Diffstat (limited to 'system/linde.nix')
-rw-r--r-- | system/linde.nix | 42 |
1 files changed, 37 insertions, 5 deletions
diff --git a/system/linde.nix b/system/linde.nix index 6628637e..6fcd28ad 100644 --- a/system/linde.nix +++ b/system/linde.nix @@ -47,6 +47,7 @@ in redis-website.file = ../secrets/redis-website.age; photoprism.file = ../secrets/photoprism.age; cifs-photoprism.file = ../secrets/cifs-photoprism.age; + cifs-paperless.file = ../secrets/cifs-paperless.age; golink = let golink = config.services.golink; in { # hope this doesn't collide... path = "${golink.dataDir}/.config/tsnet-golink/auth.key"; @@ -816,15 +817,41 @@ in home = "/srv/paperless"; }; users.groups.paperless.members = [ "alan" "syncthing" ]; + + fileSystems."/srv/paperless" = { + device = "//u439959-sub3.your-storagebox.de/u439959-sub3"; + fsType = "smb3"; + options = + let + # prevents hanging on network split + automount_opts = [ + "x-systemd.automount" + "noauto" + "x-systemd.idle-timeout=1h" + "x-systemd.mount-timeout=5s" + ]; + uid = config.ids.uids.paperless; + in + automount_opts ++ [ + "credentials=${config.age.secrets.cifs-paperless.path}" + "seal" + "multichannel" + "nobrl" # needed for sqlite + "forceuid" + "forcegid" + "uid=${toString uid}" + "gid=${toString uid}" + ]; + }; containers.papers = let - hostDataDir = config.users.users.paperless.home; + externalDir = "/srv/paperless"; localAddress6 = "fc00::2"; tsHostname = "papers.${ts-domain}"; tsPort = 41642; + hostConfig = config; in { - # or maybe socket activated? autoStart = true; # does TS need this? enableTun = true; @@ -836,11 +863,15 @@ in }]; bindMounts = { ${config.services.paperless.dataDir} = { - hostPath = hostDataDir; + hostPath = hostConfig.services.paperless.dataDir; + isReadOnly = false; + }; + ${externalDir} = { + hostPath = externalDir; isReadOnly = false; }; }; - config = { + config = { config, lib, pkgs, ... }: { environment.systemPackages = with pkgs; [ lsof ]; 
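Review bot: The option list in the new `fileSystems."/srv/paperless"` block forces the owner but sets no `file_mode`/`dir_mode`, so the cifs defaults apply (0755 unless the server supplies modes) and any local account on the host could read the document archive. Adding `"file_mode=0660"` and `"dir_mode=0770"` keeps access to the paperless user and its group (`alan`, `syncthing`), and `"nosuid"` and `"nodev"` are cheap hardening for a network share. `"gid=${toString uid}"` reuses the uid as the group id; `"gid=${toString config.ids.gids.paperless}"` states the intent and does not rely on the two numbers being equal.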
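Review bot: The new `${externalDir}` bind mount in `bindMounts` has no ordering against the host's CIFS mount, which is `noauto` with `x-systemd.automount` and a 5s mount timeout, while the container is `autoStart = true`. If the share is unmounted or unreachable when the container starts, paperless may end up writing media into the bare local directory, depending on how the bind mount interacts with the automount point, and those files would later be hidden once the share is mounted. Consider a host-side dependency such as `systemd.services."container@papers".unitConfig.RequiresMountsFor = [ "/srv/paperless" ];` and confirm the behaviour with the share offline. The `containers.papers` definition continues outside this hunk.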
@@ -849,7 +880,7 @@ in resolvconf.enable = false; firewall.trustedInterfaces = [ "tailscale0" ]; firewall.rejectPackets = true; - nameservers = config.networking.nameservers; + nameservers = hostConfig.networking.nameservers; }; services.resolved = { enable = true; @@ -908,6 +939,7 @@ in services.paperless = { enable = true; address = "[::1]"; + mediaDir = "${externalDir}/media"; settings = { PAPERLESS_DBENGINE = "sqlite"; PAPERLESS_TIME_ZONE = "Europe/Berlin"; |
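Review bot: The `mediaDir = "${externalDir}/media";` line moves the documents onto the storage box, where `seal` encrypts the SMB session but not the files at rest, so the provider-side copy is plaintext. That trade-off deserves a comment on the line, for example `# on the SMB share: encrypted in transit (seal), not at rest`. The mount hunk carries `"nobrl" # needed for sqlite`, but as far as this hunk shows only the media directory is on the share and the sqlite database stays in `dataDir`. Confirm where the database lives, since `nobrl` stops byte-range locks from reaching the server. The `services.paperless` block continues outside the hunk.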