From e0b1e724311fade0c3cb2fa2654fe0eb2aa2eda7 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Thu, 18 Dec 2025 16:47:12 -0600 Subject: [PATCH] mkModule various + fixes --- .../nixos/services/code-server/default.nix | 6 +- modules/nixos/services/matrix/default.nix | 2 +- modules/nixos/services/ntfy/default.nix | 4 +- modules/nixos/services/opencloud/default.nix | 188 ++++++++---------- modules/nixos/services/orca/default.nix | 43 ++-- modules/nixos/services/orca/options.nix | 57 ------ modules/nixos/services/paperless/default.nix | 142 +++++-------- modules/nixos/services/paperless/options.nix | 7 - modules/nixos/services/traefik/default.nix | 2 +- systems/x86_64-linux/jallen-nas/apps.nix | 31 ++- 10 files changed, 185 insertions(+), 297 deletions(-) delete mode 100644 modules/nixos/services/orca/options.nix delete mode 100644 modules/nixos/services/paperless/options.nix diff --git a/modules/nixos/services/code-server/default.nix b/modules/nixos/services/code-server/default.nix index f82702b..0381b97 100644 --- a/modules/nixos/services/code-server/default.nix +++ b/modules/nixos/services/code-server/default.nix @@ -18,13 +18,17 @@ let services.code-server = { enable = true; port = cfg.port; - user = "nix-apps"; + user = "admin"; group = "jallen-nas"; host = cfg.listenAddress; auth = "none"; # "password" disableTelemetry = true; disableUpdateCheck = true; extraEnvironment = cfg.extraEnvironment; + extraGroups = [ + "admin" + "wheel" + ]; } // optionalAttrs (cfg.hashedPassword != null) { hashedPassword = cfg.hashedPassword; diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index 7b8d77f..8fb8bad 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix 
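Review bot: The new `user = "admin"` together with `extraGroups = [ "admin" "wheel" ]` makes the code-server process a member of wheel, which NixOS grants sudo rights by default, while the unchanged `auth = "none"` line in the same attrset means any client that can reach `cfg.listenAddress:cfg.port` obtains a terminal under that identity. If the exposure is accepted because the service only listens on a local address or sits behind an authenticating proxy, that assumption belongs next to the line, e.g. `# wheel membership: access is gated by listenAddress / the proxy, not by code-server auth`; otherwise dropping "wheel" from extraGroups, or setting `cfg.hashedPassword`, bounds what an unauthenticated client gets. The `services.code-server` attrset is part of a `let` binding whose start and end lie outside the hunk.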
@@ -87,7 +87,7 @@ let # Media settings max_upload_size = "50M"; - media_store_path = "${cfg.dataDir}/media"; + media_store_path = "${cfg.configDir}/matrix-synapse/media"; # Logging # log_config = "/var/lib/matrix-synapse/log_config.yaml"; diff --git a/modules/nixos/services/ntfy/default.nix b/modules/nixos/services/ntfy/default.nix index c49cb36..872ab5b 100644 --- a/modules/nixos/services/ntfy/default.nix +++ b/modules/nixos/services/ntfy/default.nix @@ -22,11 +22,11 @@ let base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev"; enable-login = true; listen-http = ":${toString cfg.port}"; - cache-file = "${cfg.dataDir}/ntfy/cache.db"; + cache-file = "${cfg.configDir}/ntfy/cache.db"; attachment-cache-dir = "${cfg.dataDir}/ntfy/attachments"; behind-proxy = true; auth-default-access = "deny-all"; - auth-file = "${cfg.dataDir}/ntfy/user.db"; + auth-file = "${cfg.configDir}/ntfy/user.db"; auth-users = [ "mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin" ]; diff --git a/modules/nixos/services/opencloud/default.nix b/modules/nixos/services/opencloud/default.nix index f032f82..2e513b2 100644 --- a/modules/nixos/services/opencloud/default.nix +++ b/modules/nixos/services/opencloud/default.nix 
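Review bot: `media_store_path` now points at `${cfg.configDir}/matrix-synapse/media`, so media already stored under `${cfg.dataDir}/media` stops being served until it is moved, and the hunk adds nothing that migrates or records this. Media is the largest and fastest-growing part of a Synapse deployment (bounded here only by `max_upload_size = "50M"` per upload), so if configDir is a smaller or differently backed-up volume than dataDir (I cannot see the option defaults) the move changes its growth and backup profile; a comment such as `# media store moved from dataDir/media; existing uploads must be relocated by hand` on this line would capture the intent. The enclosing `let` binding continues outside the hunk.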
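Review bot: Only `cache-file` and `auth-file` move to `${cfg.configDir}/ntfy` while `attachment-cache-dir` stays under `${cfg.dataDir}/ntfy`, so the message cache and the attachments it references now live in two trees that have to be backed up and restored together. `user.db` carries the accounts and access-control state that `auth-default-access = "deny-all"` relies on, so the new location must stay readable only by the ntfy service account, and an existing `user.db` under dataDir is silently abandoned by this change (a fresh file recreated from `auth-users` may mask that its other entries are gone). The enclosing `let` binding continues outside the hunk.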
@@ -6,127 +6,97 @@ }: with lib; let - inherit (lib.${namespace}) mkOpt mkReverseProxyOpt; - cfg = config.${namespace}.services.opencloud; + name = "opencloud"; + cfg = config.${namespace}.services.${name}; - opencloudConfig = { - sops.templates = { - "opencloud.env" = { - content = '' - OC_JWT_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"} - OC_TRANSFER_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"} - OC_MACHINE_AUTH_API_KEY=${config.sops.placeholder."jallen-nas/onlyoffice-key"} - ''; + opencloudConfig = lib.${namespace}.mkModule { + inherit config name; + description = "opencloud"; + options = { }; + moduleConfig = { + sops.templates = { + "opencloud.env" = { + content = '' + OC_JWT_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"} + OC_TRANSFER_SECRET=${config.sops.placeholder."jallen-nas/onlyoffice-key"} + OC_MACHINE_AUTH_API_KEY=${config.sops.placeholder."jallen-nas/onlyoffice-key"} + ''; + }; }; - }; - virtualisation.oci-containers.containers.opencloud = { - autoStart = true; - image = "opencloudeu/opencloud-rolling"; - ports = [ - "${toString cfg.port}:9200" - ]; - volumes = [ - "${cfg.dataPath}:/var/lib/opencloud" - "${cfg.configPath}:/etc/opencloud" - ]; - environmentFiles = [ config.sops.templates."opencloud.env".path ]; - environment = { - OC_ADD_RUN_SERVICES = "collaboration,app-provider"; - OC_REVA_GATEWAY = "eu.opencloud.api.gateway"; - APP_PROVIDER_WOPI_APP_NAME = "Collabora"; - APP_PROVIDER_ENABLE = "true"; - APP_PROVIDER_SERVICE_NAME = "app-provider-collabora"; - COLLABORATION_APP_NAME = "Collabora"; - COLLABORATION_APP_PRODUCT = "Collabora"; - COLLABORATION_WOPI_DISCOVERY_URL = "https://office.mjallen.dev/hosting/discovery"; - COLLABORATION_WOPI_SRC = "https://office.mjallen.dev"; - OC_COLLABORATION_WOPI_URL = "https://office.mjallen.dev"; - COLLABORATION_APP_ADDR = "https://office.mjallen.dev"; - COLLABORATION_APP_INSECURE = "false"; - COLLABORATION_APP_PROOF_DISABLE = "true"; - 
COLLABORATION_WOPI_SHORTTOKENS = "false"; - # COLLABORATION_GRPC_ADDR = "0.0.0.0:9301"; - # COLLABORATION_HTTP_ADDR = "0.0.0.0:9200"; - MICRO_REGISTRY = "nats-js-kv"; - MICRO_REGISTRY_ADDRESS = "127.0.0.1:9233"; - OC_SYSTEM_USER_ID = cfg.puid; + virtualisation.oci-containers.containers.opencloud = { + autoStart = true; + image = "opencloudeu/opencloud-rolling"; + ports = [ + "${toString cfg.port}:9200" + ]; + volumes = [ + "${cfg.dataDir}/opencloud:/var/lib/opencloud" + "${cfg.configDir}/opencloud:/etc/opencloud" + ]; + environmentFiles = [ config.sops.templates."opencloud.env".path ]; + environment = { + OC_ADD_RUN_SERVICES = "collaboration,app-provider"; + OC_REVA_GATEWAY = "eu.opencloud.api.gateway"; + APP_PROVIDER_WOPI_APP_NAME = "Collabora"; + APP_PROVIDER_ENABLE = "true"; + APP_PROVIDER_SERVICE_NAME = "app-provider-collabora"; + COLLABORATION_APP_NAME = "Collabora"; + COLLABORATION_APP_PRODUCT = "Collabora"; + COLLABORATION_WOPI_DISCOVERY_URL = "https://office.mjallen.dev/hosting/discovery"; + COLLABORATION_WOPI_SRC = "https://office.mjallen.dev"; + OC_COLLABORATION_WOPI_URL = "https://office.mjallen.dev"; + COLLABORATION_APP_ADDR = "https://office.mjallen.dev"; + COLLABORATION_APP_INSECURE = "false"; + COLLABORATION_APP_PROOF_DISABLE = "true"; + COLLABORATION_WOPI_SHORTTOKENS = "false"; + # COLLABORATION_GRPC_ADDR = "${cfg.listenAddress}:9301"; + # COLLABORATION_HTTP_ADDR = "${cfg.listenAddress}:9200"; + MICRO_REGISTRY = "nats-js-kv"; + MICRO_REGISTRY_ADDRESS = "127.0.0.1:9233"; + OC_SYSTEM_USER_ID = cfg.puid; - OC_LOG_LEVEL = "info"; - - APP_PROVIDER_PROVIDERS = "collabora"; + OC_LOG_LEVEL = "info"; + + APP_PROVIDER_PROVIDERS = "collabora"; - APP_PROVIDER_COLLABORA_NAME = "Collabora"; - APP_PROVIDER_COLLABORA_PRODUCT = "Collabora Online"; + APP_PROVIDER_COLLABORA_NAME = "Collabora"; + APP_PROVIDER_COLLABORA_PRODUCT = "Collabora Online"; - APP_PROVIDER_COLLABORA_ADDR = "https://office.mjallen.dev"; - APP_PROVIDER_COLLABORA_ICON = 
"https://office.mjallen.dev/favicon.ico"; + APP_PROVIDER_COLLABORA_ADDR = "https://office.mjallen.dev"; + APP_PROVIDER_COLLABORA_ICON = "https://office.mjallen.dev/favicon.ico"; - APP_PROVIDER_COLLABORA_MIME_TYPES = '' - application/vnd.openxmlformats-officedocument.wordprocessingml.document - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet - application/vnd.openxmlformats-officedocument.presentationml.presentation - application/msword - application/vnd.ms-excel - application/vnd.ms-powerpoint - text/plain - ''; + APP_PROVIDER_COLLABORA_MIME_TYPES = '' + application/vnd.openxmlformats-officedocument.wordprocessingml.document + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + application/vnd.openxmlformats-officedocument.presentationml.presentation + application/msword + application/vnd.ms-excel + application/vnd.ms-powerpoint + text/plain + ''; - NATS_NATS_HOST = "0.0.0.0"; - GATEWAY_GRPC_ADDR = "0.0.0.0:9142"; + NATS_NATS_HOST = cfg.listenAddress; + GATEWAY_GRPC_ADDR = "${cfg.listenAddress}:9142"; - OC_DB_TYPE = "postgres"; - OC_DB_HOST = "10.0.1.3"; - OC_DB_PORT = "5432"; - OC_DB_USER = "opencloud"; - OC_DB_NAME = "opencloud"; + OC_DB_TYPE = "postgres"; + OC_DB_HOST = "10.0.1.3"; + OC_DB_PORT = "5432"; + OC_DB_USER = "opencloud"; + OC_DB_NAME = "opencloud"; - OC_INSECURE = "true"; - PROXY_TLS = "false"; - PROXY_HTTP_ADDR = "0.0.0.0:9200"; - OC_URL = "https://cloud.mjallen.dev"; - OC_PUBLIC_URL = "https://cloud.mjallen.dev"; - PUID = cfg.puid; - PGID = cfg.pgid; - TZ = cfg.timeZone; + OC_INSECURE = "true"; + PROXY_TLS = "false"; + PROXY_HTTP_ADDR = "${cfg.listenAddress}:9200"; + OC_URL = "https://cloud.mjallen.dev"; + OC_PUBLIC_URL = "https://cloud.mjallen.dev"; + PUID = cfg.puid; + PGID = cfg.pgid; + TZ = cfg.timeZone; + }; }; }; }; - - # Create reverse proxy configuration using mkReverseProxy - reverseProxyConfig = lib.${namespace}.mkReverseProxy { - name = "cloud"; - subdomain = cfg.reverseProxy.subdomain; - url = 
"http://${cfg.localAddress}:${toString cfg.port}"; - middlewares = cfg.reverseProxy.middlewares; - }; - - fullConfig = { - "${namespace}".services.traefik = lib.mkIf cfg.reverseProxy.enable { - reverseProxies = [ reverseProxyConfig ]; - }; - } - // opencloudConfig; in { - options.${namespace}.services.opencloud = { - enable = mkEnableOption "opencloud service"; - - port = mkOpt types.int 9200 "Port for opencloud to be hosted on"; - - localAddress = mkOpt types.str "127.0.0.1" "local address of the service"; - - dataPath = mkOpt types.str "/media/nas/main/opencloud" "Path to the data dir"; - - configPath = mkOpt types.str "/media/nas/main/nix-app-data/opencloud" "Path to the data dir"; - - puid = mkOpt types.str "911" "puid"; - - pgid = mkOpt types.str "1000" "pgid"; - - timeZone = mkOpt types.str "America/Chicago" "container tz"; - - reverseProxy = mkReverseProxyOpt; - }; - - config = mkIf cfg.enable fullConfig; + imports = [ opencloudConfig ]; } diff --git a/modules/nixos/services/orca/default.nix b/modules/nixos/services/orca/default.nix index d24c953..dadb98e 100644 --- a/modules/nixos/services/orca/default.nix +++ b/modules/nixos/services/orca/default.nix 
@@ -6,25 +6,34 @@ }: with lib; let - cfg = config.${namespace}.services.orca-slicer; -in -{ - imports = [ ./options.nix ]; + inherit (lib.${namespace}) mkOpt; + name = "orca-slicer"; + cfg = config.${namespace}.services.${name}; - config = mkIf cfg.enable { - virtualisation.oci-containers.containers."${cfg.name}" = { - autoStart = cfg.autoStart; - image = cfg.image; - ports = [ - "${cfg.httpPort}:3000" - "${cfg.httpsPort}:3001" - ]; - volumes = [ "${cfg.configPath}:/config" ]; - environment = { - PUID = cfg.puid; - PGID = cfg.pgid; - TZ = cfg.timeZone; + orcaConfig = lib.${namespace}.mkModule { + inherit config name; + description = "orca slicer web ui"; + options = { + httpsPort = mkOpt types.int 443 "HTTPS port"; + }; + moduleConfig = { + virtualisation.oci-containers.containers."${name}" = { + autoStart = true; + image = "linuxserver/orcaslicer"; + ports = [ + "${toString cfg.port}:3000" + "${toString cfg.httpsPort}:3001" + ]; + volumes = [ "${cfg.configDir}/orca-slicer:/config" ]; + environment = { + PUID = cfg.puid; + PGID = cfg.pgid; + TZ = cfg.timeZone; + }; }; }; }; +in +{ + imports = [ orcaConfig ]; } diff --git a/modules/nixos/services/orca/options.nix b/modules/nixos/services/orca/options.nix deleted file mode 100644 index 033e97c..0000000 --- a/modules/nixos/services/orca/options.nix +++ /dev/null 
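Review bot: `httpsPort = mkOpt types.int 443 "HTTPS port"` changes the default from the deleted options.nix's `"3001"` to 443, and because it is used as the host side of `"${toString cfg.httpsPort}:3001"`, a host that does not override it (apps.nix does, with 3101) would try to publish the container on host port 443, which a reverse proxy normally owns. `httpsPort = mkOpt types.int 3001 "Host port published to the container's HTTPS listener (3001)";` keeps the previous behaviour and documents which side of the mapping the option names. The `port` option used for the HTTP mapping is not declared here, so it presumably comes from mkModule; a comment naming that would help the next reader of this file. `orcaConfig` is complete within the hunk.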
@@ -1,57 +0,0 @@ -{ lib, namespace, ... }: -with lib; -{ - options.${namespace}.services.orca-slicer = { - enable = mkEnableOption "orca slicer docker service"; - - autoStart = mkOption { - type = types.bool; - default = true; - }; - - httpPort = mkOption { - type = types.str; - default = "3000"; - }; - - httpsPort = mkOption { - type = types.str; - default = "3001"; - }; - - name = mkOption { - type = types.str; - default = "orca-slicer"; - }; - - image = mkOption { - type = types.str; - default = "linuxserver/orcaslicer"; - }; - - configPath = mkOption { - type = types.str; - default = "/media/nas/main/ssd_app_data/orca-slicer"; - }; - - dataPath = mkOption { - type = types.str; - default = "/media/nas/main/3d_printer"; - }; - - puid = mkOption { - type = types.str; - default = "911"; - }; - - pgid = mkOption { - type = types.str; - default = "1000"; - }; - - timeZone = mkOption { - type = types.str; - default = "America/Chicago"; - }; - }; -} diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index a718523..cfaf98a 100755 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix 
@@ -1,110 +1,62 @@ { config, lib, + pkgs, namespace, ... }: with lib; let - cfg = config.${namespace}.services.paperless; + name = "paperless"; + cfg = config.${namespace}.services.${name}; - paperlessPort = 28981; - paperlessUserId = config.users.users.nix-apps.uid; - paperlessGroupId = config.users.groups.jallen-nas.gid; - paperlessPkg = pkgs.paperless-ngx; -in -{ - imports = [ ./options.nix ]; + paperlessConfig = lib.${namespace}.mkModule { + inherit config name; + description = "paperless"; + options = { }; + moduleConfig = { + # Enable paperless service + services.paperless = { + enable = true; + package = pkgs.paperless-ngx; + port = cfg.port; + # user = "nix-apps"; + address = cfg.listenAddress; + dataDir = "${cfg.configDir}/paperless"; + passwordFile = "${cfg.configDir}/paperless/paperless-password"; + # environmentFile = paperlessEnv; + domain = "paperless.mjallen.dev"; + database.createLocally = true; + }; + }; + }; - config = mkIf cfg.enable { - containers.paperless = { - autoStart = true; - privateNetwork = true; - hostAddress = "10.0.1.3"; - localAddress = "10.0.1.20"; - hostAddress6 = "fc00::1"; - localAddress6 = "fc00::20"; - - config = - { - lib, - ... 
- }: - { - # Enable paperless service - services.paperless = { - enable = false; - package = paperlessPkg; - port = paperlessPort; - user = "paperless"; - address = "0.0.0.0"; - # passwordFile = "/var/lib/paperless/paperless-password"; - environmentFile = paperlessEnv; - }; - - # Create required users and groups - users.groups = { - documents = { - gid = lib.mkForce paperlessGroupId; - }; - }; - - users.users.paperless = { - isSystemUser = true; - uid = lib.mkForce paperlessUserId; - group = lib.mkForce "documents"; - }; - - # Create and set permissions for required directories - system.activationScripts.paperless-dirs = '' - mkdir -p /var/lib/paperless - - chown -R paperless:documents /var/lib/paperless - - chmod -R 775 /var/lib/paperless - - ''; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ paperlessPort ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - services.resolved.enable = true; - system.stateVersion = "23.11"; - }; - - # Bind mount directories from host - bindMounts = { - "/var/lib/paperless" = { - hostPath = "/media/nas/main/nix-app-data/paperless"; - isReadOnly = false; - }; - secrets = { - hostPath = "/run/secrets/jallen-nas/paperless"; - isReadOnly = true; - mountPoint = "/run/secrets/jallen-nas/paperless"; - }; - secret-env = { - hostPath = "/run/secrets/rendered/paperless.env"; - isReadOnly = true; - mountPoint = "/run/secrets/rendered/paperless.env"; + aiCfg = config.${namespace}.services."paperless-ai"; + paperlessAiConfig = lib.${namespace}.mkModule { + inherit config; + name = "paperless-ai"; + description = "paperless-ai"; + options = { }; + moduleConfig = { + virtualisation.oci-containers.containers."paperless-ai" = { + autoStart = true; + image = "clusterzx/paperless-ai"; + ports = [ + "${toString aiCfg.port}:3000" + ]; + volumes = [ "${aiCfg.configDir}/paperless-ai:/app/data" ]; + environment 
= { + PUID = aiCfg.puid; + PGID = aiCfg.pgid; + TZ = aiCfg.timeZone; }; }; }; - - networking.nat = { - forwardPorts = [ - { - destination = "10.0.1.20:28981"; - sourcePort = paperlessPort; - } - ]; - }; }; +in +{ + imports = [ + paperlessConfig + paperlessAiConfig + ]; } diff --git a/modules/nixos/services/paperless/options.nix b/modules/nixos/services/paperless/options.nix deleted file mode 100644 index 56f29a0..0000000 --- a/modules/nixos/services/paperless/options.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ lib, namespace, ... }: -with lib; -{ - options.${namespace}.services.paperless = { - enable = mkEnableOption "enable paperless"; - }; -} diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix index f1bc8bf..19e1934 100755 --- a/modules/nixos/services/traefik/default.nix +++ b/modules/nixos/services/traefik/default.nix @@ -72,7 +72,7 @@ let # onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}"; onlyofficeUrl = "http://10.0.1.3:9980"; openWebUIUrl = "http://${serverIp}:8888"; - paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}"; + paperlessUrl = "http://${serverIp}:${toString config.services.paperless.port}"; # Plugins traefikPlugins = { diff --git a/systems/x86_64-linux/jallen-nas/apps.nix b/systems/x86_64-linux/jallen-nas/apps.nix index 04f6b55..ee4cf88 100755 --- a/systems/x86_64-linux/jallen-nas/apps.nix +++ b/systems/x86_64-linux/jallen-nas/apps.nix @@ -56,7 +56,10 @@ in PROXY_DOMAIN = "code.mjallen.dev"; }; }; - collabora = enabled; + collabora = { + enable = true; + port = 9980; + }; crowdsec = { enable = true; port = 8181; @@ -92,7 +95,10 @@ in enable = true; port = 2283; }; - jellyfin = enabled; + jellyfin = { + enable = true; + port = 8096; + }; jellyseerr = { enable = true; port = 5055; 
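Review bot: `passwordFile = "${cfg.configDir}/paperless/paperless-password"` puts the admin credential in a plain file inside the service's own `dataDir` (`${cfg.configDir}/paperless`), whereas the removed container config took its secrets from the sops-rendered `paperless.env`, which this hunk only leaves behind as the commented `# environmentFile = paperlessEnv;`. Unless something outside this module provisions and permission-restricts that file, the secret is now hand-managed; pointing `passwordFile` at a sops-managed path (e.g. `config.sops.secrets.<name>.path`) keeps it under the mechanism the opencloud module uses. `domain = "paperless.mjallen.dev"` is hard-coded while the ntfy module derives its URL from `cfg.reverseProxy.subdomain`, and `database.createLocally = true` now creates a host PostgreSQL database where the old container had none, which is worth a comment. The `paperless-ai` container's `/app/data` volume presumably ends up holding the Paperless and LLM API tokens configured through its UI, so that directory under configDir should be treated as secret-bearing rather than as ordinary app data.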
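Review bot: `paperlessUrl` now targets `${serverIp}` while the paperless module in this same commit binds the service with `address = cfg.listenAddress`; if that option defaults to a loopback address (the removed opencloud `localAddress` default was 127.0.0.1) traefik will dial the LAN address and be refused. Reading the host from the option the service actually binds to, `paperlessUrl = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";`, keeps the two in step the same way the port already is. The `let` binding containing these URLs starts and ends outside the hunk.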
@@ -114,7 +120,8 @@ in minecraft = disabled; mongodb = disabled; netbootxyz = { - enable = true; + enable = false; + port = 3000; }; nextcloud = { enable = true; @@ -126,7 +133,10 @@ in reverseProxy.enable = true; }; ocis = disabled; - onlyoffice = disabled; + onlyoffice = { + enable = false; + port = 9200; + }; opencloud = { enable = true; port = 9200; @@ -134,10 +144,17 @@ in }; orca-slicer = { enable = true; - httpPort = "3100"; - httpsPort = "3101"; + port = 3100; + httpsPort = 3101; + }; + paperless = { + enable = true; + port = 28981; + }; + paperless-ai = { + enable = true; + port = 28982; }; - paperless = enabled; protonmail-bridge = { enable = true; smtpPort = 1025;
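Review bot: `onlyoffice = { enable = false; port = 9200; }` assigns the same port that the `opencloud` block directly below it already publishes, so the collision is only masked by `enable = false` and re-enabling onlyoffice later would leave two services claiming 9200. Choosing a distinct number now, or marking it with `# 9200 is taken by opencloud; change before enabling`, avoids the latent conflict. `paperless-ai` is enabled with only a port, so its credentials are presumably entered through its UI on first start; that first-run window is reachable by whoever can hit port 28982 on the host, which should be kept in mind given the container publishes without a host address.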