paperless service

inventories/default.nix

@@ -83,6 +83,13 @@
           };
           roles.default.machines.b4l = { };
         };
+        paperless = {
+          module = {
+            name = "paperless";
+            input = "self";
+          };
+          roles.default.machines.b4l = { };
+        };
       };
     };
   };

machines/b4l/services/paperless.nix

@@ -0,0 +1,67 @@
+{ config, pkgs, ... }:
+let
+  serviceName = "${config.networking.hostName}-paperless";
+  domain-name = "${
+    config.clan.core.vars.generators."${serviceName}".files.subdomain.value
+  }.${config.networking.fqdn}";
+in
+{
+  clan.core.vars.generators."${serviceName}" = {
+    files = {
+      subdomain.secret = false;
+      adminpassword = {
+        secret = true;
+        owner = config.services.paperless.user;
+        group = config.services.paperless.user;
+      };
+    };
+    prompts = {
+      subdomain = {
+        persist = true;
+        type = "line";
+        description = "Sub-domain for Paperless. Default:(paperless)";
+      };
+      adminpassword = {
+        persist = true;
+        type = "hidden";
+        description = "Password for the admin user. Leave empty to auto-generate.";
+      };
+    };
+
+    runtimeInputs = [
+      pkgs.xkcdpass
+      pkgs.coreutils
+    ];
+
+    script = ''
+      prompt_domain=$(cat "$prompts"/subdomain)
+      if [[ -n "''${prompt_domain-}" ]]; then
+        echo $prompt_domain | tr -d "\n" > "$out"/subdomain
+      else
+        echo -n "paperless" > "$out"/subdomain
+      fi
+
+      prompt_password=$(cat "$prompts"/adminpassword)
+      if [[ -n "''${prompt_password-}" ]]; then
+        echo "$prompt_password" | tr -d "\n" > "$out"/adminpassword
+      else
+        xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/adminpassword
+      fi
+    '';
+  };
+
+  environment.systemPackages = [ pkgs.toybox ];
+
+  services.paperless = {
+    passwordFile = config.clan.core.vars.generators."${serviceName}".files.adminpassword.path;
+  };
+
+  services.nginx.virtualHosts."${domain-name}" = {
+    forceSSL = true;
+    useACMEHost = "${config.networking.fqdn}";
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString config.services.paperless.port}";
+    };
+  };
+
+}

modules/clan/paperless/default.nix

@@ -0,0 +1,24 @@
+{ ... }:
+{
+  _class = "clan.service";
+  manifest.name = "paperless";
+  manifest.description = "A community-supported supercharged document management system: scan, index and archive all your documents";
+  manifest.categories = [ "System" ];
+
+  roles.default = {
+
+    perInstance.nixosModule =
+      {
+        lib,
+        config,
+        ...
+      }:
+      {
+        services.paperless = {
+          enable = lib.mkDefault true;
+        };
+
+        clan.core.state.paperless.folders = [ config.services.paperless.dataDir ];
+      };
+  };
+}

modules/clan/paperless/flake-module.nix

@@ -0,0 +1,19 @@
+{ lib, ... }:
+let
+  module = lib.modules.importApply ./default.nix { };
+in
+{
+  clan.modules = {
+    paperless = module;
+  };
+
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.paperless = {
+        imports = [ ./tests/vm/default.nix ];
+
+        clan.modules."@clan/paperless" = module;
+      };
+    };
+}

modules/clan/paperless/tests/vm/default.nix

@@ -0,0 +1,38 @@
+{
+  ...
+}:
+{
+  name = "service-paperless";
+
+  clan = {
+    directory = ./.;
+    inventory = {
+      machines.server = { };
+
+      instances = {
+        paperless-test = {
+          module.name = "@clan/paperless";
+          module.input = "self";
+          roles.default.machines."server".settings = { };
+        };
+      };
+    };
+  };
+
+  nodes = {
+    server = {
+      services.paperless = {
+      };
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    server.wait_for_unit("paperless-web")
+
+    server.succeed("systemctl status paperless-web")
+    server.wait_for_open_port(28981)
+    server.succeed("curl http://127.0.0.1:28981")
+  '';
+}

vars/per-machine/b4l/b4l-paperless/adminpassword/machines/b4l

@@ -0,0 +1 @@
+../../../../../../sops/machines/b4l

vars/per-machine/b4l/b4l-paperless/adminpassword/secret

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:NsbmiB/AWbAHRotImbG89mQjINxWyCYx5QJExqv9eVpnUg==,iv:VKGzSmYZkKQzG/Fvs3Lk6KBexqKzoVOCk33Lw0ovUjY=,tag:4kWuchFThyRuqIA/tpEL2A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxS3F6cmZQN0V0bXpSbnhJ\nQUVwa2U5cGVVLytJWjdKWnErN0tNNjFhaEJvCjRZMFFSNEdFMlY5Q2J2R0pURUt2\nMkpuWUNrT01waFVGSnhxeEF2VGhPT1kKLS0tIGNpdU4weCtza25kWExHVHJlTThw\ncXBEK2Z6RWs1ZVdjbjdPK051Yk5JVEEKrWBxciIubjp2CfLdSMuSoRaWoFEzh2Ni\nQgsFK4B/1k1nAt7hT6ihRHdaZLRGR3oZljD6obQuZt/CQX4XK/vhpA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMzN5cTlrdlZhaTNxaUQ4\neHhCQWR5QVBKMEVnclFtQ2dUYzZKTitJWHdJCkFOTXVldjRJSVhmb29MY0RHcEk4\ncGtYMHZUcUIzcE0zVlp6cE0rNUlYMVUKLS0tIFhuckdZb2tFcFNIcm9tQjVyckJm\nZFVleEp4cG1GMUdOT2lhcTNKanZGR0EKwAHiw87p1/k+cOlC7TdM5ba7IrQ5nGSQ\nAWPSFjc3sX86aAQzkY/SBeQulj1tC3i4ryg09xUFg+oSPDXexpGp8g==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-08-06T05:23:42Z",
+		"mac": "ENC[AES256_GCM,data:eK8RPnR3M4KUGFBtJ43UGq0F4hw+CL1NwoCJbzpX8W8i7pPJOXkIEi0Q4bi3ALMbUxHd5mYE5lKZj0VpPaV3f3t3AvcIg2zWamBYps5R108vwmIDd2UFtmCA496sOSJgpTNX13V8X5cK+3uYXYnd4fz9qAupvFpIpkqWqGl4kxU=,iv:/KOE9y1bzpCzI1jmXZ6mfh0jhVhOvpgS7GNIp2QxvhQ=,tag:e5gLfU+9SyxunVeuOVirhw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

vars/per-machine/b4l/b4l-paperless/adminpassword/users/kurogeek

@@ -0,0 +1 @@
+../../../../../../sops/users/kurogeek

vars/per-machine/b4l/b4l-paperless/subdomain/value

@@ -0,0 +1 @@
+paperless