From ce5e907ed842921af32284968acecb69e2de38d4 Mon Sep 17 00:00:00 2001
From: yuri
Date: Mon, 25 Sep 2023 01:35:11 +0200
Subject: [PATCH] Setup paperless host and reverse proxy for acme http challange
---
 .../hosts/mail-1/simple-nixos-mailserver.nix | 3 --
 config/hosts/paperless/configuration.nix | 17 ++++++++++
 config/hosts/paperless/default.nix | 9 ++++++
 .../paperless/hardware-configuration.nix | 30 ++++++++++++++++++
 config/hosts/paperless/nginx.nix | 31 +++++++++++++++++++
 config/hosts/paperless/paperless.nix | 8 +++++
 config/hosts/paperless/secrets.nix | 19 ++++++++++++
 config/hosts/web-public-1/configuration.nix | 17 ++++++++++
 config/hosts/web-public-1/default.nix | 7 +++++
 config/hosts/web-public-1/nginx.nix | 10 ++++++
 .../virtualHosts/acme-challenge.nix | 12 +++++++
 .../web-public-1/virtualHosts/default.nix | 16 ++++++++++
 hosts.nix | 8 +++++
 13 files changed, 184 insertions(+), 3 deletions(-)
 create mode 100644 config/hosts/paperless/configuration.nix
 create mode 100644 config/hosts/paperless/default.nix
 create mode 100644 config/hosts/paperless/hardware-configuration.nix
 create mode 100644 config/hosts/paperless/nginx.nix
 create mode 100644 config/hosts/paperless/paperless.nix
 create mode 100644 config/hosts/paperless/secrets.nix
 create mode 100644 config/hosts/web-public-1/configuration.nix
 create mode 100644 config/hosts/web-public-1/default.nix
 create mode 100644 config/hosts/web-public-1/nginx.nix
 create mode 100644 config/hosts/web-public-1/virtualHosts/acme-challenge.nix
 create mode 100644 config/hosts/web-public-1/virtualHosts/default.nix
diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix
index 126b0dc..81fa130 100644
--- a/config/hosts/mail-1/simple-nixos-mailserver.nix
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@@ -10,10 +10,7 @@
 enableImapSsl = true;
 enableSubmission = false;
 enableSubmissionSsl = true;
-<<<<<<< HEAD
 lmtpSaveToDetailMailbox = "no";
-=======
->>>>>>> 634557c (Change mail config of services to use new mail server)
 domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
 loginAccounts = {
 "fiona@grzb.de" = {
diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix
new file mode 100644
index 0000000..494f08c
--- /dev/null
+++ b/config/hosts/paperless/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "paperless";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix
new file mode 100644
index 0000000..e6ebeed
--- /dev/null
+++ b/config/hosts/paperless/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./nginx.nix
+ ./paperless.nix
+ ];
+}
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix
new file mode 100644
index 0000000..69684c1
--- /dev/null
+++ b/config/hosts/paperless/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+ fileSystems = {
+ "/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoFormat = true;
+ autoResize = true;
+ };
+ "/mnt/paperless-consume" = {
+ device = "//10.201.40.10/paperless-consume";
+ fsType = "cifs";
+ options = [
+ "username=paperless"
+ "credentials=/secrets/paperless-samba-credentials.secret"
+ "iocharset=utf8"
+ "vers=3.1.1"
+ "uid=paperless"
+ "gid=paperless"
+ "_netdev"
+ ];
+ };
+ "/var/lib/paperless" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/paperless";
+ fsType = "none";
+ options = [ "bind" "X-mount.owner=paperless" "X-mount.group=paperless" ];
+ };
+ };
+}
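Review bot: The CIFS mount of /mnt/paperless-consume in hardware-configuration.nix negotiates SMB 3.1.1 but never requests transport encryption, so the scanned documents it pulls from //10.201.40.10 cross the network in clear text unless the server side enforces encryption on its own; adding `"seal"` to the options list asks for SMB-layer encryption on that session. `autoFormat = true` on the /mnt/data volume also means a detached or relabelled disk gets formatted at boot instead of failing the mount, which is a data-loss trap for the bind-mounted /var/lib/paperless; a comment such as `# autoFormat is only meant for first provisioning; remove once the volume exists` would record whether that is intended. The `username=paperless` option duplicates what the credentials file carries and is not needed once that file is present.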
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix
new file mode 100644
index 0000000..e4a2131
--- /dev/null
+++ b/config/hosts/paperless/nginx.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."paperless.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ '';
+ };
+ extraConfig = ''
+ client_max_body_size 100M;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix
new file mode 100644
index 0000000..1def83d
--- /dev/null
+++ b/config/hosts/paperless/paperless.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.paperless = {
+ enable = true;
+ consumptionDir = "/mnt/paperless-consume";
+ passwordFile = "/secrets/paperless-admin-password.secret";
+ };
+}
diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix
new file mode 100644
index 0000000..92a8b1d
--- /dev/null
+++ b/config/hosts/paperless/secrets.nix
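Review bot: The proxied location in nginx.nix forwards neither Host nor X-Forwarded-* headers, because neither `recommendedProxySettings = true` nor explicit proxy_set_header lines appear, so paperless sees every request as plain HTTP to its loopback address and Django's CSRF origin check is likely to reject form logins arriving via https://paperless.grzb.de. Setting `services.nginx.recommendedProxySettings = true;` on this host and, in paperless.nix, `extraConfig.PAPERLESS_URL = "https://paperless.grzb.de";` tells the application its real public origin. Whether `security.acme.acceptTerms` and a contact email are configured elsewhere for the `enableACME = true` vhost is not visible in this patch; if they are not, the host will fail evaluation.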
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."paperless-admin-password.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ];
+ destDir = "/secrets";
+ user = "paperless";
+ group = "paperless";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."paperless-samba-credentials.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix
new file mode 100644
index 0000000..7f3b8fa
--- /dev/null
+++ b/config/hosts/web-public-1/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "web-public-1";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix
new file mode 100644
index 0000000..3db73ca
--- /dev/null
+++ b/config/hosts/web-public-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix
new file mode 100644
index 0000000..0453a73
--- /dev/null
+++ b/config/hosts/web-public-1/nginx.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ imports = [
+ ./virtualHosts
+ ];
+
+ services.nginx = {
+ enable = true;
+ };
+}
diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
new file mode 100644
index 0000000..fd1e474
--- /dev/null
+++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
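Review bot: secrets.nix is not listed in the imports of config/hosts/paperless/default.nix, so unless the deployment layer in hosts.nix pulls in every host's secrets.nix by convention, the two `deployment.keys` entries here are never evaluated and /secrets/paperless-admin-password.secret and /secrets/paperless-samba-credentials.secret will be absent when paperless.nix and the CIFS mount need them. Adding `./secrets.nix` to that imports list, or a one-line comment at the top of secrets.nix naming where it is wired in, would make the intent checkable. The ownership split itself looks right: the admin password is readable only by the paperless user, and the samba credentials stay root-only, which is all mount.cifs needs.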
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ services.nginx.virtualHosts."paperless.grzb.de" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."^~ /.well-known/acme-challenge/" = {
+ proxyPass = "http://paperless.wg.grzb.de:80";
+ };
+ };
+}
diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix
new file mode 100644
index 0000000..e191a9c
--- /dev/null
+++ b/config/hosts/web-public-1/virtualHosts/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ imports = [
+ ./acme-challenge.nix
+ ];
+
+ services.nginx.virtualHosts."_" = {
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ }];
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
+ };
+}
diff --git a/hosts.nix b/hosts.nix
index 195a247..ab78a2d 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -77,6 +77,10 @@ in
 site = "vs";
 environment = "proxmox";
 };
+ paperless = {
+ site = "wg";
+ environment = "proxmox";
+ };
 coturn = {
 site = "vs";
 environment = "proxmox";
@@ -89,6 +93,10 @@ in
 site = "af";
 environment = "openstack";
 };
+ web-public-1 = {
+ site = "wg";
+ environment = "proxmox";
+ };
 web-public-2 = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
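Review bot: The challenge forwarder in acme-challenge.nix relies on nginx's default of sending the upstream name paperless.wg.grzb.de as the Host header, which only reaches the right server block on the paperless host today because paperless.grzb.de is its sole vhost and therefore the default server; adding `extraConfig = "proxy_set_header Host $host;";` to that location keeps the challenge routed correctly once another vhost exists there. Nothing in this patch routes port 443 for paperless.grzb.de to the paperless host, so unless that is handled outside nginx, clients sent to https://$host by the catch-all `_` redirect in default.nix will not reach the service. The catch-all vhost itself is fine: it answers only on port 80 and never serves content.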