixos/roles/paperless-ngx.nix

@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+
+{
+  services.paperless = {
+    enable = true;
+    package = pkgs.paperless-ngx;
+    address = "0.0.0.0";
+    port = 28101;
+
+    settings = {
+
+      # Da der Proxy auf einem anderen Server (via Tailscale) liegt:
+      # Erlaubt Paperless, die 'X-Forwarded-*' Header zu akzeptieren
+      PAPERLESS_USE_X_FORWARDED_HOST = "true";
+      PAPERLESS_USE_X_FORWARDED_PORT = "true";
+
+      # Erlaubt den Zugriff über die Domain UND die Tailscale-IP
+      # Der Stern '*' ist die einfachste Lösung für private Server
+      PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
+
+      # Füge die IP auch zu den vertrauenswürdigen Ursprüngen hinzu (für CSRF)
+      PAPERLESS_CSRF_TRUSTED_ORIGINS = [
+        "https://ngx.cyperpunk.de"
+        "http://100.109.179.25:28101"
+      ];
+
+      # Restliche Einstellungen bleiben gleich
+      PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume"; # Falls du den Bind-Mount nutzt
+      PAPERLESS_URL = "https://ngx.cyperpunk.de";
+    };
+  };
+
+  # Gruppe und Berechtigungen wie besprochen
+  users.users.paperless.extraGroups = [ "users" ];
+
+  systemd.tmpfiles.rules = [
+    "d /storage/internal/paperless 0775 root users -"
+    "z /storage/internal/paperless 0775 root users -"
+  ];
+
+  # Öffne den Port für Tailscale (oder das lokale Netz)
+  networking.firewall.allowedTCPPorts = [ 28101 ];
+}