From 69810d9c16aa20fb92794875b573ee742f594ec3 Mon Sep 17 00:00:00 2001
From: Eric Torres <eric.torres@its-et.me>
Date: Sun, 2 Nov 2025 20:49:44 -0800
Subject: [PATCH] services: add module stirling-pdf

---
 services/services.nix     |  2 ++
 services/stirling-pdf.nix | 75 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 services/stirling-pdf.nix

diff --git a/services/services.nix b/services/services.nix
index 86ba6c7..f4a8ff6 100644
--- a/services/services.nix
+++ b/services/services.nix
@@ -20,6 +20,7 @@
     ./prometheus.nix
     ./radicale.nix
     ./searxng.nix
+    ./stirling-pdf.nix
     ./traefik.nix
     ./uptimekuma.nix
   ];
@@ -34,6 +35,7 @@
   prometheus.enable = lib.mkDefault false;
   radicale.enable = lib.mkDefault false;
   searxng.enable = lib.mkDefault false;
+  stirling-pdf.enable = lib.mkDefault false;
   traefik.enable = lib.mkDefault false;
   uptimekuma.enable = lib.mkDefault false;
 }
diff --git a/services/stirling-pdf.nix b/services/stirling-pdf.nix
new file mode 100644
index 0000000..10c95bc
--- /dev/null
+++ b/services/stirling-pdf.nix
@@ -0,0 +1,75 @@
+# Module: services/stirling-pdf
+# Enables a stirling-pdf server
+{
+  config,
+  lib,
+  pkgs,
+  pkgsUnstable,
+  inputs,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.stirling-pdf;
+  stirling-pdfPort = "5233";
+  stirling-pdfAddress = "127.0.0.1";
+in
+{
+  options.stirling-pdf = {
+    enable = mkEnableOption "Enables stirling-pdf module";
+
+    environmentFiles = mkOption {
+      type = types.path;
+      default = null;
+      description = "Path of environment files containing secrets for the stirling-pdf config";
+      example = "../secrets/stirling-pdf.env";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.stirling-pdf = {
+      enable = true;
+      package = pkgsUnstable.stirling-pdf;
+      environmentFiles = cfg.environmentFiles;
+
+      environment = {
+        SECURITY_ENABLELOGIN = true;
+        SECURITY_LOGINMETHOD = "oauth2";
+        SECURITY_OAUTH2_ENABLED = true;
+        SECURITY_OAUTH2_AUTOCREATEUSER = true;
+        SECURITY_OAUTH2_BLOCKREGISTRATION = false;
+        SECURITY_OAUTH2_SCOPES = "openid, profile, email";
+        SECURITY_OAUTH2_USEASUSERNAME = "preferred_username";
+        SECURITY_OAUTH2_PROVIDER = "Authentik";
+
+        # Required for auth
+        DISABLE_ADDITIONAL_FEATURES = false;
+
+        SYSTEM_ENABLEANALYTICS = false;
+
+        # Server config
+        SERVER_PORT = stirling-pdfPort;
+        SERVER_ADDRESS = stirling-pdfAddress;
+
+        # Logging config
+        LOGGING_LEVEL_ROOT = "info";
+      };
+    };
+
+    services.traefik.dynamicConfigOptions = {
+      http.routers.stirling-pdf = {
+        entrypoints = [ "web" ];
+        rule = "Host(`pdf.its-et.me`)";
+        tls = false;
+        service = "stirling-pdf";
+      };
+      http.services.stirling-pdf.loadbalancer.servers = [
+        {
+          url = "http://127.0.0.1:${toString stirling-pdfPort}";
+        }
+      ];
+    };
+  };
+}