Move nspawn containers into nspawn directory

2026-01-21 23:11:34 +01:00 · 2024-09-16 20:41:43 +02:00 · 2024-09-16 20:41:43 +02:00 · 5b1fc56176
commit 5b1fc56176
parent be488a91a7
14 changed files with 2 additions and 1 deletions
--- a/hosts/stratus/containers/nspawn/paperless/backup.nix
+++ b/hosts/stratus/containers/nspawn/paperless/backup.nix
@ -0,0 +1,43 @@
+{
+  config,
+  pkgs,
+  lib,
+  dataDir,
+  ...
+}:
+{
+  systemd.tmpfiles.rules = [ "d ${dataDir}/backup 700 paperless paperless -" ];
+
+  users.users.paperless.extraGroups = [ "redis-paperless" ];
+
+  myConfig.resticBackup.paperless = {
+    enable = true;
+    user = config.users.users.paperless.name;
+    healthchecks.enable = true;
+
+    extraConfig = {
+      backupPrepareCommand = ''
+        ${dataDir}/paperless-manage document_exporter ${dataDir}/backup ${
+          lib.concatStringsSep " " [
+            "--compare-checksums"
+            "--delete"
+            "--split-manifest"
+            "--use-filename-format"
+            "--no-progress-bar"
+          ]
+        }
+      '';
+      paths = [ "${dataDir}/backup" ];
+    };
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeShellApplication {
+      name = "paperless-restore";
+      text = ''
+        sudo -u paperless restic-paperless restore --target / latest
+        sudo -u paperless ${dataDir}/paperless-manage document_importer ${dataDir}/backup
+      '';
+    })
+  ];
+}
--- a/hosts/stratus/containers/nspawn/paperless/default.nix
+++ b/hosts/stratus/containers/nspawn/paperless/default.nix
@ -0,0 +1,22 @@
+{
+  containers.paperless.config =
+    {
+      config,
+      dataDir,
+      ...
+    }:
+    {
+      imports = [ ./backup.nix ];
+
+      sops.secrets."paperless-admin-password" = { };
+
+      services.paperless = {
+        enable = true;
+        inherit dataDir;
+        passwordFile = config.sops.secrets."paperless-admin-password".path;
+        settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
+      };
+
+      myConfig.tailscale.serve = "28981";
+    };
+}
--- a/hosts/stratus/containers/nspawn/paperless/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/paperless/secrets.yaml
@ -0,0 +1,35 @@
+tailscale-auth-key: ENC[AES256_GCM,data:qXVu6U3gcDUq0+eWAtgFn8CZja9Dc4r3z7qZoaAqDm7r8uqpZsZ7JaX3AIBeipvRrBG11IDabP5DM38D8PQ=,iv:FKf7duFw+cV1wH2fd2oDNkbuokuQxgOW0gHgR+oSc7U=,tag:1aOb8XOL61cn/ESW3I/ocQ==,type:str]
+paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jMIJNbqEo7IcHDYwvTmQnArYdt2PR9tp8coOXCZHkQw=,tag:kCejUFStTuosRblkbQMdew==,type:str]
+restic:
+  environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
+  password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
+healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
+        WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
+        WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
+        dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
+        8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
+        -----END AGE ENCRYPTED FILE-----
+    - recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
+        UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
+        VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
+        cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
+        tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-14T10:14:08Z"
+  mac: ENC[AES256_GCM,data:f4Qi8ES+cZG9dBwVnOErmZ5FQZOpQ5aoU60CEvD/TlLpdnQ/V/ZbiAq0xCP8VT1Jxas6szZaFaArxWrRWeFQsdhYUn+4CyNhABCe6MXllMHIN9gfmKAvE9LCz2UzgbCZkjprPFsGIKusSzDZhSaNe5azI9TQaHdqG2T0eLKrkpc=,iv:L5tBbbOC3/3YQJqFSZk/SpaYll89bWXb1pdE2eAF2G0=,tag:8FbE7yrdlo/d1NXnwAuArQ==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0