diff --git a/modules/_hosts/tahani/networking.nix b/modules/_hosts/tahani/networking.nix
index b816ffc..ac675be 100644
--- a/modules/_hosts/tahani/networking.nix
+++ b/modules/_hosts/tahani/networking.nix
@@ -13,7 +13,7 @@
 nameservers = ["1.1.1.1"];
 firewall = {
 enable = true;
- trustedInterfaces = ["eno1" "tailscale0"];
+ trustedInterfaces = ["eno1" "tailscale0" "docker0"];
 allowedUDPPorts = [
 53
 config.services.tailscale.port
diff --git a/modules/_hosts/tahani/paperless.nix b/modules/_hosts/tahani/paperless.nix
index 044baa9..baaf6a9 100644
--- a/modules/_hosts/tahani/paperless.nix
+++ b/modules/_hosts/tahani/paperless.nix
@@ -18,30 +18,35 @@
 tls {
 get_certificate tailscale
 }
- reverse_proxy localhost:3000
+ reverse_proxy localhost:8080
 '';
 };
 };
 virtualisation.oci-containers = {
 backend = "docker";
- containers.paperless-ai = {
- image = "clusterzx/paperless-ai:3.0.9";
+ containers.paperless-gpt = {
+ image = "icereed/paperless-gpt:latest";
 autoStart = true;
 ports = [
- "127.0.0.1:3000:3000"
+ "127.0.0.1:8080:8080"
 ];
 volumes = [
- "paperless-ai-data:/app/data"
+ "paperless-gpt-data:/app/data"
+ "paperless-gpt-prompts:/app/prompts"
 ];
 environment = {
- PUID = "1000";
- PGID = "1000";
- PAPERLESS_AI_PORT = "3000";
- # Initial setup wizard will configure the rest
- PAPERLESS_AI_INITIAL_SETUP = "yes";
- PAPERLESS_API_URL = "http://host.docker.internal:${toString config.services.paperless.port}/api";
+ PAPERLESS_BASE_URL = "http://host.docker.internal:${toString config.services.paperless.port}";
+ LLM_PROVIDER = "openai";
+ LLM_MODEL = "gpt-5.4";
+ LLM_LANGUAGE = "German";
+ VISION_LLM_PROVIDER = "openai";
+ VISION_LLM_MODEL = "gpt-5.4";
+ LOG_LEVEL = "info";
 };
+ environmentFiles = [
+ config.sops.secrets.tahani-paperless-gpt-env.path
+ ];
 extraOptions = [
 "--add-host=host.docker.internal:host-gateway"
 ];
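Review bot: Adding `docker0` to `trustedInterfaces` makes the firewall accept every packet that arrives on the Docker bridge, so any container attached to that bridge can reach every listening port on the host, not only Paperless. The new container only needs the Paperless port, so a narrower rule inside `firewall` would be `interfaces.docker0.allowedTCPPorts = [config.services.paperless.port];` with `trustedInterfaces` left as `["eno1" "tailscale0"]`. The `firewall` attribute set continues outside the hunk, so check whether per-interface rules already exist there.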
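Review bot: `image = "icereed/paperless-gpt:latest"` replaces a pinned tag (`clusterzx/paperless-ai:3.0.9`) with a mutable one, so the code that runs is whatever the registry serves at pull time and a rebuild of this host is no longer reproducible. The container is handed the contents of `environmentFiles` (presumably the provider and Paperless credentials) and talks to the document store, so it deserves a fixed release tag and preferably a digest, e.g. `image = "icereed/paperless-gpt:<release-tag>@sha256:<digest>";` with both placeholders filled from the release you have reviewed. A short comment above `LLM_PROVIDER = "openai";` stating that document text and page images leave the host for an external provider would make the data flow explicit to the next maintainer.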
@@ -60,7 +65,7 @@
 services.paperless = {
 enable = true;
- address = "127.0.0.1";
+ address = "0.0.0.0";
 consumptionDir = "/var/lib/paperless/consume";
 passwordFile = config.sops.secrets.tahani-paperless-password.path;
 settings = {
diff --git a/modules/tahani.nix b/modules/tahani.nix
index 08defe0..48ccf8b 100644
--- a/modules/tahani.nix
+++ b/modules/tahani.nix
@@ -12,6 +12,7 @@
 den.aspects.ai-tools
 den.aspects.zellij
 den.aspects.zk
+ den.aspects.secrets
 ];
 den.aspects.tahani.nixos = {...}: {
@@ -30,6 +31,11 @@
 format = "binary";
 path = "/run/secrets/tahani-paperless-password";
 };
+ tahani-paperless-gpt-env = {
+ sopsFile = ../secrets/tahani-paperless-gpt-env;
+ format = "binary";
+ path = "/run/secrets/tahani-paperless-gpt-env";
+ };
 tahani-email-password = {
 sopsFile = ../secrets/tahani-email-password;
 format = "binary";
diff --git a/secrets/tahani-paperless-gpt-env b/secrets/tahani-paperless-gpt-env
new file mode 100644
index 0000000..80dac5a
--- /dev/null
+++ b/secrets/tahani-paperless-gpt-env
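Review bot: `address = "0.0.0.0"` makes Paperless listen on every interface, and because networking.nix lists `eno1` and `tailscale0` as trusted interfaces, the plain-HTTP port is now reachable from the LAN and the tailnet without passing through the Caddy TLS front end. If the only new client is the container reaching the host via `host.docker.internal`, bind to the bridge address instead, e.g. `address = "<docker0 bridge address>";` (placeholder), provided nothing else on the host still reaches Paperless over loopback. If the wildcard bind has to stay, add a comment on this line saying why and which firewall rule is expected to keep the port off `eno1`. The `services.paperless` block continues outside the hunk.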
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:0VWwVEBsCRhTzkF+ee9sEvmPBaMOrC00NgWx6qAj5DchVlulQPQzCHHSMQoNhKSKq3bP2wwZ2XTYEWmJDhQwDaz+zbLKk8Suc7RBFZ8b3iRhn2dTf+Cv9gltnPK24Xqe8XZywO/u7gxWlxSNAY8leLa5U7F7iZ5jweqCls/KjSySFS4XKMsWQrV19frzHEyh2KiAXnkdq3YLrm1aYPTltXuZQR/sCaH6KTnB87mYtRJQU4UsaHBhvVCvAb3/dk65uXDT79fl6+tOKb6PrAOiAwBWvY83C6XTufAFeM7UUh/evbBvYvDfuFsLyOgRQY4xV7s=,iv:EsR+SHYm7na2XIVvcTwmxwMOLy5W/Mtxc9FhbYVmo9I=,tag:HO5pXRFvXM323+uO2PRTGQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZEFOb3FBdWVlWCtHZy95\nM0dlbU0wdk5MQkwvR2poa2FMNmowSkxFNlV3CjZ0SENCUXk1ZU9HL252bGpOU1FW\nZEpOejdsa29KVy9yejVrODFMQzBENWsKLS0tIGVKYXNPZ2dkMUR4c29ONG95UWVC\nQWdzcW1QZWltK0JaSDRPa3BtR0NOZGcKkzny9HFJeLR8l7ohnqyGSFKoMgl2SR8p\nTxxkQ6hpwu6TmxH3Bbx2nbZ7i+JBjrqNQqZSHO5i3URsDwjpRLxm6w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSM2o3V2NPWWtQamJNRitI\nb3RsVTV6SG9weXl2eE5SRmlKL0pQZUF3blM4CmV5Nm1IZFZyQkE2WXJETTVmTlcx\nZG5RbGYyZTJTbmIzWllnWEs3RCtlNmcKLS0tICsrWHdwVlYwRXc3TUJ4eEw0a0V4\nRTRlSjNLRDMwaUhIQ01uckRqSE5IcUkKO+yVAhRWZ5nT2JMxdm/8CBwXK0kONXVD\n58lfNVcRsl+GsA7qg3UL4afEi18XiKMZFAxQUxeY3dzG49W3fMjiMg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkKzN5UHg1YTlyTlBTVmxa\ncTZjM0NpN0J3MWRmUFJ3RmR2VTAxUkQ0N0djCkY2aUtGSkRZKzhoOUNSTHpoS3ZT\nRHdsdzkvcm5hOVpOd0JhdDhxVTg2OHcKLS0tIG1ITExXQXR6c2svdWlLM05RTWxq\ndG5KQy9GdWg3VlJkNEIvSExhOTB2eEkK47OqnTj8vX00b7E0+d2KgVGbhI1yyay3\nZN4+HdZwf3BLz4L03bUp96D4O06QejeANHT0xmjc8xOGsPjznqSkSQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": 
"age1tlymdmaukhwupzrhszspp26lgd8s64rw4vu9lwc7gsgrjm78095s9fe9l3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQkhwckJueGt6dVNRRDFQ\nL3VKTy9ucFVLN1RnM05LV3kzR3RsK0NaY0VRCko1NmxQbE10OWgyRHFhZ0F3QTRM\nUmdnMElqWmlneFJUL01SQ2R1TGtRbTQKLS0tIHR3RjFxS0RsNFJGZmM1SmV5aTlK\nM1prTmxWNVFRM3Z1b3RLYzl2RDByWHcK/My/c/sQADZmbPOYhoEXpiG2FQ41Cbih\nthHGvRyF3lk9vcN/9cWQeiayzlgrwLsiEe1naOxpSuS+gvl3BySLzw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-03-13T16:55:58Z", + "mac": "ENC[AES256_GCM,data:cVPUe+6fb3Kw2sbjG7cOIi/4aIZHuZHcnaZtfCw6VyQpLCfJScNmVJ64050S2Sk0032MYNCJGwYYritK22HBoPioELhYP6hyDSHKMBo+kxrkOcAiNd/I841hEKwZk8nvhAbu4mMdhpJGdTMCKqwYS1LIMIeiL/KRMFdgf0QGmvU=,iv:HUuMaA7c11gOQi4Co8XYiATUTX+be73ua+D7SwBAtL0=,tag:J6VkolgwqkgglWHWwGAEXQ==,type:str]", + "version": "3.12.1" + } +}