nixos/hosts/faunus-ater/modules/paperless.nix

{
  pkgs,
  config,
  ...
}: {
  services.paperless = {
    enable = true;
    address = "0.0.0.0";
    port = config.state.services.doc.port;
    passwordFile = config.sops.secrets."paperless-admin-password".path;
    dataDir = "/data/dirty/paperless";
    settings = {
      PAPERLESS_CONSUMER_DELETE_DUPLICATES = true;
      PAPERLESS_CONSUMER_RECURSIVE = true;
      PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
      PAPERLESS_FILENAME_FORMAT = "{created_year}/{correspondent}/{created_year}-{created_month}-{created_day}-{document_type}-{title}-{tag_list}";
      PAPERLESS_OCR_LANGUAGE = "deu";
      PAPERLESS_OCR_USER_ARGS = "{\"invalidate_digital_signatures\": true}";
      PAPERLESS_URL = "https://doc.tammena.me";
    };
  };

  # Configure nginx reverse proxy
  services.nginx.virtualHosts."doc.tammena.me" = {
    addSSL = true;
    sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../../../secrets/ca.crt);
    sslCertificateKey = config.sops.secrets."certificate-key-doc-tammena-me".path;
    sslCertificate = pkgs.writeText "doc-tammena-me.crt" (builtins.readFile ../../../secrets/pub/doc-tammena-me.crt);

    serverAliases = [
      "doc.home"
    ];

    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString config.services.paperless.port}";
      proxyWebsockets = true;
    };
  };

  # Secrets
  sops.secrets = {
    "certificate-key-doc-tammena-me" = {
      owner = config.users.users.nginx.name;
      mode = "0400";
    };
    "paperless-admin-password" = {};
  };
}