Everything changed - major rewrite

modules/services/paperless.nix

@@ -12,6 +12,12 @@
 #
 # Requires a Redis sidecar for Celery task workers.
 #
+# iOS Shortcut upload: POST /api/documents/post_document/ with
+# Authorization: Token <token>. Generate a dedicated token in the Paperless
+# web UI (Profile → API Auth Token) and use it only for the Shortcut so it
+# can be revoked independently. The /api/documents/post_document/ path bypasses
+# Authelia (see accessControlRules below) — all other paths remain behind one_factor.
+#
 # Volume layout:
 #   <dataDir>/paperless/data/     → /usr/src/paperless/data    (DB, index)
 #   <dataDir>/paperless/media/    → /usr/src/paperless/media   (document files)
@@ -124,6 +130,16 @@ in
       requires = lib.mkAfter [ "mnt-data.mount" "podman-paperless-redis.service" "podman-homey-network.service" ];
     };
 
+    # -----------------------------------------------------------------------
+    # Authelia access control — bypass the upload API so token-authenticated
+    # clients (e.g. iOS Shortcut) can POST without an Authelia session;
+    # all other paths require one_factor.
+    # -----------------------------------------------------------------------
+    homey.authelia.accessControlRules = [
+      { priority = 70; domain = [ "paperless.${domain}" ]; resources = [ "^/api/documents/post_document/$" ]; policy = "bypass"; }
+      { priority = 71; domain = [ "paperless.${domain}" ]; policy = "one_factor"; }
+    ];
+
     # -----------------------------------------------------------------------
     # Caddy virtual host — forward_auth; Remote-User passed to Paperless for SSO
     # -----------------------------------------------------------------------