diff options
| author | Matthias Riße <matthias.risze@t-online.de> | 2023-10-18 18:01:34 +0200 |
|---|---|---|
| committer | Matthias Riße <matthias.risze@t-online.de> | 2023-10-27 21:11:01 +0200 |
| commit | 63ef0339923bb33aba54301d83ad7f047ee9a2f8 (patch) | |
| tree | 57127b7774dafb4fd0809afcdc1218d777cc22f5 /nixos/modules/services/misc/paperless.nix | |
| parent | 6d0c07733d98d0afdd03bc500abf860edd81200d (diff) | |
nixos/paperless: set PAPERLESS_SECRET_KEY
If the PAPERLESS_SECRET_KEY environment variable is left unset paperless-ngx defaults to a well-known value, which is insecure. Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
Diffstat (limited to 'nixos/modules/services/misc/paperless.nix')
| -rw-r--r-- | nixos/modules/services/misc/paperless.nix | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 9b8bd62809c5b..1e0a8d0f928e0 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -332,12 +332,28 @@ in # during migrations bindsTo = [ "paperless-scheduler.service" ]; after = [ "paperless-scheduler.service" ]; + # Setup PAPERLESS_SECRET_KEY. + # If this environment variable is left unset, paperless-ngx defaults + # to a well-known value, which is insecure. + script = let + secretKeyFile = "${cfg.dataDir}/nixos-paperless-secret-key"; + in '' + if [[ ! -f '${secretKeyFile}' ]]; then + ( + umask 0377 + tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}' + ) + fi + export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}') + if [[ ! $PAPERLESS_SECRET_KEY ]]; then + echo "PAPERLESS_SECRET_KEY is empty, refusing to start." + exit 1 + fi + exec ${pkg.python.pkgs.gunicorn}/bin/gunicorn \ + -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application + ''; serviceConfig = defaultServiceConfig // { User = cfg.user; - ExecStart = '' - ${pkg.python.pkgs.gunicorn}/bin/gunicorn \ - -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application - ''; Restart = "on-failure"; # gunicorn needs setuid, liblapack needs mbind @@ -349,7 +365,6 @@ in CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; environment = env // { - PATH = mkForce pkg.path; PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/paperless-ngx/src"; }; # Allow the web interface to access the private /tmp directory of the server. |