From 5701d95e645d13d4d67ad31696f9603d035451cb Mon Sep 17 00:00:00 2001 From: fwastring Date: Mon, 19 Jan 2026 08:55:12 +0100 Subject: [PATCH] added paperless --- maskiner/node/configuration.nix | 4 ++ moduler/services/paperless/default.nix | 61 ++++++++++++++++++++++++++ secrets/sops.yaml | 5 ++- 3 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 moduler/services/paperless/default.nix diff --git a/maskiner/node/configuration.nix b/maskiner/node/configuration.nix index b5261ff..57df68a 100644 --- a/maskiner/node/configuration.nix +++ b/maskiner/node/configuration.nix @@ -34,6 +34,7 @@ in (modulesDirectory + /services/gotify) (modulesDirectory + /services/kanboard) (modulesDirectory + /services/immich) + (modulesDirectory + /services/paperless) ]; sops.defaultSopsFile = ../../secrets/sops.yaml; @@ -78,6 +79,9 @@ in immich = { enable = true; }; + paperless = { + enable = true; + }; kanboard = { enable = true; host = "127.0.0.1"; diff --git a/moduler/services/paperless/default.nix b/moduler/services/paperless/default.nix new file mode 100644 index 0000000..f00c1dc --- /dev/null +++ b/moduler/services/paperless/default.nix 
@@ -0,0 +1,61 @@
+{
+ lib,
+ config,
+ ...
+}:
+with lib;
+{
+ options = {
+ paperless = {
+ enable = mkEnableOption "enables paperless";
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8089;
+ description = "The port that paperless is served on.";
+ };
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1";
+ description = "The hostname that paperless is served on.";
+ };
+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "paperless.wastring.com";
+ description = "The domain that paperless is served on.";
+ };
+ };
+ };
+
+ config = mkMerge [
+ (mkIf config.paperless.enable {
+ sops.secrets.paperless-admin-password = { };
+ services.nginx.virtualHosts.${config.paperless.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${toString config.paperless.hostname}:${toString config.paperless.port}";
+ proxyWebsockets = true;
+ };
+ };
+ services.paperless = {
+ enable = true;
+ passwordFile = config.sops.secrets.paperless-admin-password.path;
+ address = config.paperless.hostname;
+ port = config.paperless.port;
+ consumptionDirIsPublic = true;
+ settings = {
+ PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+ ".DS_STORE/*"
+ "desktop.ini"
+ ];
+ PAPERLESS_OCR_LANGUAGE = "swe+eng";
+ PAPERLESS_OCR_USER_ARGS = {
+ optimize = 1;
+ pdfa_image_compression = "lossless";
+ };
+ PAPERLESS_URL = "https://${toString config.paperless.domain}";
+ };
+ };
+ })
+ ];
+}
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index 0c88372..6ba2171 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
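Review bot: In moduler/services/paperless/default.nix, `consumptionDirIsPublic = true;` makes the consumption directory writable by every local account, per the NixOS option's description, so anything running on this host can feed files into the OCR and parsing pipeline of a service that this same hunk publishes through nginx at `paperless.wastring.com`. The host also imports gotify, kanboard and immich, which widens the set of processes that could drop a document there if one of them were compromised. I would remove the line (the option defaults to off) and instead give the account that actually drops scans membership in the paperless service's group. Separately, `port` would be better declared as `lib.types.port` than `lib.types.int`, so out-of-range values fail at evaluation.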
@@ -8,6 +8,7 @@ forgejo-runner-token: ENC[AES256_GCM,data:1AUeTy5Sqoa4u5L/TGjt/v69p2xF/mp0oXVv08 gotify_password: ENC[AES256_GCM,data:Tl9T9yxKSyiemmc5B7kCdwYYHB9anenBg8epFNGqu7sa8YfaZNH9HfTdBtqELIcAkkyfoJUj9tOhxcfa1lDasahJC/8VF0jx6tjsgmTJORAwQa/8,iv:bEtG/ICTqqK3E+YXysDLV/uyawoeILKH+mQXTLOcWpk=,tag:dPqm74eH/Gt9Eg0lv2ptEw==,type:str] user-password: ENC[AES256_GCM,data:cngHqB2IQXVvSMwm5KJeq6wOQMQ4z/DWap3YMyahq2fz8R2CKHackaNY4K3dltXKSLv5zdelyHMf4u7gzuPTMO1yNRIG99C9Yg==,iv:6WZ/dUQwn6+TPXnSEvDVS0DZz0oz7vMvKAioqYzvf0c=,tag:xVoCF0L490nZi/xYTI0klw==,type:str] immich-secrets-file: ENC[AES256_GCM,data:aUSQr5k7uqZzBvpSAFgpfStcuEPbf3U2GED+biU56UBi02MgQzckmK4kKJ7XIF6UyBvxLw==,iv:mep3JNp86YjsIJSONYNLeEYsSN/ERao7hs7O5cnHF9s=,tag:m6sulZTYMnTpxgPGFXITTg==,type:str] +paperless-admin-password: ENC[AES256_GCM,data:Aup5T7pMptHT6z7Uqzd9I4EMaG4sbPNC9bVj+muTowkNKAr3nMOOXaAL4wgy00UI9u4KdZzQ/hyrYMMT,iv:VaR7OK8CEC3VlSbGvLIihX15fQQ7H/PyWZcp7nifOAg=,tag:G4DNgqjbZYaeSmj8vmT5IA==,type:str] build-service: ENC[AES256_GCM,data:4I1iPfdc5mbzGIYCVEtTZW0/MvLwUyEb2uaDERaApYMOVB3iSVNx+fyhxRokaQ==,iv:zAfFGFJdj6TvkS4D9qtRhYtPcvhNqv98Dmzp0TKVp+4=,tag:bWrUbEleOVq01eeKYvq7rw==,type:str] sops: age: 
@@ -56,7 +57,7 @@ sops: dFZ3T3VUeHVnVThadHVQaVJCNkdZeDQK99L7CbBbklUUtanyFIOiCzO3hZP1mh3z ZZhhr6BCcHBbqzLaRLbT27BTCoNuGsXxyzW6tpXYacYuITkcFq9bOQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-04T11:59:48Z" - mac: ENC[AES256_GCM,data:rQgkqcpNZkTA8yaJHaD1L3d28e8Z4FP/Ox0Rm5zoJLAPj86roW7UmH8TxtmNbzvjmtohmwZG+HrFJCQfVnlwqjDG1ZTdTqgzg2tklD4pDiUKaU899u97919MTEJHGLqhBpjfSKuR7Ja3CuZjToDWKk3h2ooUNgXSqCIhtFoonxw=,iv:UpYGtYD5FMTxf84sp03My21p0KNHELjNcKszUoiR0dU=,tag:yd2aU5e/SexivsNNfu2VhQ==,type:str] + lastmodified: "2025-12-30T12:32:36Z" + mac: ENC[AES256_GCM,data:4uQBw966lOw1/NBi5LCuKEs5chGQvRtbVjJijF/504go5GsGVcrCOvoedwZzM2ui5GYecrmIKWThjRxT9DLYkzb+8BOF7sWKRwjQq2g/3Ew1UnqDJC+uiTvHSq2QzB/B5tD3astQyo8Y7JryHDZDVIvYano+gijIzQgFNeAVgQU=,iv:xucBautLNDbMD/KXryRdcW1I8Ui30ANloShQ3OjKFLI=,tag:estaWlGhl9R+vlSWxa79jA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0