refactor

modules/hosts/_parts/tahani/adguardhome.nix

@@ -0,0 +1,69 @@
+{config, ...}: {
+	services.adguardhome = {
+		enable = true;
+		host = "127.0.0.1";
+		port = 10000;
+		settings = {
+			dhcp = {
+				enabled = false;
+			};
+			dns = {
+				upstream_dns = [
+					"1.1.1.1"
+					"1.0.0.1"
+				];
+			};
+			filtering = {
+				protection_enabled = true;
+				filtering_enabled = true;
+				safe_search = {
+					enabled = false;
+				};
+				safebrowsing_enabled = true;
+				blocked_response_ttl = 10;
+				filters_update_interval = 24;
+				blocked_services = {
+					ids = [
+						"reddit"
+						"twitter"
+					];
+				};
+			};
+			filters = [
+				{
+					enabled = true;
+					url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt";
+					name = "HaGeZi Multi PRO";
+					id = 1;
+				}
+				{
+					enabled = true;
+					url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt";
+					name = "HaGeZi Threat Intelligence Feeds";
+					id = 2;
+				}
+				{
+					enabled = true;
+					url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/gambling.txt";
+					name = "HaGeZi Gambling";
+					id = 3;
+				}
+				{
+					enabled = true;
+					url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/nsfw.txt";
+					name = "HaGeZi NSFW";
+					id = 4;
+				}
+			];
+		};
+	};
+
+	services.caddy.virtualHosts."adguard.manticore-hippocampus.ts.net" = {
+		extraConfig = ''
+			tls {
+				get_certificate tailscale
+			}
+			reverse_proxy localhost:${toString config.services.adguardhome.port}
+		'';
+	};
+}

modules/hosts/_parts/tahani/cache.nix

@@ -0,0 +1,10 @@
+{...}: {
+	services.caddy.virtualHosts."cache.manticore-hippocampus.ts.net" = {
+		extraConfig = ''
+			tls {
+				get_certificate tailscale
+			}
+			reverse_proxy localhost:32843
+		'';
+	};
+}

modules/hosts/_parts/tahani/networking.nix

@@ -0,0 +1,38 @@
+{config, ...}: {
+	services.tailscale.extraSetFlags = ["--accept-routes=false"];
+
+	networking = {
+		useDHCP = false;
+		interfaces.eno1.ipv4.addresses = [
+			{
+				address = "192.168.1.10";
+				prefixLength = 24;
+			}
+		];
+		defaultGateway = "192.168.1.1";
+		nameservers = ["1.1.1.1"];
+		firewall = {
+			enable = true;
+			trustedInterfaces = ["eno1" "tailscale0" "docker0"];
+			allowedUDPPorts = [
+				53
+				config.services.tailscale.port
+			];
+			allowedTCPPorts = [
+				22
+				53
+			];
+			checkReversePath = "loose";
+		};
+	};
+
+	fileSystems."/" = {
+		device = "/dev/disk/by-label/NIXROOT";
+		fsType = "ext4";
+	};
+
+	fileSystems."/boot" = {
+		device = "/dev/disk/by-label/NIXBOOT";
+		fsType = "vfat";
+	};
+}

modules/hosts/_parts/tahani/paperless-gpt-prompts/tag_prompt.tmpl

@@ -0,0 +1,26 @@
+I will provide you with the content and title of a document. Your task is to select appropriate tags for the document from the available list.
+Only select tags from the provided list.
+
+Rules:
+1. Focus on WHAT the document IS (document type) and what TOPIC it relates to — not on incidental details mentioned in the content.
+   - GOOD tags for a server hosting invoice: "Invoice", "Hosting"
+   - BAD tags for a server hosting invoice: "IBAN", "VAT", "Bank account" — these are just details that appear on any invoice.
+2. Pick 1-4 tags maximum. Fewer is better. Every tag must add distinct, meaningful categorisation value.
+3. All tags must be in English.
+4. Never tag based on formatting details, payment methods, reference numbers, or boilerplate text.
+
+The content is likely in {{.Language}}, but tags must always be in English.
+
+<available_tags>
+{{.AvailableTags | join ", "}}
+</available_tags>
+
+<title>
+{{.Title}}
+</title>
+
+<content>
+{{.Content}}
+</content>
+
+Respond only with the selected tags as a comma-separated list, without any additional information.

modules/hosts/_parts/tahani/paperless-gpt-prompts/title_prompt.tmpl

@@ -0,0 +1,26 @@
+I will provide you with the content of a document that has been partially read by OCR (so it may contain errors).
+Your task is to generate a clear, consistent document title for use in paperless-ngx.
+
+Title format: "YYYY-MM-DD - Sender - Description"
+- YYYY-MM-DD: The document date (issue date, statement date, etc.). Use the most specific date available. If no date is found, omit the date prefix.
+- Sender: The company, organisation, or person who sent/issued the document. Use their common short name (e.g. "Hetzner" not "Hetzner Online GmbH").
+- Description: A brief description of what the document is (e.g. "Server hosting invoice", "Payslip January", "Employment contract", "Tax assessment 2024"). Keep it concise but specific enough to distinguish from similar documents.
+
+Examples:
+- "2025-03-01 - Hetzner - Server hosting invoice"
+- "2024-12-15 - Techniker Krankenkasse - Health insurance statement"
+- "2024-06-30 - Acme Corp - Payslip June"
+- "2024-01-10 - Finanzamt Berlin - Tax assessment 2023"
+
+Rules:
+1. Always write the title in English, regardless of the document language.
+2. Keep the description part under 6 words.
+3. If the original title contains useful information, use it to inform your suggestion.
+4. Respond only with the title, without any additional information.
+
+The content is likely in {{.Language}}.
+
+<original_title>{{.Title}}</original_title>
+<content>
+{{.Content}}
+</content>

modules/hosts/_parts/tahani/paperless.nix

@@ -0,0 +1,87 @@
+{config, ...}: {
+	services.caddy = {
+		enable = true;
+		enableReload = false;
+		globalConfig = ''
+			admin off
+		'';
+		virtualHosts."docs.manticore-hippocampus.ts.net" = {
+			extraConfig = ''
+				tls {
+					get_certificate tailscale
+				}
+				reverse_proxy localhost:${toString config.services.paperless.port}
+			'';
+		};
+		virtualHosts."docs-ai.manticore-hippocampus.ts.net" = {
+			extraConfig = ''
+				tls {
+					get_certificate tailscale
+				}
+				reverse_proxy localhost:8081
+			'';
+		};
+	};
+
+	virtualisation.oci-containers = {
+		backend = "docker";
+		containers.paperless-gpt = {
+			image = "icereed/paperless-gpt:latest";
+			autoStart = true;
+			ports = [
+				"127.0.0.1:8081:8080"
+			];
+			volumes = [
+				"paperless-gpt-data:/app/data"
+				"paperless-gpt-prompts:/app/prompts"
+				"${./paperless-gpt-prompts/tag_prompt.tmpl}:/app/prompts/tag_prompt.tmpl:ro"
+				"${./paperless-gpt-prompts/title_prompt.tmpl}:/app/prompts/title_prompt.tmpl:ro"
+			];
+			environment = {
+				PAPERLESS_BASE_URL = "http://host.docker.internal:${toString config.services.paperless.port}";
+				LLM_PROVIDER = "openai";
+				LLM_MODEL = "gpt-5.4";
+				LLM_LANGUAGE = "German";
+				VISION_LLM_PROVIDER = "openai";
+				VISION_LLM_MODEL = "gpt-5.4";
+				LOG_LEVEL = "info";
+			};
+			environmentFiles = [
+				config.sops.secrets.tahani-paperless-gpt-env.path
+			];
+			extraOptions = [
+				"--add-host=host.docker.internal:host-gateway"
+			];
+		};
+	};
+
+	services.redis.servers.paperless = {
+		enable = true;
+		port = 6379;
+		bind = "127.0.0.1";
+		settings = {
+			maxmemory = "256mb";
+			maxmemory-policy = "allkeys-lru";
+		};
+	};
+
+	services.paperless = {
+		enable = true;
+		address = "0.0.0.0";
+		consumptionDir = "/var/lib/paperless/consume";
+		passwordFile = config.sops.secrets.tahani-paperless-password.path;
+		settings = {
+			PAPERLESS_DBENGINE = "sqlite";
+			PAPERLESS_REDIS = "redis://127.0.0.1:6379";
+			PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+				".DS_STORE/*"
+				"desktop.ini"
+			];
+			PAPERLESS_CONSUMER_POLLING = 30;
+			PAPERLESS_CONSUMER_RECURSIVE = true;
+			PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
+			PAPERLESS_OCR_LANGUAGE = "deu+eng";
+			PAPERLESS_CSRF_TRUSTED_ORIGINS = "https://docs.manticore-hippocampus.ts.net";
+		};
+	};
+}