From 171ff2f3bc7481ca86663637a680c1b04f6640dd Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Wed, 20 May 2026 23:09:21 +0300 Subject: [PATCH] New mealie, paperless-ngx dirs --- README.org | 12 +++ flake.nix | 2 + hosts/pi-main/default.nix | 4 + modules/backup.nix | 4 + modules/caddy.nix | 31 ++++++++ modules/services/authelia.nix | 3 + modules/services/mealie.nix | 108 ++++++++++++++++++++++++++ modules/services/paperless.nix | 136 +++++++++++++++++++++++++++++++++ modules/storage.nix | 8 ++ secrets/secrets.yaml | 8 +- 10 files changed, 314 insertions(+), 2 deletions(-) create mode 100644 modules/services/mealie.nix create mode 100644 modules/services/paperless.nix diff --git a/README.org b/README.org index d425c23..89006e3 100644 --- a/README.org +++ b/README.org @@ -132,6 +132,18 @@ rollback if activation fails. Some services require manual one-time configuration after the first deploy. +** Nix build directory + +The nix daemon is configured to use =/mnt/data/nix-build= for sandbox +builds instead of the default =/tmp= (which is a small RAM-backed tmpfs). +This directory must be created manually once — =systemd-tmpfiles= will +maintain it on subsequent boots but cannot create it on the very first deploy +because the nix build itself needs the directory to already exist. + +#+begin_src bash +sudo mkdir -p /mnt/data/nix-build +#+end_src + ** Ntfy — push notifications Ntfy's admin user is created automatically from sops on first start. diff --git a/flake.nix b/flake.nix index 6c9c474..45a06e5 100644 --- a/flake.nix +++ b/flake.nix @@ -77,6 +77,8 @@ ./modules/services/jellyfin.nix ./modules/services/transmission.nix ./modules/services/gitea-runner.nix + ./modules/services/paperless.nix + ./modules/services/mealie.nix ./modules/services/uptime-kuma.nix ./modules/services/ntfy.nix ./modules/monitoring.nix diff --git a/hosts/pi-main/default.nix b/hosts/pi-main/default.nix index 2f75a1f..5d86ef7 100644 --- a/hosts/pi-main/default.nix +++ b/hosts/pi-main/default.nix @@ -88,6 +88,10 @@ homey.jellyfin.enable = false; homey.transmission.enable = false; + # Documents and recipes + homey.paperless.enable = true; + homey.mealie.enable = true; + # Reverse proxy + Cloudflare homey.caddy.enable = true; homey.cloudflared.enable = true; diff --git a/modules/backup.nix b/modules/backup.nix index 0432f76..d0fb14d 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -141,6 +141,8 @@ in "${dataDir}/ntfy" # Eurovision Vote — SQLite DB with votes and rankings "/var/lib/eurovote" + "${dataDir}/paperless" + "${dataDir}/mealie" ]; # Exclude Nextcloud's raw DB directory in favour of the pg_dump file @@ -148,6 +150,8 @@ in "${dataDir}/nextcloud/db" "${dataDir}/restic-cache" "${dataDir}/media" + # consume dir holds unprocessed drop files; usually empty after ingestion + "${dataDir}/paperless/consume" ]; timerConfig = { diff --git a/modules/caddy.nix b/modules/caddy.nix index f11a0c1..6bb9019 100644 --- a/modules/caddy.nix +++ b/modules/caddy.nix @@ -257,6 +257,37 @@ in ''; }; + # ------------------------------------------------------------------ + # Paperless — one_factor for all authenticated users (authelia policy). + # Authelia sets Remote-User; Caddy copies it to the upstream request; + # Paperless trusts HTTP_REMOTE_USER for automatic login (no separate + # Paperless login page shown). + # ------------------------------------------------------------------ + "paperless.${domain}" = { + extraConfig = '' + ${autheliaForwardAuth} + reverse_proxy localhost:8083 + ''; + }; + "http://paperless.${domain}" = { + extraConfig = '' + ${autheliaForwardAuth} + ${cfProxy 8083} + ''; + }; + + # ------------------------------------------------------------------ + # Mealie — no forward_auth; LDAP handles auth via Mealie's login page. + # ------------------------------------------------------------------ + "mealie.${domain}" = { + extraConfig = '' + reverse_proxy localhost:9093 + ''; + }; + "http://mealie.${domain}" = { + extraConfig = cfProxy 9093; + }; + # ------------------------------------------------------------------ # Grafana — two_factor, admins only (enforced by authelia policy). # After Authelia verifies the user, Caddy maps the Remote-User header diff --git a/modules/services/authelia.nix b/modules/services/authelia.nix index 0c36cbf..c4c73b7 100644 --- a/modules/services/authelia.nix +++ b/modules/services/authelia.nix @@ -144,6 +144,9 @@ let - domain: - "eurovision-vote.${domain}" policy: "one_factor" + - domain: + - "paperless.${domain}" + policy: "one_factor" notifier: filesystem: diff --git a/modules/services/mealie.nix b/modules/services/mealie.nix new file mode 100644 index 0000000..54dcff0 --- /dev/null +++ b/modules/services/mealie.nix @@ -0,0 +1,108 @@ +{ config, lib, pkgs, homeyConfig, ... }: + +# Mealie — recipe manager and meal planner. +# +# Auth model: LDAP. Users log in with the same uid/password as the rest of +# the stack (OpenLDAP). No Authelia forward_auth — Mealie's own login page +# handles authentication via django-auth-ldap. +# +# Volume layout: +# /mealie/data/ → /app/data (SQLite DB, images, backups) +# +# Secrets consumed from sops: +# mealie/secret_key + +let + cfg = config.homey.mealie; + dataDir = config.homey.storage.mountPoint; + domain = homeyConfig.domain; + + # LDAP base DN derived from domain (zakobar.com → dc=zakobar,dc=com) + ldapBaseDn = lib.concatStringsSep "," + (map (p: "dc=${p}") (lib.splitString "." domain)); +in +{ + options.homey.mealie = { + enable = lib.mkEnableOption "Mealie recipe manager"; + + image = lib.mkOption { + type = lib.types.str; + default = "ghcr.io/mealie-recipes/mealie:latest"; + }; + + port = lib.mkOption { + type = lib.types.port; + default = 9093; + description = "Host port Mealie listens on (bound to 127.0.0.1)."; + }; + }; + + config = lib.mkIf cfg.enable { + # ----------------------------------------------------------------------- + # Secrets + # ----------------------------------------------------------------------- + sops.secrets."mealie/secret_key" = { owner = "root"; }; + + # ----------------------------------------------------------------------- + # Container + # ----------------------------------------------------------------------- + virtualisation.oci-containers.containers.mealie = { + image = cfg.image; + ports = [ "127.0.0.1:${toString cfg.port}:9000" ]; + + environment = { + BASE_URL = "https://mealie.${domain}"; + ALLOW_SIGNUP = "false"; + TZ = homeyConfig.timezone; + + # LDAP auth — users log in with their LDAP uid and password. + # Mealie binds directly as the user (no service account needed). + LDAP_AUTH_ENABLED = "true"; + LDAP_SERVER_URL = "ldap://openldap:389"; + LDAP_ENABLE_STARTTLS = "false"; + LDAP_BASE_DN = "ou=users,${ldapBaseDn}"; + LDAP_BIND_TEMPLATE = "uid={username},ou=users,${ldapBaseDn}"; + LDAP_ID_ATTRIBUTE = "uid"; + LDAP_NAME_ATTRIBUTE = "cn"; + LDAP_MAIL_ATTRIBUTE = "mail"; + }; + + environmentFiles = [ "/run/mealie-secrets.env" ]; + + volumes = [ + "${dataDir}/mealie/data:/app/data" + ]; + + extraOptions = [ "--network=homey" ]; + }; + + # ----------------------------------------------------------------------- + # ExecStartPre: write ephemeral secrets env file + # ----------------------------------------------------------------------- + systemd.services."podman-mealie" = { + serviceConfig = { + ExecStartPre = [ + (pkgs.writeShellScript "mealie-write-secrets" '' + set -euo pipefail + install -m 600 /dev/null /run/mealie-secrets.env + printf '%s\n' \ + "SECRET_KEY=$(cat ${config.sops.secrets."mealie/secret_key".path})" \ + >> /run/mealie-secrets.env + '') + ]; + }; + postStop = "rm -f /run/mealie-secrets.env"; + after = lib.mkAfter [ "mnt-data.mount" "podman-openldap.service" "podman-homey-network.service" ]; + requires = lib.mkAfter [ "mnt-data.mount" "podman-homey-network.service" ]; + }; + + # ----------------------------------------------------------------------- + # Uptime Kuma monitor + # ----------------------------------------------------------------------- + homey.monitoring.monitors = [{ + name = "Mealie"; + url = "https://mealie.${domain}"; + interval = 60; + }]; + }; +} diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix new file mode 100644 index 0000000..f9ba02f --- /dev/null +++ b/modules/services/paperless.nix @@ -0,0 +1,136 @@ +{ config, lib, pkgs, homeyConfig, ... }: + +# Paperless-ngx — document management with OCR. +# +# Auth model: HTTP Remote User SSO. Authelia authenticates via Caddy +# forward_auth and sets the Remote-User header; Paperless trusts it and +# auto-creates/logs in the user. No separate Paperless login needed. +# +# The admin user (set via homey.paperless.adminUser) is created as a +# superuser on first start. Its password is randomly generated and never +# used — all logins go through Authelia. +# +# Requires a Redis sidecar for Celery task workers. +# +# Volume layout: +# /paperless/data/ → /usr/src/paperless/data (DB, index) +# /paperless/media/ → /usr/src/paperless/media (document files) +# /paperless/consume/ → /usr/src/paperless/consume (drop folder) +# /paperless/export/ → /usr/src/paperless/export (export output) +# +# Secrets consumed from sops: +# paperless/secret_key + +let + cfg = config.homey.paperless; + dataDir = config.homey.storage.mountPoint; + domain = homeyConfig.domain; +in +{ + options.homey.paperless = { + enable = lib.mkEnableOption "Paperless-ngx document management"; + + image = lib.mkOption { + type = lib.types.str; + default = "ghcr.io/paperless-ngx/paperless-ngx:latest"; + }; + + redisImage = lib.mkOption { + type = lib.types.str; + default = "docker.io/redis:7-alpine"; + }; + + port = lib.mkOption { + type = lib.types.port; + default = 8083; + description = "Host port Paperless listens on (bound to 127.0.0.1)."; + }; + + }; + + config = lib.mkIf cfg.enable { + # ----------------------------------------------------------------------- + # Secrets + # ----------------------------------------------------------------------- + sops.secrets."paperless/secret_key" = { owner = "root"; }; + + # ----------------------------------------------------------------------- + # Redis — Celery task queue, stateless (no persistent storage) + # ----------------------------------------------------------------------- + virtualisation.oci-containers.containers.paperless-redis = { + image = cfg.redisImage; + extraOptions = [ "--network=homey" ]; + }; + + systemd.services."podman-paperless-redis" = { + after = lib.mkAfter [ "podman-homey-network.service" ]; + requires = lib.mkAfter [ "podman-homey-network.service" ]; + }; + + # ----------------------------------------------------------------------- + # Paperless container + # ----------------------------------------------------------------------- + virtualisation.oci-containers.containers.paperless = { + image = cfg.image; + ports = [ "127.0.0.1:${toString cfg.port}:8000" ]; + + environment = { + PAPERLESS_REDIS = "redis://paperless-redis:6379"; + PAPERLESS_URL = "https://paperless.${domain}"; + PAPERLESS_ALLOWED_HOSTS = "paperless.${domain}"; + PAPERLESS_CORS_ALLOWED_HOSTS = "https://paperless.${domain}"; + PAPERLESS_TIME_ZONE = homeyConfig.timezone; + PAPERLESS_OCR_LANGUAGE = "eng"; + USERMAP_UID = "1000"; + USERMAP_GID = "1000"; + + # SSO via Authelia: Caddy's forward_auth copies Remote-User from + # Authelia's response; Gunicorn/WSGI exposes it as HTTP_REMOTE_USER. + PAPERLESS_ENABLE_HTTP_REMOTE_USER = "true"; + PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER"; + # Redirect to Authelia on logout so the SSO session is also cleared. + PAPERLESS_LOGOUT_REDIRECT_URL = "https://auth.${domain}"; + }; + + environmentFiles = [ "/run/paperless-secrets.env" ]; + + volumes = [ + "${dataDir}/paperless/data:/usr/src/paperless/data" + "${dataDir}/paperless/media:/usr/src/paperless/media" + "${dataDir}/paperless/consume:/usr/src/paperless/consume" + "${dataDir}/paperless/export:/usr/src/paperless/export" + ]; + + extraOptions = [ "--network=homey" ]; + }; + + # ----------------------------------------------------------------------- + # ExecStartPre: write ephemeral secrets env file + # ----------------------------------------------------------------------- + systemd.services."podman-paperless" = { + serviceConfig = { + ExecStartPre = [ + (pkgs.writeShellScript "paperless-write-secrets" '' + set -euo pipefail + install -m 600 /dev/null /run/paperless-secrets.env + printf '%s\n' \ + "PAPERLESS_SECRET_KEY=$(cat ${config.sops.secrets."paperless/secret_key".path})" \ + >> /run/paperless-secrets.env + '') + ]; + }; + postStop = "rm -f /run/paperless-secrets.env"; + after = lib.mkAfter [ "mnt-data.mount" "podman-paperless-redis.service" "podman-homey-network.service" ]; + requires = lib.mkAfter [ "mnt-data.mount" "podman-paperless-redis.service" "podman-homey-network.service" ]; + }; + + # ----------------------------------------------------------------------- + # Uptime Kuma monitor + # ----------------------------------------------------------------------- + homey.monitoring.monitors = [{ + name = "Paperless"; + url = "https://paperless.${domain}"; + interval = 60; + }]; + }; +} diff --git a/modules/storage.nix b/modules/storage.nix index 7fe3dbc..d688af1 100644 --- a/modules/storage.nix +++ b/modules/storage.nix @@ -110,6 +110,14 @@ in "d ${cfg.mountPoint}/uptime-kuma 0750 root root -" "d ${cfg.mountPoint}/ntfy 0750 ntfy-sh ntfy-sh -" "d ${cfg.mountPoint}/ntfy/attachments 0750 ntfy-sh ntfy-sh -" + "d ${cfg.mountPoint}/paperless 0750 root root -" + # Paperless runs as UID 1000 (configured via USERMAP_UID) + "d ${cfg.mountPoint}/paperless/data 0750 1000 1000 -" + "d ${cfg.mountPoint}/paperless/media 0750 1000 1000 -" + "d ${cfg.mountPoint}/paperless/consume 0750 1000 1000 -" + "d ${cfg.mountPoint}/paperless/export 0750 1000 1000 -" + "d ${cfg.mountPoint}/mealie 0750 root root -" + "d ${cfg.mountPoint}/mealie/data 0755 root root -" "d ${cfg.mountPoint}/restic-cache 0700 root root -" ]; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index d6e74ef..6d114e7 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -33,6 +33,10 @@ wifi: psk: ENC[AES256_GCM,data:znk9Wr+vsntzbJ3H0TORUrAiDw==,iv:wbl8fUuKlgTqhajwjlTgFS7ijaTwXBFPRW2AmtiTklg=,tag:IK4oe8cJcccPaQ0V0NlncQ==,type:str] eurovote: secret_key: ENC[AES256_GCM,data:Re9MTYA46ERXsxucT19K4Pj3rV5i74s8zQ/WYj6GlxeoN1r0Oit6PP0C3PY5Arp6Y6g=,iv:0BnuZ9Uv2RgDwlisrVSvg7ESmNZvd8trggQDSJ42ewM=,tag:SXW2hbprj2qSRzjKY3Aw3Q==,type:str] +paperless: + secret_key: ENC[AES256_GCM,data:jHbyLh4Yn0v7huw9oJiytMJ5KjifmEFsWh3u+YyOTlnm/M313dAigZItcX860oFVtZ8zZcuelUVAjcmIcl1LYw==,iv:PJhyXWa4r99dIXuKrEF+2wF9O8GEHIK8ereNQiXzO3Q=,tag:qDcPs3ulzjdQ2EUibo1Nlw==,type:str] +mealie: + secret_key: ENC[AES256_GCM,data:AmtyMMK2RMOy//o9G974wn5IcgZaqAn97OyNaY1AlMc5cCoydZhdAXymQ4RR8opWd+Oelx7vRcSscGJ0hTGakg==,iv:QH+iIbMoD33MAUraMTyuGghaWdjRBhypP9UEcEr9bL4=,tag:uHGW9OLqrDhRy+mnlfRmQA==,type:str] sops: age: - recipient: age120j8ty7nn04l3s3kgph5ty3v9g4e52fknn8xtnmzwakq9nv2la3skgte0p @@ -44,8 +48,8 @@ sops: QXVkRlJHeW52NFZFYnVwaW8ycytDSzAKZt+p5QnZKcEOBghHA2xkH6d7NObtTEoE wMwCYasnBHzy2unXRbZq/4v9NQ5HJd0Nu1iqbqKgIxMCD3dnxEdK7g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-13T20:49:38Z" - mac: ENC[AES256_GCM,data:2iQyp3U5KYCHIWvBsEyz8XFLTtQ5dN+2TF1gkFADFCyyJLAPWAxYPSH60d7fhJ5qhs7IJ7GV/N1J23JsXV+jyqS95foF9ThYT/wNeh4cAPGWB5RbnpP9RsYt8nCEIl/RHkkGmnS9HUO2HHpqo7hMUGRCHMLYMxJxHdPGrm+KHgA=,iv:D+x06308n14/xkRR9WvD6MYcORVM+crIH20+oHesHds=,tag:q7L7OyXEXThYFEkPrgzSBw==,type:str] + lastmodified: "2026-05-20T19:56:00Z" + mac: ENC[AES256_GCM,data:i/uXzipvkadRGHxj7sk593SyALHVdv8wjH74xBduCI3y1cgsMYhAzH2+zY2N6BZ2ymrrcEI1+bVr2JAsCRASZ62dKEc3+m9H0+6ydpb5hl9kK7fLpuxy2nntMhTPnHznquysF4cRZoZeUJ0bDudo8mnog7GYoDI8LUvqEXZR/M8=,iv:X5WugE4STQEZHhaq6OzJLpXUgk+imbZNLZnXl5J1jUw=,tag:IDmsFOJEikpQKqi97ZKngg==,type:str] pgp: - created_at: "2026-04-21T06:39:49Z" enc: |-