feat: fae and paperless-ngx

flake.nix

@@ -92,7 +92,7 @@
       };
 
       flake = {
-        deploy.nodes = self.b12f-os.lib.deploy.mkDeployNodes self.nixosConfigurations {
+        deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
         #example = {
         #  hostname = "example.com:22";
         #  sshUser = "bartender";
@@ -103,15 +103,10 @@
         #    path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
         #  };
         #};
+
         fae = {
-          hostname = "fae.fritz.box:22";
+          hostname = "192.168.178.31";
           sshUser = "pub-solar";
-          fastConnect = true;
-          profilesOrder = ["system" "direnv"];
-          profiles.direnv = {
-            user = "pub-solar";
-            path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.pub-solar;
-          };
         };
         powder = {
           hostname = "80.71.153.194";

hosts/default.nix

@@ -35,15 +35,15 @@
         ];
       };
 
-      #fae = self.nixos-flake.lib.mkLinuxSystem {
-      #  nixpkgs.hostPlatform = "x86_64-linux";
-      #  imports = [
-      #    self.nixosModules.base
-      #    ./fae
-      #    self.nixosModules.teutat3s
-      #    self.nixosModules.wireguard-client
-      #  ];
-      #};
+      fae = self.nixos-flake.lib.mkLinuxSystem {
+        nixpkgs.hostPlatform = "aarch64-linux";
+        imports = [
+          self.nixosModules.base
+          inputs.nixos-hardware.nixosModules.raspberry-pi-4
+          ./fae
+          self.nixosModules.pub-solar
+        ];
+      };
 
       #powder = self.nixos-flake.lib.mkLinuxSystem {
       #  nixpkgs.hostPlatform = "aarch64-linux";

hosts/fae.nix

@@ -1,100 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  profiles,
-  ...
-}: {
-  imports = [
-    # profiles.networking
-    #profiles.core
-    "${
-      fetchTarball {
-        url = "https://github.com/NixOS/nixos-hardware/archive/8f1bf828d8606fe38a02df312cf14546ae200a72.tar.gz";
-        sha256 = "11milap153g3f63fcrcv4777vd64f7wlfkk9p3kpxi6dqd2sxvh4";
-      }
-    }/raspberry-pi/4"
-    profiles.users.root # make sure to configure ssh keys
-    profiles.users.pub-solar
-    profiles.base-user
-    profiles.pub-solar-iso
-  ];
-
-  config = {
-    pub-solar.core.iso-options.enable = true;
-
-    fileSystems = {
-      "/" = {
-        device = "/dev/disk/by-label/NIXOS_SD";
-        fsType = "ext4";
-        options = ["noatime"];
-      };
-    };
-
-    environment.systemPackages = with pkgs; [
-      (kodi-gbm.withPackages (p: with p; [jellyfin netflix youtube]))
-    ];
-
-    services.openssh.enable = true;
-
-    networking.firewall = {
-      allowedTCPPorts = [8080];
-      allowedUDPPorts = [8080];
-    };
-
-    security.sudo.extraConfig = lib.mkAfter ''
-      %wheel    ALL=(ALL) NOPASSWD:ALL
-    '';
-
-    nix = {
-      autoOptimiseStore = true;
-
-      gc.automatic = true;
-
-      optimise.automatic = true;
-
-      useSandbox = true;
-
-      allowedUsers = ["@wheel"];
-
-      trustedUsers = ["root" "@wheel"];
-
-      extraOptions = ''
-        min-free = 536870912
-        keep-outputs = true
-        keep-derivations = true
-        fallback = true
-      '';
-    };
-
-    # Enable GPU acceleration
-    hardware.raspberry-pi."4".fkms-3d.enable = true;
-
-    # Define a user account for kodi
-    users.extraUsers.kodi.isNormalUser = true;
-
-    services.xserver = {
-      enable = true;
-      desktopManager.kodi.enable = true;
-      desktopManager.kodi.package = pkgs.kodi-gbm;
-      displayManager = {
-        autoLogin.enable = true;
-        autoLogin.user = "kodi";
-      };
-    };
-
-    hardware.pulseaudio.enable = true;
-
-    # custom raspi boot loader is already present
-    boot.loader.systemd-boot.enable = lib.mkForce false;
-    boot.kernelPackages = lib.mkForce pkgs.linuxPackages_rpi4;
-
-    # This value determines the NixOS release from which the default
-    # settings for stateful data, like file locations and database versions
-    # on your system were taken. It‘s perfectly fine and recommended to leave
-    # this value at the release version of the first install of this system.
-    # Before changing this value read the documentation for this option
-    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-    system.stateVersion = "21.05"; # Did you read the comment?
-  };
-}

hosts/fae/default.nix

@@ -0,0 +1,6 @@
+{...}: {
+  imports = [
+    ./paperless.nix
+    ./fae.nix
+  ];
+}

hosts/fae/fae.nix

@@ -0,0 +1,67 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  config = {
+    pub-solar.core.disk-encryption-active = false;
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-label/NIXOS_SD";
+        fsType = "ext4";
+        options = ["noatime"];
+      };
+    };
+
+    networking.hostName = "fae";
+
+    services.openssh = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    boot.kernelParams = [
+	    "boot.shell_on_fail=1"
+    ];
+
+    environment.noXlibs = true;
+
+    nix = {
+      gc.automatic = true;
+
+      optimise.automatic = true;
+
+      settings = {
+        auto-optimise-store = true;
+        sandbox = true;
+        allowed-users = ["@wheel"];
+        trusted-users = ["root" "@wheel"];
+      };
+
+      extraOptions = ''
+        min-free = 536870912
+        keep-outputs = true
+        keep-derivations = true
+        fallback = true
+      '';
+    };
+
+    # custom raspi boot loader is already present
+    boot.loader.systemd-boot.enable = false;
+    boot.loader.grub.enable = false;
+    boot.loader.generic-extlinux-compatible.enable = true;
+    boot.kernelPackages = pkgs.linuxPackages_6_6;
+
+    nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+    # This value determines the NixOS release from which the default
+    # settings for stateful data, like file locations and database versions
+    # on your system were taken. It‘s perfectly fine and recommended to leave
+    # this value at the release version of the first install of this system.
+    # Before changing this value read the documentation for this option
+    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+    system.stateVersion = "23.11"; # Did you read the comment?
+  };
+}

hosts/fae/paperless.nix

@@ -0,0 +1,121 @@
+{
+  flake,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+  dataDir = "${xdg.dataHome}/Paperless";
+  backupDir = "${xdg.dataHome}/PaperlessBackup";
+  consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
+
+  scan2paperless = with pkgs; writeShellScriptBin "scan2paperless" ''
+    DEVICE=$1
+    NUM_PAGES=$2
+    NAME=$3
+
+    if [ -z "''${DEVICE}" ] || [ -z "''${NUM_PAGES}" ] || [ -z "''${NAME}" ]; then
+      echo "Usage: scan2paperless <device> <num_pages> <name>"
+      exit 1
+    fi
+
+    tmpDir=$(${coreutils}/bin/mktemp -d)
+    files=()
+
+    for i in $(seq 1 $NUM_PAGES); do
+      fileName=$(${openssl}/bin/openssl rand -hex 12)
+      file="$tmpDir/$fileName.jpg"
+      echo "Start scanning page $i/$NUM_PAGES";
+      ${sane-backends}/bin/scanimage -d $DEVICE --format=jpeg --resolution 300 --progress -o $file
+      echo "Finished scanning page $i";
+      files+=($file)
+    done
+
+    pdf="${consumptionDir}/$NAME.pdf"
+    ${python3Packages.img2pdf}/bin/img2pdf --output $pdf ''${files[@]}
+
+    echo "PDF written to $pdf"
+  '';
+in {
+  services.paperless = {
+    enable = true;
+    user = psCfg.user.name;
+    consumptionDir = consumptionDir;
+    dataDir = dataDir;
+    address = "127.0.0.1";
+    extraConfig = {
+      PAPERLESS_OCR_LANGUAGE = "nld+deu";
+      PAPERLESS_ADMIN_USER = psCfg.user.name;
+      PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
+      PAPERLESS_URL = "https://paperless.local";
+    };
+  };
+
+  #hardware.sane = {
+  #  enable = true;
+  #  extraBackends = [pkgs.hplipWithPlugin];
+  #};
+
+  users.users."${psCfg.user.name}".packages = with pkgs; [
+    scan2paperless
+    python3Packages.img2pdf
+  ];
+
+  home-manager.users."${psCfg.user.name}" = {
+    home.sessionVariables = {
+      SCANNER_OUTPUT_DIR = consumptionDir;
+    };
+    systemd.user.sessionVariables = {
+      SCANNER_OUTPUT_DIR = consumptionDir;
+    };
+  };
+
+  #security.acme.certs = {
+  #  "paperless.b12f.io" = {};
+  #};
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "paperless.local" = {
+        extraConfig = ''
+          reverse_proxy :${builtins.toString config.services.paperless.port}
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.tmpfiles.rules = [
+    "d /home/${psCfg.user.name}/.local 0700 ${psCfg.user.name} users - -"
+    "d /home/${psCfg.user.name}/.local/share 0700 ${psCfg.user.name} users - -"
+    "d '${backupDir}' 0700 ${psCfg.user.name} users - -"
+  ];
+
+  #age.secrets."rclone-pie.conf" = {
+  #  file = "${flake.self}/secrets/rclone-pie.conf.age";
+  #  path = "/root/.config/rclone/rclone.conf";
+  #  mode = "400";
+  #};
+
+  #age.secrets."restic-password" = {
+  #  file = "${flake.self}/secrets/restic-password.age";
+  #  mode = "400";
+  #};
+
+  #services.restic.backups = {
+  #  paperless = {
+  #    paths = [ backupDir ];
+  #    initialize = true;
+  #    passwordFile = config.age.secrets."restic-password".path;
+  #    # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+  #    repository = "rclone:cloud.pub.solar:/backups/Paperless";
+  #    backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
+  #    rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+  #  };
+  #};
+}

modules/crypto/default.nix

@@ -22,7 +22,7 @@ in {
 
     services.gpg-agent = {
       enable = true;
-      pinentryFlavor = "gnome3";
+      pinentryFlavor = lib.mkDefault "gnome3";
       verbose = true;
     };
 

users/default.nix

@@ -4,6 +4,7 @@
     nixosModules = rec {
       root = import ./root;
       teutat3s = import ./teutat3s;
+      pub-solar = import ./pub-solar;
       nixos = import ./nixos;
     };
   };

users/pub-solar/default.nix

@@ -6,11 +6,14 @@
     # The rest is used for programs like git
     user = {
       name = "pub-solar";
-      # default password = pub-solar
-      password = "$6$Kv0BCLU2Jg7GN8Oa$hc2vERKCbZdczFqyHPfgCaleGP.JuOWyd.bfcIsLDNmExGXI6Rnkze.SWzVzVS311KBznN/P4uUYAUADXkVtr.";
+      password = "$6$guLp1v0G0TxGThXX$y7YeEcYjFpN6gutLCbvAkqppOVLYZjfo4DxofrMm6a9MIjVoKKaY20UzityJsHbQU4THIFfj8gLWVOjyjL.P2.";
+      passwordlessSudo = true;
       fullName = "Pub Solar";
-      email = "iso@pub.solar";
-      publicKeys = [];
+      email = "teutat3s@pub.solar";
+      publicKeys = [
+        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a"
+      ];
     };
   };
+  home-manager.users.pub-solar.services.gpg-agent.pinentryFlavor = "curses";
 }

users/teutat3s/home.nix

@@ -67,14 +67,14 @@ in {
         gpu-switch
         ifmetric
         ipmitool
-        keybase-gui
+        #keybase-gui
         nomad_1_4
         thunderbird
         vault
         veracrypt
         waypoint
         age-plugin-yubikey
-        cockroach-bin
+        #cockroach-bin
         obs-studio
         wlvncc
       ];