author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-11-01 12:01:10 +0000 |
committer | GitHub <noreply@github.com> | 2023-11-01 12:01:10 +0000 |
commit | 4a533d29ce8fa4759d9aa43e9cd0a128f0e94767 (patch) | |
tree | fc99f88643464ac109c3fbe15fdc529f76da8a16 /nixos | |
parent | 39efd75b563a62d554b229624c78a646d014923a (diff) | |
parent | 05e8361387301551045b988e30c4c926e804b739 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/paperless.nix | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 9b8bd62809c5b..1e0a8d0f928e0 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -332,12 +332,28 @@ in
 # during migrations
 bindsTo = [ "paperless-scheduler.service" ];
 after = [ "paperless-scheduler.service" ];
+ # Setup PAPERLESS_SECRET_KEY.
+ # If this environment variable is left unset, paperless-ngx defaults
+ # to a well-known value, which is insecure.
+ script = let
+ secretKeyFile = "${cfg.dataDir}/nixos-paperless-secret-key";
+ in ''
+ if [[ ! -f '${secretKeyFile}' ]]; then
+ (
+ umask 0377
+ tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'
+ )
+ fi
+ export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}')
+ if [[ ! $PAPERLESS_SECRET_KEY ]]; then
+ echo "PAPERLESS_SECRET_KEY is empty, refusing to start."
+ exit 1
+ fi
+ exec ${pkg.python.pkgs.gunicorn}/bin/gunicorn \
+ -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
+ '';
 serviceConfig = defaultServiceConfig // {
 User = cfg.user;
- ExecStart = ''
- ${pkg.python.pkgs.gunicorn}/bin/gunicorn \
- -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
- '';
 Restart = "on-failure";
 # gunicorn needs setuid, liblapack needs mbind
@@ -349,7 +365,6 @@ in
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
 };
 environment = env // {
- PATH = mkForce pkg.path;
 PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/paperless-ngx/src";
 };
 # Allow the web interface to access the private /tmp directory of the server. |
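Review bot: The `export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}')` line in the new `script` unconditionally overrides any value an operator already supplies through `environment` or an `EnvironmentFile`, so an externally managed or pre-existing key cannot be used; wrapping both the generation and the export in `if [[ -z "''${PAPERLESS_SECRET_KEY:-}" ]]; then … fi` (the `''${` escape keeps Nix from interpolating it) would keep the fallback while respecting a supplied key. The hand-quoted `'${secretKeyFile}'` also breaks if `cfg.dataDir` ever contains a single quote; `${lib.escapeShellArg secretKeyFile}` is the idiom used elsewhere in nixpkgs and makes the quoting independent of the path. It would be worth a comment next to `secretKeyFile` noting that the key is stored inside `dataDir` alongside the documents, so it is presumably captured by any backup of that directory, and that the other paperless units are not touched by this change, so if they rely on Django's SECRET_KEY they presumably still run with the upstream default. The enclosing `systemd.services` attribute set begins before the first hunk and continues past the second.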