author | Alan Pearce | 2024-12-29 22:41:50 +0100 |
---|---|---|
committer | Alan Pearce | 2024-12-29 22:41:50 +0100 |
commit | 50e3862ef17fa0aeff2e61b4e3cb61934548721f (patch) | |
tree | 54badc9b77fb4e2de25c06200c0c6cc7ad4ae959 | |
parent | cd7bf3cf7596e757e45235d6ad1c8c56a5596636 (diff) | |
linde: move paperless media to storage box volume
-rw-r--r-- | secrets/cifs-paperless.age | 7 | ||||
-rw-r--r-- | system/linde.nix | 42 |
2 files changed, 44 insertions, 5 deletions
diff --git a/secrets/cifs-paperless.age b/secrets/cifs-paperless.age new file mode 100644 index 00000000..8a510314 --- /dev/null +++ b/secrets/cifs-paperless.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cvV2sw m5nrwSF0dhp432vdyHt9qn9VU46NwF5uoILs2uKRyG4 +9QBfJXCjT9BBMIzou/oweWhenkYmP9q2whE8G6Q+15Q +-> piv-p256 VBDKjg A2aESbZZG7090wQqjU8IljN+G+Gja5MpIeYdcsS4eyqC +Ow0/HkI2/Wp1sTQyhmDfVRD6yaufkHiNX+nuzQhywhw +--- CNUUxOYG0GgCGlZ7mDkBltwsynq7OhEY5vBxmwg6l74 +Jì«1ˆ˜™Ó£k½mçÍEkM®J½O*4<#1)¢Í–Ôs claã$*ñ%<¢z^NQT1ø€Š‰º¡£ù\–‘xE›ZØ›ÄU$—€²Û \ No newline at end of file diff --git a/system/linde.nix b/system/linde.nix index 6628637e..6fcd28ad 100644 --- a/system/linde.nix +++ b/system/linde.nix @@ -47,6 +47,7 @@ in redis-website.file = ../secrets/redis-website.age; photoprism.file = ../secrets/photoprism.age; cifs-photoprism.file = ../secrets/cifs-photoprism.age; + cifs-paperless.file = ../secrets/cifs-paperless.age; golink = let golink = config.services.golink; in { # hope this doesn't collide... path = "${golink.dataDir}/.config/tsnet-golink/auth.key"; 
@@ -816,15 +817,41 @@ in home = "/srv/paperless"; }; users.groups.paperless.members = [ "alan" "syncthing" ]; + + fileSystems."/srv/paperless" = { + device = "//u439959-sub3.your-storagebox.de/u439959-sub3"; + fsType = "smb3"; + options = + let + # prevents hanging on network split + automount_opts = [ + "x-systemd.automount" + "noauto" + "x-systemd.idle-timeout=1h" + "x-systemd.mount-timeout=5s" + ]; + uid = config.ids.uids.paperless; + in + automount_opts ++ [ + "credentials=${config.age.secrets.cifs-paperless.path}" + "seal" + "multichannel" + "nobrl" # needed for sqlite + "forceuid" + "forcegid" + "uid=${toString uid}" + "gid=${toString uid}" + ]; + }; containers.papers = let - hostDataDir = config.users.users.paperless.home; + externalDir = "/srv/paperless"; localAddress6 = "fc00::2"; tsHostname = "papers.${ts-domain}"; tsPort = 41642; + hostConfig = config; in { - # or maybe socket activated? autoStart = true; # does TS need this? enableTun = true; @@ -836,11 +863,15 @@ in }]; bindMounts = { ${config.services.paperless.dataDir} = { - hostPath = hostDataDir; + hostPath = hostConfig.services.paperless.dataDir; + isReadOnly = false; + }; + ${externalDir} = { + hostPath = externalDir; isReadOnly = false; }; }; - config = { + config = { config, lib, pkgs, ... }: { environment.systemPackages = with pkgs; [ lsof ]; @@ -849,7 +880,7 @@ in resolvconf.enable = false; firewall.trustedInterfaces = [ "tailscale0" ]; firewall.rejectPackets = true; - nameservers = config.networking.nameservers; + nameservers = hostConfig.networking.nameservers; }; services.resolved = { enable = true; @@ -908,6 +939,7 @@ in services.paperless = { enable = true; address = "[::1]"; + mediaDir = "${externalDir}/media"; settings = { PAPERLESS_DBENGINE = "sqlite"; PAPERLESS_TIME_ZONE = "Europe/Berlin"; |
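Review bot: The new `fileSystems."/srv/paperless"` mount sets `forceuid`/`forcegid` and an owner but no `file_mode`/`dir_mode`, so cifs falls back to its defaults (0755 per mount.cifs(8)) and every local user on the host can read the paperless documents. Adding `"file_mode=0660"` and `"dir_mode=0770"` to the option list would keep access to the paperless user and group (tighten to 0640/0750 if the group members only need to read). Separately, `"gid=${toString uid}"` passes the uid as the group id; it presumably works because the two ids coincide, but `config.ids.gids.paperless` states the intent. The surrounding attribute set continues outside the hunk.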
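Review bot: The `${externalDir}` entry in `bindMounts` (hunk `@@ -836,11 +863,15 @@`) hands the container the whole storage-box share read-write, while the only use visible in this diff is `mediaDir = "${externalDir}/media"`. If nothing else in the container needs the share root, binding just the media directory (`"${externalDir}/media" = { hostPath = "${externalDir}/media"; isReadOnly = false; };`) limits what a compromised paperless process can modify. The `containers.papers` definition runs past this hunk, so other consumers of the path may exist there.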
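Review bot: `mediaDir` (hunk `@@ -908,6 +939,7 @@`) now places the document originals on a third-party share, and the only protection visible in this commit is `seal`, which encrypts the SMB transport and not the files at rest. A comment next to the setting would record that decision, e.g. `# stored unencrypted on the storage box; "seal" covers transport only`. `services.paperless` continues outside the hunk.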