New service: Paperless-ngx

2025-05-05 22:42:35 +02:00 · 2025-05-05 22:42:35 +02:00 · 0b0ddfc2f9
commit 0b0ddfc2f9
parent 30cfbe9efd
9 changed files with 264 additions and 0 deletions
--- a/modules/services/paperless-ngx.nix
+++ b/modules/services/paperless-ngx.nix
@ -0,0 +1,134 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.services.paperless;
+  defaultSettings = {
+    PAPERLESS_DBHOST = "/run/postgresql";
+    PAPERLESS_TIKA_ENABLED = true;
+    PAPERLESS_TIKA_ENDPOINT = "http://localhost:${toString config.services.tika.port}";
+    PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${toString config.services.gotenberg.port}";
+    PAPERLESS_OCR_LANGUAGE = "eng+ita";
+    PAPERLESS_OCR_USER_ARGS = {
+      optimize = 1;
+      pdfa_image_compression = "lossless";
+      # Allow OCRmyPDF to modify signed PDFs, since original is also stored
+      # https://github.com/paperless-ngx/paperless-ngx/issues/7383
+      invalidate_digital_signatures = true;
+    };
+  };
+in
+{
+
+  options.my.services.paperless = {
+    enable = lib.mkEnableOption "Enable Paperless NGX module";
+
+    passwordFile = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/paperless/password";
+      description = "File with the Paperless NGX access password";
+    };
+
+    mediaDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/paperless/media";
+      description = "Directory with the Paperless NGX media files";
+    };
+
+    settings = lib.mkOption {
+      default = { };
+      description = ''
+        Paperless settings as described here: https://search.nixos.org/options?type=packages&query=services.paperless.settings
+      '';
+      inherit (pkgs.formats.json { }) type;
+    };
+
+    proxy = {
+      enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+      domain = lib.mkOption {
+        default = "example.com";
+        type = lib.types.str;
+        description = ''
+          The domain where Caddy is reachable
+        '';
+      };
+
+      subdomain = lib.mkOption {
+        default = "docs";
+        type = lib.types.str;
+        description = ''
+          The subdomain where Paperless NGX is reachable
+        '';
+      };
+
+      host = lib.mkOption {
+        default = "localhost";
+        type = lib.types.str;
+        description = ''
+          host name where the service is running
+        '';
+      };
+
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+
+      my.services.postgresql = {
+        enable = true;
+        ensures = [
+          {
+            username = "paperless";
+            database = "paperless";
+          }
+        ];
+      };
+
+      services.tika = {
+        enable = true;
+        enableOcr = true;
+      };
+
+      services.gotenberg = {
+        enable = true;
+        chromium.disableJavascript = true;
+        extraArgs = [
+          "--chromium-allow-list=file:///tmp/.*"
+        ];
+      };
+
+      services.paperless = {
+        enable = true;
+        address = "0.0.0.0";
+        settings =
+          defaultSettings
+          // cfg.settings
+          // {
+            PAPERLESS_URL = "https://${cfg.proxy.subdomain}.${cfg.proxy.domain}";
+          };
+        passwordFile = cfg.passwordFile;
+        mediaDir = cfg.mediaDir;
+        openMPThreadingWorkaround = true;
+      };
+
+      networking.firewall.allowedTCPPorts = [
+        config.services.paperless.port
+      ];
+
+    })
+
+    (lib.mkIf cfg.proxy.enable {
+      services.caddy = with cfg.proxy; {
+        virtualHosts."${subdomain}.${domain}".extraConfig = ''
+          reverse_proxy http://${host}:${toString config.services.paperless.port}
+          import cloudflare_${domain}
+        '';
+      };
+    })
+  ];
+}