From 6836cd547307f4b8f689f574ed9075dbc14131b0 Mon Sep 17 00:00:00 2001
From: Kabbone <tobias@opel-online.de>
Date: Thu, 26 Feb 2026 20:10:05 +0100
Subject: [PATCH] nas: add paperless

---
 modules/services/nas/paperless.nix    | 39 +++++++++++++++++++++++++++
 secrets/secrets.nix                   |  1 +
 secrets/services/paperless/pwFile.age | 23 ++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 modules/services/nas/paperless.nix
 create mode 100644 secrets/services/paperless/pwFile.age

diff --git a/modules/services/nas/paperless.nix b/modules/services/nas/paperless.nix
new file mode 100644
index 0000000..d41399b
--- /dev/null
+++ b/modules/services/nas/paperless.nix
@@ -0,0 +1,39 @@
+#
+# System notifications
+#
+
+{ config, lib, pkgs, ... }:
+
+{
+  services.paperless = {
+    enable = true;
+    domain = "paperless.home.opel-online.de";
+    passwordFile = config.age.secrets."services/paperless/pwFile".path;
+#    environmentFile = config.age.secrets."services/paperless/environment".path;
+    configureTika = true;
+    configureNginx = true;
+    settings = {
+      PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      PAPERLESS_OCR_USER_ARGS = {
+        optimize = 1;
+        pdfa_image_compression = "lossless";
+      };
+    };
+  };
+
+#  services.nginx = {
+#    virtualHosts = {
+#      "vault.home.opel-online.de" = {
+#        useACMEHost = "home.opel-online.de";
+#        forceSSL = true;
+#        locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+#      };
+#    };
+#  };
+
+  age.secrets."services/paperless/pwFile" = {
+      file = ../../../secrets/services/paperless/pwFile.age;
+      owner = "paperless";
+  };
+
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 011c871..e3cb58b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -78,6 +78,7 @@ in
         "services/gitea/homerunner-token.age".publicKeys = homerunners ++ users;
         "services/gitea/serverrunner-token.age".publicKeys = serverrunners ++ users;
         "services/vaultwarden/environment.age".publicKeys = homeServices ++ users;
+        "services/paperless/pwFile.age".publicKeys = homeServices ++ users;
         "services/acme/opel-online.age".publicKeys = homeServices ++ users;
         "keys/nixremote.age".publicKeys = buildClients ++ users;
         "keys/nixservepriv.age".publicKeys = buildServer ++ users;
diff --git a/secrets/services/paperless/pwFile.age b/secrets/services/paperless/pwFile.age
new file mode 100644
index 0000000..30fff5e
--- /dev/null
+++ b/secrets/services/paperless/pwFile.age
@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-ed25519 0HRtjQ VXL0uR1pGE0jy2yyh4sfPAmcWixg4WH+SlZofrNrwFw
+Onp98kfyVRN3AQmmTeFnNIobyVElH+LuL98fyMX7r1M
+-> ssh-ed25519 NNXygQ luAZgAeAteKM0Ot8R/9TyOSjmtLoIo4goqJG+slbESw
+UmUO/oczJACbxYW5TTvGEj9cOZAZWNLZPaqrZm3PAY8
+-> ssh-rsa VtjGpQ
+bCol9jL3GawYKcDhzbyNlWpCJvoPKlGyUjYXDjLWp3Cf0vDrTG4UjqSUibOuJXPJ
+AotSZ74084qsaBR8ZMsDCmufWUffQXf2uO43HEZnSOn2piPbrzwg4Zpeol5HanE3
+x23gh2pHuGhv0YIqaDfvqKsbaZYnvtqRqvDagpyzsuSDQiqFfGlZYq4pfLUhCrLH
+0hS1zWu+RYtbw/oKyDRdDQoFMV06wh64u84Xc6sYQEKBKBtXqMbxUQMAygHfMthY
+LMNYQsD8N8b4Oy8gs1KmN2XBggyLzGd8IKIPPvpFtg6L3EK+zf6Z2mP8oqjbxhLQ
+kBZbj6MDu/jgdIfHaf/qczVcnN6h+q/pEMzWQdHPlepnET6fC3RwhXY710t3rbvH
+uXGP1QUhyPrREiJdj9ywRXenwXkwBR7MSkpL0BsGtzpZMwIi9FOXCsjGNuLzpYaS
+tyzLLVTK2PFMzwS2UdQJNlAvS5eFNSJx6mzBOj7ibwbNCnXJQF6UBLEZ8sXxousn
+QU1OC8mckGhGrTfxO4kRAvuBc8wSjgISiAnsYJbh+M9uFab0+I/XeFDqdolMtgYF
+hvAleBFEI+Nj9MYwgXxubuAZrbBDcWeo7NQeJ8YWzgPrAWx6tO0WMf1hZYUfXRNb
+FiqZ6sgOpJIVoEU3F/23M0bfrxykR3ETWzxVy+LsCag
+-> piv-p256 grR75w AgF5/hbp1fXzVWfyoKyiXer9FiUevRaciJ3dXplFdAcU
+PaK3Ew5wp+UgHZ7qyejdUvR2ApAuT/jNeXiHy09gvV4
+-> piv-p256 RQguQQ AoYM8az53+oaFoRsv1pyFrne790vcUROTkN8/ul5nuX7
+UtW0GRfJZRy202cmNbvEFdTmXfOw8BQblepZbUy6dGs
+--- NG0ZJUpSLj2Oca6xNXwaiXDacJgiY+ZFNc60kua0RWY
+J�-"�w���)�ܢ$����~
�Ѻ4bp)��V*�
��*L=qAwV0�&��;
\ No newline at end of file