DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Hardened Paperless

Browse Source
This commit is contained in:
DerGrumpf
2026-04-28 23:22:41 +02:00
parent 3dc398a460
commit d824b42a2b
2 changed files with 42 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixos/roles/paperless-ngx.nix
+25 -15
View File
@@ -1,39 +1,49 @@
{ pkgs, ... }: { config, ... }:
{ {
services = { sops.secrets.paperless_admin = {
paperless = { owner = "paperless";
};
services.paperless = {
enable = true; enable = true;
package = pkgs.paperless-ngx;
address = "0.0.0.0"; address = "0.0.0.0";
port = 28101; port = 28101;
domain = "ngx.cyperpunk.de";
consumptionDir = "/var/lib/paperless/consume";
dataDir = "/storage/fast/paperless";
configureTika = true;
passwordFile = config.sops.secrets.paperless_admin.path;
settings = { settings = {
PAPERLESS_USE_X_FORWARDED_HOST = "true"; PAPERLESS_USE_X_FORWARDED_HOST = true;
PAPERLESS_USE_X_FORWARDED_PORT = "true"; PAPERLESS_USE_X_FORWARDED_PORT = true;
PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost"; PAPERLESS_ALLOWED_HOSTS = "ngx.cyperpunk.de,100.109.179.25,localhost";
PAPERLESS_CSRF_TRUSTED_ORIGINS = [ PAPERLESS_CSRF_TRUSTED_ORIGINS = [
"https://ngx.cyperpunk.de" "https://ngx.cyperpunk.de"
"http://100.109.179.25:28101" "http://100.109.179.25:28101"
]; ];
PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_CONSUMPTION_DIR = "/var/lib/paperless/consume";
PAPERLESS_URL = "https://ngx.cyperpunk.de";
}; };
exporter = { exporter = {
enable = true; enable = true;
}; directory = "/storage/backup/paperless";
}; };
}; };
users.users.paperless.extraGroups = [ "users" ]; users.users.paperless.extraGroups = [ "users" ];
systemd.tmpfiles.rules = [ systemd = {
"d /storage/internal/paperless 0775 root users -" tmpfiles.rules = [
"z /storage/internal/paperless 0775 root users -" "d /storage/fast/paperless 0775 paperless paperless -"
"d /storage/fast/paperless/media 0775 paperless paperless -"
"d /storage/fast/paperless/consume 0775 paperless paperless -"
"d /storage/backup/paperless 0775 root users -"
]; ];
networking.firewall.allowedTCPPorts = [ services.paperless-scheduler = {
28101 after = [ "systemd-tmpfiles-setup.service" ];
]; requires = [ "systemd-tmpfiles-setup.service" ];
};
};
networking.firewall.allowedTCPPorts = [ 28101 ];
} }
secrets/secrets.yaml
+3 -2
View File
@@ -7,6 +7,7 @@ matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8
vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str] vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str]
flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str] flame_phil_password: ENC[AES256_GCM,data:Xy2ixMeRlnzC2gjKGrjfSbz/ee4=,iv:WFuBS8jn7WYRxEDG3XBzCMnm4eNkHQpSs5+GUwq/dcg=,tag:1zzj0eB9/4KrmYAqcxJMlg==,type:str]
flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str] flame_calvin_password: ENC[AES256_GCM,data:P5ppyqTjAJ1TL4hXtx5WyoS9a+g=,iv:sq98P3Oqud2FXfqsD76YS/p5NEF2xlN0MfG+ukCB9B0=,tag:AeKnu4Hg4xQ3tII0y6oNpQ==,type:str]
paperless_admin: ENC[AES256_GCM,data:sVvlMQ3dDE2XsDfpwpCTbzPCEKdUMNTFtRXDIuBbgyf1gd6oiJzE23Ytc57plNUGg5h5aEtgxZ7NXeuK5vrhQw==,iv:x+QNAzY9k9t23UYlM9GcAke0urEA5jlV0VzHaBQkm7M=,tag:D/bMtjuwrX6pquZfJLwdkQ==,type:str]
gitea: gitea:
dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str] dbPassword: ENC[AES256_GCM,data:S6VvRgkdYk1AzXljyQEEq68UJ9zrFy6+INBMIAspXNcqcM6o+es19o0mcXA=,iv:/pHYpkZZq+9Md+75uSCb2YXfSvaDzUh6mMfH53wb7eg=,tag:ZnbyCQwrK2JnbO5HFqgJYw==,type:str]
internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str] internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
@@ -25,7 +26,7 @@ sops:
N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-28T20:24:56Z" lastmodified: "2026-04-28T20:56:41Z"
mac: ENC[AES256_GCM,data:ckUMW2VucN8foLbSk8iKBHOtIOSFi0eOy4d0unLlJZpaKEFO91UofHN00Gh+sfw3jG0VNRWGUhAGxQC+di4LFbITlODPkWOzY10FMAES5FSQVyKkW9gnQY/BGbHlDX63iwZ9FLQEbCg4LSVA1emVlCmZ5QEYy5bBH7LddNdnEbo=,iv:u9akYdHujAuFoSAv0Q7rcsSAn5PJZhBhkKjrBWn0XBg=,tag:GvN2Kgi2+5bTZ7t/tZASRw==,type:str] mac: ENC[AES256_GCM,data:7LzlnFm2R7YFtZ2Nei/uOG2G/VSGcN3KQtTZSUM+TKvPXgCcFXa/ZF8u4WtoXSJOiVTJ9gQ2wvtKjW8OPtd4ALGId33dM4fapB9fl3LTF9hgVpu01s5kIkYKPf1bRZ8vpsFzMUoPDUHXgIlTgobf9dTxeyu6utBrM9+7AHCQxV4=,iv:LYgDr+10bXmk9Jg0oyvfr3jty4Y7GeFDuUMkjsXYzXs=,tag:/553lafJUjOdUrljLYd2Wg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.2