author | Alan Pearce | 2024-06-03 15:58:13 +0200 |
---|---|---|
committer | Alan Pearce | 2024-06-03 15:58:13 +0200 |
commit | f5a6699de087225feec13f3de66c02f4986e99c0 (patch) | |
tree | 95e73f4a84611f7dceb84a6d5ab04df77cf8a07c | |
parent | a3f1ee0c6a21bbeae26752557ad8612d0b0ba5de (diff) | |
linde: move paperless to tailscale container
-rw-r--r-- | system/linde.nix | 143 |
1 files changed, 109 insertions, 34 deletions
diff --git a/system/linde.nix b/system/linde.nix
index 59fa4c77..a34d5d4e 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -15,6 +15,7 @@ let
 net-rdnsip = "2a01:4f8:c012:23a4::53";
 net-mask6 = "64";
 net-gw6 = "fe80::1";
+ ts-domain = "hydra-pinecone.ts.net";
 in
 {
 imports =
@@ -881,17 +882,6 @@ in
 reverse_proxy ${server.host}:${toString server.port}
 '';
 };
- "papers.alanpearce.eu" = {
- extraConfig = ''
- encode zstd gzip
- handle_path /static/* {
- root * ${config.services.paperless.package}/lib/paperless-ngx/static
- file_server
- }
- reverse_proxy localhost:${toString config.services.paperless.port}
-
- '';
- };
 "binarycache.alanpearce.eu" =
 let
 ns = config.services.nix-serve;
@@ -955,36 +945,121 @@ in
 basePath = "${config.services.gitolite.dataDir}/repositories/";
 };
 
- users.groups.paperless.members = [ "alan" "syncthing" ];
- services.paperless = {
+ networking.nat = {
 enable = true;
- package = pkgs.paperless-ngx;
- dataDir = "/srv/paperless";
- settings = {
- PAPERLESS_DBENGINE = "sqlite";
- PAPERLESS_TIME_ZONE = "Europe/Berlin";
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = netif;
+ enableIPv6 = true;
+ };
+
+ users.users.paperless = {
+ group = "paperless";
+ uid = config.ids.uids.paperless;
+ home = "/srv/paperless";
+ };
+ users.groups.paperless.members = [ "alan" "syncthing" ];
+ containers.papers =
+ let
+ hostDataDir = config.users.users.paperless.home;
+ localAddress6 = "fc00::2";
+ tsHostname = "papers.${ts-domain}";
+ tsPort = 41642;
+ in
+ {
+ # or maybe socket activated?
+ autoStart = true;
+ # does TS need this?
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress6 = "fc00::1";
+ inherit localAddress6;
+ forwardPorts = [{
+ hostPort = tsPort;
+ }];
+ bindMounts = {
+ ${config.services.paperless.dataDir} = {
+ hostPath = hostDataDir;
+ isReadOnly = false;
+ };
+ };
+ config = {
+ environment.systemPackages = with pkgs; [
+ lsof
+ ];
+ networking = {
+ useHostResolvConf = false;
+ resolvconf.enable = false;
+ firewall.trustedInterfaces = [ "tailscale0" ];
+ firewall.rejectPackets = true;
+ nameservers = config.networking.nameservers;
+ };
+ services.resolved = {
+ enable = true;
+ llmnr = "false";
+ };
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ permitCertUid = "caddy";
+ port = tsPort;
+ };
+ services.caddy = {
+ enable = true;
+ email = "caddy@alanpearce.eu";
+ virtualHosts = {
+ "http://" = {
+ # avoid logging to an awkward file name based on the attribute name i.e. http://
+ hostName = "papers";
+ extraConfig = ''
+ redir ${tsHostname}{uri}
+ '';
+ };
+ ${tsHostname} = {
+ extraConfig = ''
+ encode zstd gzip
+ tls {
+ get_certificate tailscale
+ }
+ handle_path /static/* {
+ root * ${config.services.paperless.package}/lib/paperless-ngx/static
+ file_server
+ }
+ reverse_proxy [::1]:${toString config.services.paperless.port}
+ '';
+ };
+ };
+ };
+ services.paperless = {
+ enable = true;
+ address = "[::1]";
+ settings = {
+ PAPERLESS_DBENGINE = "sqlite";
+ PAPERLESS_TIME_ZONE = "Europe/Berlin";
 
- PAPERLESS_URL = "https://papers.alanpearce.eu";
- PAPERLESS_TRUSTED_PROXIES = "127.0.0.1";
- PAPERLESS_USE_X_FORWARD_HOST = true;
- PAPERLESS_USE_X_FORWARD_PORT = true;
- PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
- PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
+ PAPERLESS_URL = "https://${tsHostname}";
+ PAPERLESS_TRUSTED_PROXIES = "[::1]";
+ PAPERLESS_USE_X_FORWARD_HOST = true;
+ PAPERLESS_USE_X_FORWARD_PORT = true;
+ PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
+ PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
 
- PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
- PAPERLESS_OCR_LANGUAGE = "deu+eng";
- PAPERLESS_IGNORE_DATES = "09.08.90";
+ PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ PAPERLESS_IGNORE_DATES = "09.08.90";
 
- PAPERLESS_TASK_WORKERS = 2;
- PAPERLESS_THREADS_PER_WORKER = 1;
- PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
+ PAPERLESS_TASK_WORKERS = 2;
+ PAPERLESS_THREADS_PER_WORKER = 1;
+ PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
 
- PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ".stfolder/*" ".stversions/*" ];
+ PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ".stfolder/*" ".stversions/*" ];
 
- PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}";
- PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true;
+ PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}";
+ PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true;
+ };
+ };
+ system.stateVersion = "24.11";
+ };
 };
- };
 
 services.etcd = {
 enable = true;
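Review bot: The plain-HTTP catch-all's `redir ${tsHostname}{uri}` carries no scheme, so Caddy emits a Location of `papers.hydra-pinecone.ts.net/<path>` that clients resolve relative to the current origin instead of switching to the TLS site; it should read `redir https://${tsHostname}{uri}`. The `forwardPorts` entry sets only `hostPort = tsPort`, and the NixOS container option's `protocol` defaults to TCP, while `services.tailscale.port` is tailscaled's WireGuard UDP listener — if direct (non-relayed) peer connections to the container are intended, `protocol = "udp";` is presumably needed, so confirm against what tailscaled actually binds. The `config.services.paperless.dataDir`, `.package` and `.port` references inside the container body resolve against the host's option values (the container `config` is an attrset, not a `{ config, ... }:` module function), and the host no longer enables paperless after this change, so the bind-mount path and reverse_proxy target only line up while host and container defaults happen to coincide; setting `services.paperless.dataDir` explicitly in the container, or making the container config a module function, would pin that.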