updates and nixifying

hosts/desktop/gnome/home.nix

@@ -21,7 +21,7 @@
       "org/gnome/tweaks".show-extensions-notice = false;
       "org/gnome/shell".enabled-extensions = [
         "appindicatorsupport@rgcjonas.gmail.com"
-        "arcmenu@arcmenu.com"
+        # "arcmenu@arcmenu.com"
         "user-theme@gnome-shell-extensions.gcampax.github.com"
         "tiling-assistant@leleat-on-github"
         "dash-to-dock@micxgx.gmail.com"

hosts/nas/apps.nix

@@ -1,11 +1,13 @@
 { config, ... }:
 {
   imports = [
+    ./apps/arrs
+    ./apps/jellyfin/jellyfin.nix
+    ./apps/jellyseerr/jellyseerr.nix
+    ./apps/paperless
     ../../modules
-    # ../../modules/apps/caddy
-    ../../modules/apps/jellyfin/jellyfin.nix
-    ../../modules/apps/paperless
-    ../../modules/apps/jellyseerr/jellyseerr.nix
+
+    # ./apps/nextcloud
   ];
 
   nas-apps = {

hosts/nas/apps/arrs/default.nix

@@ -0,0 +1,172 @@
+{ config, pkgs, lib, ... }:
+
+let
+  radarrPort = 7878;
+  sonarrPort = 8989;
+  sabnzbdPort = 8080;
+  radarrDataDir = "/var/lib/radarr";
+  downloadDir = "/downloads";
+  incompleteDir = "/downloads-incomplete";
+  sonarrDataDir = "/var/lib/sonarr";
+  sabnzbdConfig = "/var/lib/sabnzbd";
+  mediaDir = "/media";
+  arrUserId = config.users.users.nix-apps.uid;
+  arrGroupId = config.users.groups.jallen-nas.gid;
+  sonarrPkg = pkgs.unstable.sonarr;
+in
+{
+
+  containers.arrs = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "10.0.1.18";
+    localAddress = "10.0.1.51";
+    
+    config = { config, pkgs, lib, ... }: {
+      nixpkgs.config.permittedInsecurePackages = [
+        "aspnetcore-runtime-6.0.36"
+        "aspnetcore-runtime-wrapped-6.0.36"
+        "dotnet-sdk-6.0.428"
+        "dotnet-sdk-wrapped-6.0.428"
+      ];
+
+      nixpkgs.config.allowUnfree = true;
+      
+      # Enable radarr service
+      services.radarr = {
+        enable = true;
+        openFirewall = true;
+        user = "arrs";
+        group = "media";
+        dataDir = radarrDataDir;
+      };
+
+      # Enable Sonarr service
+      services.sonarr = {
+        enable = true;
+        openFirewall = true;
+        user = "arrs";
+        group = "media";
+        dataDir = sonarrDataDir;
+        package = sonarrPkg;
+      };
+
+      # Enable Sabnzbd service
+      services.sabnzbd = {
+        enable = true;
+        openFirewall = true;
+        user = "arrs";
+        group = "media";
+        configFile = "${sabnzbdConfig}/sabnzbd.ini";
+      };
+
+      # Create required users and groups
+      users.users.arrs = {
+        isSystemUser = true;
+        uid = lib.mkForce arrUserId;
+        group = "media";
+        extraGroups = [ "downloads" ];
+      };
+
+      users.groups = {
+        media = { gid = lib.mkForce arrGroupId; };
+        downloads = {};
+      };
+
+      # System packages
+      environment.systemPackages = with pkgs; [
+        sqlite
+        mono
+        mediainfo
+        protonvpn-cli
+      ];
+
+      # Create and set permissions for required directories
+      system.activationScripts.radarr-dirs = ''
+        mkdir -p ${radarrDataDir}
+        mkdir -p ${sonarrDataDir}
+        mkdir -p ${sabnzbdConfig}
+        mkdir -p ${downloadDir}
+        mkdir -p ${incompleteDir}
+        mkdir -p ${mediaDir}
+
+        chown -R arrs:media ${radarrDataDir}
+        chown -R arrs:media ${sonarrDataDir}
+        chown -R arrs:media ${sabnzbdConfig}
+        chown -R arrs:media ${downloadDir}
+        chown -R arrs:media ${incompleteDir}
+        chown -R arrs:media ${mediaDir}
+        
+        chmod -R 775 ${radarrDataDir}
+        chmod -R 775 ${sonarrDataDir}
+        chmod -R 775 ${sabnzbdConfig}
+        chmod -R 775 ${downloadDir}
+        chmod -R 775 ${incompleteDir}
+        chmod -R 775 ${mediaDir}
+        
+      '';
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ radarrPort sonarrPort sabnzbdPort ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        services.resolved.enable = true;
+        system.stateVersion = "23.11";
+      };
+
+    # Bind mount directories from host
+    bindMounts = {
+      "${radarrDataDir}" = {
+        hostPath = "/media/nas/ssd/nix-app-data/radarr";
+        isReadOnly = false;
+      };
+      "${sonarrDataDir}" = {
+        hostPath = "/media/nas/ssd/nix-app-data/sonarr";
+        isReadOnly = false;
+      };
+      "${sabnzbdConfig}" = {
+        hostPath = "/media/nas/ssd/nix-app-data/sabnzbd";
+        isReadOnly = false;
+      };
+      "${downloadDir}" = {
+        hostPath = "/media/nas/ssd/ssd_app_data/downloads";
+        isReadOnly = false;
+      };
+      "${incompleteDir}" = {
+        hostPath = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
+        isReadOnly = false;
+      };
+      "/media/movies" = {
+        hostPath = "/media/nas/main/movies";
+        isReadOnly = false;
+      };
+      "/media/tv" = {
+        hostPath = "/media/nas/main/tv";
+        isReadOnly = false;
+      };
+    };
+  };
+
+  networking.nat = {
+    forwardPorts = [
+      {
+        destination = "10.0.1.51:7878";
+        sourcePort = radarrPort;
+      }
+      {
+        destination = "10.0.1.51:8989";
+        sourcePort = sonarrPort;
+      }
+      {
+        destination = "10.0.1.51:8080";
+        sourcePort = sabnzbdPort;
+      }
+    ];
+  };
+}

hosts/nas/apps/collabora/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.collabora-online = {
+    enable = true;
+    port = 9980;
+  };
+}

hosts/nas/apps/jellyfin/default.nix

@@ -0,0 +1,30 @@
+{ lib, config, ... }:
+with lib;
+let
+  cfg = config.nas-apps.jellyfin;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+
+    virtualisation.oci-containers.containers.${cfg.name} = {
+      autoStart = true;
+      image = cfg.image;
+      extraOptions = [ "--device=nvidia.com/gpu=0" ];
+      volumes = [
+        "${cfg.configPath}:/config"
+        "${cfg.moviesPath}:/data/movies"
+        "${cfg.tvPath}:/data/tv"
+      ];
+      ports = [ "${cfg.port}:8096" ];
+      environment = {
+        NVIDIA_VISIBLE_DEVICES = "all";
+        NVIDIA_DRIVER_CAPABILITIES = "all";
+        PUID = cfg.puid;
+        PGID = cfg.pgid;
+        TZ = cfg.timeZone;
+      };
+    };
+  };
+}

hosts/nas/apps/jellyfin/jellyfin.nix

@@ -0,0 +1,168 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+# let
+#   jellyfinPort = 8096;
+#   jellyfinUserId = config.users.users.nix-apps.uid;
+#   jellyfinGroupId = config.users.groups.jallen-nas.gid;
+#   package = pkgs.jellyfin;
+# in {
+#   containers.jellyfin = {
+#     autoStart = true;
+#     privateNetwork = true;
+#     hostAddress = "10.0.1.18";
+#     localAddress = "10.0.2.25";
+
+#     config = { config, pkgs, lib, ... }: {
+#       # Enable jellyfin service
+#       nixpkgs.config.allowUnfree = true;
+#         hardware = {
+#         # Nvidia
+#         nvidia = {
+#           package = config.boot.kernelPackages.nvidiaPackages.latest;
+#           # Modesetting is required.
+#           modesetting.enable = true;
+#           # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
+#           powerManagement.enable = true;
+#           # Fine-grained power management. Turns off GPU when not in use.
+#           # Experimental and only works on modern Nvidia GPUs (Turing or newer).
+#           powerManagement.finegrained = false;
+#           # Use the NVidia open source kernel module (not to be confused with the
+#           # independent third-party "nouveau" open source driver).
+#           # Support is limited to the Turing and later architectures. Full list of 
+#           # supported GPUs is at: 
+#           # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus 
+#           # Only available from driver 515.43.04+
+#           # Currently alpha-quality/buggy, so false is currently the recommended setting.
+#           open = true;
+
+#           # Enable the Nvidia settings menu,
+#           # accessible via `nvidia-settings`.
+#           nvidiaSettings = true;
+#         };
+
+#         # Enable graphics
+#         graphics = {
+#           enable = true;
+#           enable32Bit = true;
+#         };
+#       };
+
+#       # Services configs
+#       services.xserver = {
+#         # Load nvidia driver for Xorg and Wayland
+#         videoDrivers = [ "nvidia" ];
+#       };
+
+#       services.jellyfin = {
+#         enable = true;
+#         openFirewall = true;
+#         user = "jellyfin";
+#         group = "media";
+#         dataDir = "/data";
+#         configDir = "/config";
+#         # cacheDir = "/cache";
+#       };
+
+#       # Create required users and groups
+#       users.users.jellyfin = {
+#         isSystemUser = true;
+#         uid = lib.mkForce jellyfinUserId;
+#         group = "media";
+#         extraGroups = [ "downloads" ];
+#       };
+
+#       users.groups = {
+#         media = { gid = lib.mkForce jellyfinGroupId; };
+#         downloads = { };
+#       };
+
+#       networking = {
+#         firewall = {
+#           enable = true;
+#           allowedTCPPorts = [ jellyfinPort ];
+#         };
+#         # Use systemd-resolved inside the container
+#         # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+#         useHostResolvConf = lib.mkForce false;
+#       };
+
+#       # System packages
+#       environment.systemPackages = with pkgs; [ 
+#         sqlite 
+#         mono 
+#         mediainfo 
+#         # ffmpeg 
+#         # nvidiaPackages.gpu
+#         # nvidiaPackages.nvidia-settings
+#         # nvidiaPackages.nvidia-x11
+#       ];
+
+#       services.resolved.enable = true;
+#       system.stateVersion = "23.11";
+#     };
+
+#     # Bind mount directories from host
+#     bindMounts = {
+#       "/data" = {
+#         hostPath = "/media/nas/ssd/nix-app-data/jellyfin";
+#         isReadOnly = false;
+#       };
+#       "/tv" = {
+#         hostPath = "/media/nas/main/tv";
+#         isReadOnly = false;
+#       };
+#       "/movies" = {
+#         hostPath = "/media/nas/main/movies";
+#         isReadOnly = false;
+#       };
+#       "/dev/nvidia0" = { hostPath = "/dev/nvidia0"; };  # GPU device
+#       "/dev/nvidiactl" = { hostPath = "/dev/nvidiactl"; }; # NVIDIA control
+#       "/dev/nvidia-modeset" = { hostPath = "/dev/nvidia-modeset"; }; # modesetting
+#     };
+
+#     # allowedDevices = [
+#     #   {
+#     #     modifier = "rw";
+#     #     node = "/dev/nvidia0";
+#     #   }
+#     #   {
+#     #     modifier = "rw";
+#     #     node = "/dev/nvidiactl";
+#     #   } 
+#     #   {
+#     #     modifier = "rw";
+#     #     node = "/dev/nvidia-modeset";
+#     #   } 
+#     #   {
+#     #     modifier = "rw";
+#     #     node = "/dev/nvidia-uvm";
+#     #   }
+#     #   {
+#     #     modifier = "rw";
+#     #     node = "/dev/nvidia-uvm-tools";
+#     #   }
+#     # ];
+#   };
+
+#   networking.nat = {
+#     forwardPorts = [{
+#       destination = "10.0.2.25:8096";
+#       sourcePort = jellyfinPort;
+#     }];
+#   };
+# }
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    user = "nix-apps";
+    group = "jallen-nas";
+    dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
+    # cacheDir = "/cache";
+  };
+}

hosts/nas/apps/jellyfin/options.nix

@@ -0,0 +1,57 @@
+{ lib, ... }:
+with lib;
+{
+  options.nas-apps.jellyfin = {
+    enable = mkEnableOption "jellyfin docker service";
+
+    autoStart = mkOption {
+      type = types.bool;
+      default = true;
+    };
+
+    port = mkOption {
+      type = types.str;
+      default = "8096";
+    };
+
+    name = mkOption {
+      type = types.str;
+      default = "jellyfin";
+    };
+
+    image = mkOption {
+      type = types.str;
+      default = "lscr.io/linuxserver/jellyfin";
+    };
+
+    configPath = mkOption {
+      type = types.str;
+      default = "/media/nas/ssd/nix-app-data/jellyfin";
+    };
+
+    moviesPath = mkOption {
+      type = types.str;
+      default = "/media/nas/main/movies";
+    };
+
+    tvPath = mkOption {
+      type = types.str;
+      default = "/media/nas/main/tv";
+    };
+
+    puid = mkOption {
+      type = types.str;
+      default = "911";
+    };
+
+    pgid = mkOption {
+      type = types.str;
+      default = "1000";
+    };
+
+    timeZone = mkOption {
+      type = types.str;
+      default = "America/Chicago";
+    };
+  };
+}

hosts/nas/apps/jellyseerr/default.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+with lib;
+let
+  cfg = config.nas-apps.jellyseerr;
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    virtualisation.oci-containers.containers."${cfg.name}" = {
+      autoStart = cfg.autoStart;
+      image = cfg.image;
+      ports = [ "${cfg.port}:5055" ];
+      volumes = [ "${cfg.configPath}:/app/config" ];
+      environment = {
+        PUID = cfg.puid;
+        PGID = cfg.pgid;
+        TZ = cfg.timeZone;
+      };
+    };
+  };
+}

hosts/nas/apps/jellyseerr/jellyseerr.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  jellyseerrPort = 5055;
+  dataDir = "/var/lib/jellyseerr";
+  downloadDir = "/downloads";
+  mediaDir = "/media";
+  jellyseerrUserId = config.users.users.nix-apps.uid;
+  jellyseerrGroupId = config.users.groups.jallen-nas.gid;
+  package = pkgs.jellyseerr;
+in
+{
+  containers.jellyseerr = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "10.0.1.18";
+    localAddress = "10.0.1.52";
+    hostAddress6 = "fc00::1";
+    localAddress6 = "fc00::4";
+
+    config =
+      {
+        config,
+        pkgs,
+        lib,
+        ...
+      }:
+      {
+        # Enable jellyseerr service
+        services.jellyseerr = {
+          enable = true;
+          port = jellyseerrPort;
+          # package = package;
+          openFirewall = true;
+        };
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ jellyseerrPort ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        services.resolved.enable = true;
+        system.stateVersion = "23.11";
+      };
+  };
+
+  networking.nat = {
+    forwardPorts = [
+      {
+        destination = "10.0.1.52:5055";
+        sourcePort = jellyseerrPort;
+      }
+    ];
+  };
+}

hosts/nas/apps/jellyseerr/options.nix

@@ -0,0 +1,47 @@
+{ lib, ... }:
+with lib;
+{
+  options.nas-apps.jellyseerr = {
+    enable = mkEnableOption "jellyseerr docker service";
+
+    autoStart = mkOption {
+      type = types.bool;
+      default = true;
+    };
+
+    port = mkOption {
+      type = types.str;
+      default = "5055";
+    };
+
+    name = mkOption {
+      type = types.str;
+      default = "jellyseerr";
+    };
+
+    image = mkOption {
+      type = types.str;
+      default = "fallenbagel/jellyseerr";
+    };
+
+    configPath = mkOption {
+      type = types.str;
+      default = "/media/nas/ssd/ssd_app_data/jellyseerr";
+    };
+
+    puid = mkOption {
+      type = types.str;
+      default = "911";
+    };
+
+    pgid = mkOption {
+      type = types.str;
+      default = "1000";
+    };
+
+    timeZone = mkOption {
+      type = types.str;
+      default = "America/Chicago";
+    };
+  };
+}

hosts/nas/apps/nextcloud/default.nix

@@ -0,0 +1,143 @@
+{ config, ... }:
+let
+  adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
+  dbpass = config.sops.secrets."jallen-nas/nextcloud/dbpassword".path;
+  smtppassword = config.sops.templates."nextcloud-smtp".content;
+  nextcloudUserId = config.users.users.nix-apps.uid;
+  nextcloudGroupId = config.users.groups.jallen-nas.gid;
+in
+{
+  containers.nextcloud = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "10.0.1.18";
+    localAddress = "10.0.2.18";
+
+    bindMounts = {
+      secrets = {
+        hostPath = "/run/secrets/jallen-nas/nextcloud";
+        isReadOnly = true;
+        mountPoint = "/run/secrets/jallen-nas/nextcloud";
+      };
+
+      data = {
+        hostPath = "/media/nas/main/nextcloud";
+        isReadOnly = false;
+        mountPoint = "/data";
+      };
+    };
+
+    config =
+    { pkgs, lib, ... }:
+    {
+      services = {
+        nextcloud = {
+          enable = true;
+          package = pkgs.nextcloud30;
+          # datadir = "/data";
+          hostName = "localhost";
+          appstoreEnable = true;
+          caching.redis = true;
+          configureRedis = true;
+          config = {
+            adminuser = "mjallen";
+            adminpassFile = adminpass;
+            dbhost = "10.0.1.18:3306";
+            dbtype = "mysql";
+            dbname = "jallen_nextcloud";
+            dbuser = "nextcloud";
+            dbpassFile = dbpass;
+          };
+          settings = {
+            datadirectory = "/data";
+            trusted_domains = [
+              "10.0.1.18:9988"
+              "10.0.1.18:9943"
+              "10.0.2.18:80"
+              "10.0.2.18:443"
+              "cloud.mjallen.dev"
+            ];
+            trusted_proxies = [ "10.0.1.18" ];
+            maintenance_window_start = 6;
+            default_phone_region = "US";
+            mail_from_address = "matt.l.jallen";
+            mail_smtpmode = "smtp";
+            mail_sendmailmode = "smtp";
+            mail_domain = "gmail.com";
+            mail_smtpauth = 1;
+            mail_smtpname = "matt.l.jallen";
+            mail_smtppassword = smtppassword;
+            mail_smtpsecure = "ssl";
+            mail_smtphost = "smtp.gmail.com";
+            mail_smtpport = 465;
+            enable_previews = true;
+            enabledPreviewProviders = [
+              "OC\\\\Preview\\\\PNG"
+              "OC\\\\Preview\\\\JPEG"
+              "OC\\\\Preview\\\\GIF"
+              "OC\\\\Preview\\\\BMP"
+              "OC\\\\Preview\\\\XBitmap"
+              "OC\\\\Preview\\\\MP3"
+              "OC\\\\Preview\\\\TXT"
+              "OC\\\\Preview\\\\MarkDown"
+              "OC\\\\Preview\\\\OpenDocument"
+              "OC\\\\Preview\\\\Krita"
+              "OC\\\\Preview\\\\HEIC"
+            ];
+            installed = true;
+            # config_is_read_only = true;
+          };
+        };
+
+      };
+
+      # Create required users and groups
+      users.users.nextcloud = {
+        isSystemUser = true;
+        uid = lib.mkForce nextcloudUserId;
+        group = "nextcloud";
+      };
+
+      users.groups = {
+        nextcloud = { gid = lib.mkForce nextcloudGroupId; };
+        downloads = {};
+      };
+
+      # Create and set permissions for required directories
+      system.activationScripts.radarr-dirs = ''
+        mkdir -p /data
+
+        chown -R nextcloud:nextcloud /data
+        
+        chmod -R 775 /data
+        
+      '';
+
+      system.stateVersion = "23.11";
+      networking = {
+        firewall = {
+          enable = true;
+          allowedTCPPorts = [ 80 443 ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = lib.mkForce false;
+      };
+      services.resolved.enable = true;
+
+    };
+  };
+
+  networking.nat = {
+    forwardPorts = [
+      {
+        destination = "10.0.2.18:443";
+        sourcePort = 9943;
+      }
+      {
+        destination = "10.0.2.18:80";
+        sourcePort = 9988;
+      }
+    ];
+  };
+}

hosts/nas/apps/paperless/default.nix

@@ -0,0 +1,106 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  paperlessPort = 28981;
+  paperlessUserId = config.users.users.nix-apps.uid;
+  paperlessGroupId = config.users.groups.jallen-nas.gid;
+  passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
+in
+{
+  containers.paperless = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "10.0.1.18";
+    localAddress = "10.0.1.20";
+    hostAddress6 = "fc00::1";
+    localAddress6 = "fc00::20";
+
+    config =
+      {
+        config,
+        pkgs,
+        lib,
+        ...
+      }:
+      {
+        # Enable paperless service
+        services.paperless = {
+          enable = true;
+          port = paperlessPort;
+          user = "paperless";
+          address = "0.0.0.0";
+          passwordFile = "/var/lib/paperless/paperless-password";
+          # settings = {
+          #   PAPERLESS_APPS="allauth.socialaccount.providers.openid_connect";
+          #   PAPERLESS_SOCIALACCOUNT_PROVIDERS = {
+          #     "openid_connect" = {
+          #       "OAUTH_PKCE_ENABLED":true,
+          #       "APPS":[
+          #         {"provider_id":"authentik","name":"Authentik","client_id":"<Client ID>","secret":<Client Secret>","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
+          # }
+        };
+
+        # Create required users and groups
+        users.groups = {
+          documents = {
+            gid = lib.mkForce paperlessGroupId;
+          };
+        };
+
+        users.users.paperless = {
+          isSystemUser = true;
+          uid = lib.mkForce paperlessUserId;
+          group = lib.mkForce "documents";
+        };
+
+        # Create and set permissions for required directories
+        system.activationScripts.paperless-dirs = ''
+          mkdir -p /var/lib/paperless
+
+          chown -R paperless:documents /var/lib/paperless
+
+          chmod -R 775 /var/lib/paperless
+
+        '';
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ paperlessPort ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        services.resolved.enable = true;
+        system.stateVersion = "23.11";
+      };
+
+    # Bind mount directories from host
+    bindMounts = {
+      "/var/lib/paperless" = {
+        hostPath = "/media/nas/ssd/nix-app-data/paperless";
+        isReadOnly = false;
+      };
+      # "/run/keys/paperless-password" = {
+      #   hostPath = passwordFile;
+      #   isReadOnly = true;
+      # };
+    };
+  };
+
+  networking.nat = {
+    forwardPorts = [
+      {
+        destination = "10.0.1.20:28981";
+        sourcePort = paperlessPort;
+      }
+    ];
+  };
+}

hosts/nas/services.nix

@@ -6,24 +6,6 @@ in
   # Services configs
   services = {
 
-    caddy = {
-      enable = false;
-      email = "jalle008@proton.me";
-      enableReload = true;
-      user = "nix-apps";
-      group = "jallen-nas";
-      dataDir = "/media/nas/ssd/nix-app-data/caddy";
-
-      virtualHosts = {
-        "authentik.mjallen.dev".extraConfig = ''
-          reverse_proxy http://10.0.1.18:9000
-        '';
-        "jellyfin.mjallen.dev".extraConfig = ''
-          reverse_proxy http://10.0.1.18:8096
-        '';
-      };
-    };
-
     minecraft-server = {
       enable = true;
       eula = true;