New mealie, paperless-ngx dirs

modules/backup.nix

@@ -141,6 +141,8 @@ in
         "${dataDir}/ntfy"
         # Eurovision Vote — SQLite DB with votes and rankings
         "/var/lib/eurovote"
+        "${dataDir}/paperless"
+        "${dataDir}/mealie"
       ];
 
       # Exclude Nextcloud's raw DB directory in favour of the pg_dump file
@@ -148,6 +150,8 @@ in
         "${dataDir}/nextcloud/db"
         "${dataDir}/restic-cache"
         "${dataDir}/media"
+        # consume dir holds unprocessed drop files; usually empty after ingestion
+        "${dataDir}/paperless/consume"
       ];
 
       timerConfig = {

modules/caddy.nix

@@ -257,6 +257,37 @@ in
           '';
         };
 
+        # ------------------------------------------------------------------
+        # Paperless — one_factor for all authenticated users (authelia policy).
+        # Authelia sets Remote-User; Caddy copies it to the upstream request;
+        # Paperless trusts HTTP_REMOTE_USER for automatic login (no separate
+        # Paperless login page shown).
+        # ------------------------------------------------------------------
+        "paperless.${domain}" = {
+          extraConfig = ''
+            ${autheliaForwardAuth}
+            reverse_proxy localhost:8083
+          '';
+        };
+        "http://paperless.${domain}" = {
+          extraConfig = ''
+            ${autheliaForwardAuth}
+            ${cfProxy 8083}
+          '';
+        };
+
+        # ------------------------------------------------------------------
+        # Mealie — no forward_auth; LDAP handles auth via Mealie's login page.
+        # ------------------------------------------------------------------
+        "mealie.${domain}" = {
+          extraConfig = ''
+            reverse_proxy localhost:9093
+          '';
+        };
+        "http://mealie.${domain}" = {
+          extraConfig = cfProxy 9093;
+        };
+
         # ------------------------------------------------------------------
         # Grafana — two_factor, admins only (enforced by authelia policy).
         # After Authelia verifies the user, Caddy maps the Remote-User header

modules/services/authelia.nix

@@ -144,6 +144,9 @@ let
         - domain:
             - "eurovision-vote.${domain}"
           policy: "one_factor"
+        - domain:
+            - "paperless.${domain}"
+          policy: "one_factor"
 
     notifier:
       filesystem:

modules/services/mealie.nix

@@ -0,0 +1,108 @@
+{ config, lib, pkgs, homeyConfig, ... }:
+
+# Mealie — recipe manager and meal planner.
+#
+# Auth model: LDAP. Users log in with the same uid/password as the rest of
+# the stack (OpenLDAP). No Authelia forward_auth — Mealie's own login page
+# handles authentication via django-auth-ldap.
+#
+# Volume layout:
+#   <dataDir>/mealie/data/  → /app/data  (SQLite DB, images, backups)
+#
+# Secrets consumed from sops:
+#   mealie/secret_key
+
+let
+  cfg     = config.homey.mealie;
+  dataDir = config.homey.storage.mountPoint;
+  domain  = homeyConfig.domain;
+
+  # LDAP base DN derived from domain (zakobar.com → dc=zakobar,dc=com)
+  ldapBaseDn = lib.concatStringsSep ","
+    (map (p: "dc=${p}") (lib.splitString "." domain));
+in
+{
+  options.homey.mealie = {
+    enable = lib.mkEnableOption "Mealie recipe manager";
+
+    image = lib.mkOption {
+      type    = lib.types.str;
+      default = "ghcr.io/mealie-recipes/mealie:latest";
+    };
+
+    port = lib.mkOption {
+      type    = lib.types.port;
+      default = 9093;
+      description = "Host port Mealie listens on (bound to 127.0.0.1).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # -----------------------------------------------------------------------
+    # Secrets
+    # -----------------------------------------------------------------------
+    sops.secrets."mealie/secret_key" = { owner = "root"; };
+
+    # -----------------------------------------------------------------------
+    # Container
+    # -----------------------------------------------------------------------
+    virtualisation.oci-containers.containers.mealie = {
+      image = cfg.image;
+      ports = [ "127.0.0.1:${toString cfg.port}:9000" ];
+
+      environment = {
+        BASE_URL     = "https://mealie.${domain}";
+        ALLOW_SIGNUP = "false";
+        TZ           = homeyConfig.timezone;
+
+        # LDAP auth — users log in with their LDAP uid and password.
+        # Mealie binds directly as the user (no service account needed).
+        LDAP_AUTH_ENABLED    = "true";
+        LDAP_SERVER_URL      = "ldap://openldap:389";
+        LDAP_ENABLE_STARTTLS = "false";
+        LDAP_BASE_DN         = "ou=users,${ldapBaseDn}";
+        LDAP_BIND_TEMPLATE   = "uid={username},ou=users,${ldapBaseDn}";
+        LDAP_ID_ATTRIBUTE    = "uid";
+        LDAP_NAME_ATTRIBUTE  = "cn";
+        LDAP_MAIL_ATTRIBUTE  = "mail";
+      };
+
+      environmentFiles = [ "/run/mealie-secrets.env" ];
+
+      volumes = [
+        "${dataDir}/mealie/data:/app/data"
+      ];
+
+      extraOptions = [ "--network=homey" ];
+    };
+
+    # -----------------------------------------------------------------------
+    # ExecStartPre: write ephemeral secrets env file
+    # -----------------------------------------------------------------------
+    systemd.services."podman-mealie" = {
+      serviceConfig = {
+        ExecStartPre = [
+          (pkgs.writeShellScript "mealie-write-secrets" ''
+            set -euo pipefail
+            install -m 600 /dev/null /run/mealie-secrets.env
+            printf '%s\n' \
+              "SECRET_KEY=$(cat ${config.sops.secrets."mealie/secret_key".path})" \
+              >> /run/mealie-secrets.env
+          '')
+        ];
+      };
+      postStop = "rm -f /run/mealie-secrets.env";
+      after    = lib.mkAfter [ "mnt-data.mount" "podman-openldap.service" "podman-homey-network.service" ];
+      requires = lib.mkAfter [ "mnt-data.mount" "podman-homey-network.service" ];
+    };
+
+    # -----------------------------------------------------------------------
+    # Uptime Kuma monitor
+    # -----------------------------------------------------------------------
+    homey.monitoring.monitors = [{
+      name     = "Mealie";
+      url      = "https://mealie.${domain}";
+      interval = 60;
+    }];
+  };
+}

modules/services/paperless.nix

@@ -0,0 +1,136 @@
+{ config, lib, pkgs, homeyConfig, ... }:
+
+# Paperless-ngx — document management with OCR.
+#
+# Auth model: HTTP Remote User SSO. Authelia authenticates via Caddy
+# forward_auth and sets the Remote-User header; Paperless trusts it and
+# auto-creates/logs in the user. No separate Paperless login needed.
+#
+# The admin user (set via homey.paperless.adminUser) is created as a
+# superuser on first start. Its password is randomly generated and never
+# used — all logins go through Authelia.
+#
+# Requires a Redis sidecar for Celery task workers.
+#
+# Volume layout:
+#   <dataDir>/paperless/data/     → /usr/src/paperless/data    (DB, index)
+#   <dataDir>/paperless/media/    → /usr/src/paperless/media   (document files)
+#   <dataDir>/paperless/consume/  → /usr/src/paperless/consume (drop folder)
+#   <dataDir>/paperless/export/   → /usr/src/paperless/export  (export output)
+#
+# Secrets consumed from sops:
+#   paperless/secret_key
+
+let
+  cfg     = config.homey.paperless;
+  dataDir = config.homey.storage.mountPoint;
+  domain  = homeyConfig.domain;
+in
+{
+  options.homey.paperless = {
+    enable = lib.mkEnableOption "Paperless-ngx document management";
+
+    image = lib.mkOption {
+      type    = lib.types.str;
+      default = "ghcr.io/paperless-ngx/paperless-ngx:latest";
+    };
+
+    redisImage = lib.mkOption {
+      type    = lib.types.str;
+      default = "docker.io/redis:7-alpine";
+    };
+
+    port = lib.mkOption {
+      type    = lib.types.port;
+      default = 8083;
+      description = "Host port Paperless listens on (bound to 127.0.0.1).";
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+    # -----------------------------------------------------------------------
+    # Secrets
+    # -----------------------------------------------------------------------
+    sops.secrets."paperless/secret_key" = { owner = "root"; };
+
+    # -----------------------------------------------------------------------
+    # Redis — Celery task queue, stateless (no persistent storage)
+    # -----------------------------------------------------------------------
+    virtualisation.oci-containers.containers.paperless-redis = {
+      image        = cfg.redisImage;
+      extraOptions = [ "--network=homey" ];
+    };
+
+    systemd.services."podman-paperless-redis" = {
+      after    = lib.mkAfter [ "podman-homey-network.service" ];
+      requires = lib.mkAfter [ "podman-homey-network.service" ];
+    };
+
+    # -----------------------------------------------------------------------
+    # Paperless container
+    # -----------------------------------------------------------------------
+    virtualisation.oci-containers.containers.paperless = {
+      image = cfg.image;
+      ports = [ "127.0.0.1:${toString cfg.port}:8000" ];
+
+      environment = {
+        PAPERLESS_REDIS                        = "redis://paperless-redis:6379";
+        PAPERLESS_URL                          = "https://paperless.${domain}";
+        PAPERLESS_ALLOWED_HOSTS                = "paperless.${domain}";
+        PAPERLESS_CORS_ALLOWED_HOSTS           = "https://paperless.${domain}";
+        PAPERLESS_TIME_ZONE                    = homeyConfig.timezone;
+        PAPERLESS_OCR_LANGUAGE                 = "eng";
+        USERMAP_UID                            = "1000";
+        USERMAP_GID                            = "1000";
+
+        # SSO via Authelia: Caddy's forward_auth copies Remote-User from
+        # Authelia's response; Gunicorn/WSGI exposes it as HTTP_REMOTE_USER.
+        PAPERLESS_ENABLE_HTTP_REMOTE_USER      = "true";
+        PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME = "HTTP_REMOTE_USER";
+        # Redirect to Authelia on logout so the SSO session is also cleared.
+        PAPERLESS_LOGOUT_REDIRECT_URL          = "https://auth.${domain}";
+      };
+
+      environmentFiles = [ "/run/paperless-secrets.env" ];
+
+      volumes = [
+        "${dataDir}/paperless/data:/usr/src/paperless/data"
+        "${dataDir}/paperless/media:/usr/src/paperless/media"
+        "${dataDir}/paperless/consume:/usr/src/paperless/consume"
+        "${dataDir}/paperless/export:/usr/src/paperless/export"
+      ];
+
+      extraOptions = [ "--network=homey" ];
+    };
+
+    # -----------------------------------------------------------------------
+    # ExecStartPre: write ephemeral secrets env file
+    # -----------------------------------------------------------------------
+    systemd.services."podman-paperless" = {
+      serviceConfig = {
+        ExecStartPre = [
+          (pkgs.writeShellScript "paperless-write-secrets" ''
+            set -euo pipefail
+            install -m 600 /dev/null /run/paperless-secrets.env
+            printf '%s\n' \
+              "PAPERLESS_SECRET_KEY=$(cat ${config.sops.secrets."paperless/secret_key".path})" \
+              >> /run/paperless-secrets.env
+          '')
+        ];
+      };
+      postStop = "rm -f /run/paperless-secrets.env";
+      after    = lib.mkAfter [ "mnt-data.mount" "podman-paperless-redis.service" "podman-homey-network.service" ];
+      requires = lib.mkAfter [ "mnt-data.mount" "podman-paperless-redis.service" "podman-homey-network.service" ];
+    };
+
+    # -----------------------------------------------------------------------
+    # Uptime Kuma monitor
+    # -----------------------------------------------------------------------
+    homey.monitoring.monitors = [{
+      name     = "Paperless";
+      url      = "https://paperless.${domain}";
+      interval = 60;
+    }];
+  };
+}

modules/storage.nix

@@ -110,6 +110,14 @@ in
       "d ${cfg.mountPoint}/uptime-kuma                  0750 root    root    -"
       "d ${cfg.mountPoint}/ntfy                         0750 ntfy-sh ntfy-sh -"
       "d ${cfg.mountPoint}/ntfy/attachments             0750 ntfy-sh ntfy-sh -"
+      "d ${cfg.mountPoint}/paperless                     0750 root root -"
+      # Paperless runs as UID 1000 (configured via USERMAP_UID)
+      "d ${cfg.mountPoint}/paperless/data               0750 1000 1000 -"
+      "d ${cfg.mountPoint}/paperless/media              0750 1000 1000 -"
+      "d ${cfg.mountPoint}/paperless/consume            0750 1000 1000 -"
+      "d ${cfg.mountPoint}/paperless/export             0750 1000 1000 -"
+      "d ${cfg.mountPoint}/mealie                       0750 root root -"
+      "d ${cfg.mountPoint}/mealie/data                  0755 root root -"
       "d ${cfg.mountPoint}/restic-cache                  0700 root root -"
     ];
   };