Diffstat (limited to 'system/linde.nix')
-rw-r--r--system/linde.nix143
1 files changed, 109 insertions, 34 deletions
diff --git a/system/linde.nix b/system/linde.nix
index 59fa4c77..a34d5d4e 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -15,6 +15,7 @@ let
   net-rdnsip = "2a01:4f8:c012:23a4::53";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
+  ts-domain = "hydra-pinecone.ts.net";
 in
 {
   imports =
@@ -881,17 +882,6 @@ in
               reverse_proxy ${server.host}:${toString server.port}
             '';
           };
-        "papers.alanpearce.eu" = {
-          extraConfig = ''
-            encode zstd gzip
-            handle_path /static/* {
-              root * ${config.services.paperless.package}/lib/paperless-ngx/static
-              file_server
-            }
-            reverse_proxy localhost:${toString config.services.paperless.port}
-
-          '';
-        };
         "binarycache.alanpearce.eu" =
           let
             ns = config.services.nix-serve;
@@ -955,36 +945,121 @@ in
     basePath = "${config.services.gitolite.dataDir}/repositories/";
   };
 
-  users.groups.paperless.members = [ "alan" "syncthing" ];
-  services.paperless = {
+  networking.nat = {
     enable = true;
-    package = pkgs.paperless-ngx;
-    dataDir = "/srv/paperless";
-    settings = {
-      PAPERLESS_DBENGINE = "sqlite";
-      PAPERLESS_TIME_ZONE = "Europe/Berlin";
+    internalInterfaces = [ "ve-+" ];
+    externalInterface = netif;
+    enableIPv6 = true;
+  };
+
+  users.users.paperless = {
+    group = "paperless";
+    uid = config.ids.uids.paperless;
+    home = "/srv/paperless";
+  };
+  users.groups.paperless.members = [ "alan" "syncthing" ];
+  containers.papers =
+    let
+      hostDataDir = config.users.users.paperless.home;
+      localAddress6 = "fc00::2";
+      tsHostname = "papers.${ts-domain}";
+      tsPort = 41642;
+    in
+    {
+      # or maybe socket activated?
+      autoStart = true;
+      # does TS need this?
+      enableTun = true;
+      privateNetwork = true;
+      hostAddress6 = "fc00::1";
+      inherit localAddress6;
+      forwardPorts = [{
+        hostPort = tsPort;
+      }];
+      bindMounts = {
+        ${config.services.paperless.dataDir} = {
+          hostPath = hostDataDir;
+          isReadOnly = false;
+        };
+      };
+      config = {
+        environment.systemPackages = with pkgs; [
+          lsof
+        ];
+        networking = {
+          useHostResolvConf = false;
+          resolvconf.enable = false;
+          firewall.trustedInterfaces = [ "tailscale0" ];
+          firewall.rejectPackets = true;
+          nameservers = config.networking.nameservers;
+        };
+        services.resolved = {
+          enable = true;
+          llmnr = "false";
+        };
+        services.tailscale = {
+          enable = true;
+          openFirewall = true;
+          permitCertUid = "caddy";
+          port = tsPort;
+        };
+        services.caddy = {
+          enable = true;
+          email = "caddy@alanpearce.eu";
+          virtualHosts = {
+            "http://" = {
+              # avoid logging to an awkward file name based on the attribute name i.e. http://
+              hostName = "papers";
+              extraConfig = ''
+                redir ${tsHostname}{uri}
+              '';
+            };
+            ${tsHostname} = {
+              extraConfig = ''
+                encode zstd gzip
+                tls {
+                  get_certificate tailscale
+                }
+                handle_path /static/* {
+                  root * ${config.services.paperless.package}/lib/paperless-ngx/static
+                  file_server
+                }
+                reverse_proxy [::1]:${toString config.services.paperless.port}
+              '';
+            };
+          };
+        };
+        services.paperless = {
+          enable = true;
+          address = "[::1]";
+          settings = {
+            PAPERLESS_DBENGINE = "sqlite";
+            PAPERLESS_TIME_ZONE = "Europe/Berlin";
 
-      PAPERLESS_URL = "https://papers.alanpearce.eu";
-      PAPERLESS_TRUSTED_PROXIES = "127.0.0.1";
-      PAPERLESS_USE_X_FORWARD_HOST = true;
-      PAPERLESS_USE_X_FORWARD_PORT = true;
-      PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
-      PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
+            PAPERLESS_URL = "https://${tsHostname}";
+            PAPERLESS_TRUSTED_PROXIES = "[::1]";
+            PAPERLESS_USE_X_FORWARD_HOST = true;
+            PAPERLESS_USE_X_FORWARD_PORT = true;
+            PAPERLESS_PROXY_SSL_HEADER = [ "HTTP_X_FORWARDED_PROTO" "https" ];
+            PAPERLESS_ENABLE_COMPRESSION = false; # let caddy do it
 
-      PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
-      PAPERLESS_OCR_LANGUAGE = "deu+eng";
-      PAPERLESS_IGNORE_DATES = "09.08.90";
+            PAPERLESS_OCR_SKIP_ARCHIVE_FILE = "with_text";
+            PAPERLESS_OCR_LANGUAGE = "deu+eng";
+            PAPERLESS_IGNORE_DATES = "09.08.90";
 
-      PAPERLESS_TASK_WORKERS = 2;
-      PAPERLESS_THREADS_PER_WORKER = 1;
-      PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
+            PAPERLESS_TASK_WORKERS = 2;
+            PAPERLESS_THREADS_PER_WORKER = 1;
+            PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
 
-      PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ".stfolder/*" ".stversions/*" ];
+            PAPERLESS_CONSUMER_IGNORE_PATTERN = [ ".DS_STORE/*" "desktop.ini" ".stfolder/*" ".stversions/*" ];
 
-      PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}";
-      PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true;
+            PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}";
+            PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true;
+          };
+        };
+        system.stateVersion = "24.11";
+      };
     };
-  };
 
   services.etcd = {
     enable = true;
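Review bot: `PAPERLESS_TRUSTED_PROXIES = "[::1]";` in the container's `services.paperless.settings` uses URL-style brackets, but Paperless documents that setting as a comma-separated list of IP addresses or CIDR ranges, so the bracketed form most likely never matches the loopback source Caddy connects from and the real client address is dropped from failed-login log lines (the previous value `127.0.0.1` had the right shape); it should read `PAPERLESS_TRUSTED_PROXIES = "::1";`, while the brackets in `address = "[::1]"` follow the separate bind-string convention and can stay. `forwardPorts = [{ hostPort = tsPort; }]` relies on the NixOS default `protocol = "tcp"`, yet the Tailscale listen port carries WireGuard over UDP, so if the forward is meant to allow direct peer connections it needs `protocol = "udp";`, and the host firewall would also have to admit that port, which is outside this hunk. Inside `containers.papers.config`, `config.services.paperless.package`, `.port`, `.dataDir` and `config.networking.nameservers` resolve against the host module's `config` rather than the container's, which only works because the host's now-disabled paperless options still default to the same package, port and data directory; making the container body a module function (`config = { config, ... }: { ... }`) or referencing `config.containers.papers.config.services.paperless.dataDir` for the bind mount would make that coupling explicit. The enclosing module attribute set continues past the end of the hunk.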