Hardened Paperless

2026-04-28 23:22:41 +02:00
parent 3dc398a460
commit d824b42a2b
2 changed files with 42 additions and 31 deletions
+39 -29
@@ -1,39 +1,49 @@
{ pkgs, ... }:
{ config, ... }:
{
services = {
paperless = {
enable = true;
package = pkgs.paperless-ngx;
address = "0.0.0.0";
port = 28101;
settings = {
PAPERLESS_USE_X_FORWARDED_HOST = "true";
PAPERLESS_USE_X_FORWARDED_PORT = "true";
PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
PAPERLESS_CSRF_TRUSTED_ORIGINS = [
"https://ngx.cyperpunk.de"
"http://100.109.179.25:28101"
];
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume";
PAPERLESS_URL = "https://ngx.cyperpunk.de";
};
sops.secrets.paperless_admin = {
owner = "paperless";
};
services.paperless = {
enable = true;
address = "0.0.0.0";
port = 28101;
domain = "ngx.cyperpunk.de";
consumptionDir = "/var/lib/paperless/consume";
dataDir = "/storage/fast/paperless";
configureTika = true;
passwordFile = config.sops.secrets.paperless_admin.path;
settings = {
PAPERLESS_USE_X_FORWARDED_HOST = true;
PAPERLESS_USE_X_FORWARDED_PORT = true;
PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
PAPERLESS_CSRF_TRUSTED_ORIGINS = [
"https://ngx.cyperpunk.de"
"http://100.109.179.25:28101"
];
PAPERLESS_OCR_LANGUAGE = "deu+eng";
};
exporter = {
enable = true;
};
exporter = {
enable = true;
directory = "/storage/backup/paperless";
};
};
users.users.paperless.extraGroups = [ "users" ];
systemd.tmpfiles.rules = [
"d /storage/internal/paperless 0775 root users -"
"z /storage/internal/paperless 0775 root users -"
];
systemd = {
tmpfiles.rules = [
"d /storage/fast/paperless 0775 paperless paperless -"
"d /storage/fast/paperless/media 0775 paperless paperless -"
"d /storage/fast/paperless/consume 0775 paperless paperless -"
"d /storage/backup/paperless 0775 root users -"
];
networking.firewall.allowedTCPPorts = [
28101
];
services.paperless-scheduler = {
after = [ "systemd-tmpfiles-setup.service" ];
requires = [ "systemd-tmpfiles-setup.service" ];
};
};
networking.firewall.allowedTCPPorts = [ 28101 ];
}
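Review bot: The tmpfiles rules that appear to be on the new side create `/storage/fast/paperless`, its `media` and `consume` subdirectories and `/storage/backup/paperless` with mode 0775, so every local account can list and traverse the document store and the exporter output; `"d /storage/fast/paperless 0750 paperless paperless -"`, with the same mode on the subdirectories, would fit a hardening commit better. The service also still listens on `0.0.0.0` with port 28101 opened in the firewall while `PAPERLESS_USE_X_FORWARDED_HOST` and `PAPERLESS_USE_X_FORWARDED_PORT` are enabled, so a client that reaches the port directly rather than through the proxy can set those headers itself; binding `address` to the proxy-facing interface or scoping the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` would close that path. `consumptionDir` points at `/var/lib/paperless/consume` while the rules create `/storage/fast/paperless/consume`, which looks unintended. The +/- markers are lost on this page, so which lines are new is inferred from the `services.paperless` attribute layout.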