path: root/nixos/modules/services/misc/paperless-ng.nix
authorAntoine Martin <antoine@alarsyo.net>2021-12-22 20:24:43 +0100
committerAntoine Martin <antoine@alarsyo.net>2022-01-07 16:05:18 +0100
commit08a454873718b36c6e263ab78069ab50efb8fbcd (patch)
tree6dc459d63cc38368f004c56e1b849fff21ffadb3 /nixos/modules/services/misc/paperless-ng.nix
parenta2aaaee3d9a46e7d9799b5e3e92d64f3d292361f (diff)
nixos/paperless-ng: use own redis instance
Following the changes in #142635
Diffstat (limited to 'nixos/modules/services/misc/paperless-ng.nix')
-rw-r--r--nixos/modules/services/misc/paperless-ng.nix22
1 files changed, 17 insertions, 5 deletions
diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless-ng.nix
index db8082f072c..44efc234a2b 100644
--- a/nixos/modules/services/misc/paperless-ng.nix
+++ b/nixos/modules/services/misc/paperless-ng.nix
@@ -6,12 +6,18 @@ let
 
   defaultUser = "paperless";
 
+  hasCustomRedis = hasAttr "PAPERLESS_REDIS" cfg.extraConfig;
+
   env = {
     PAPERLESS_DATA_DIR = cfg.dataDir;
     PAPERLESS_MEDIA_ROOT = cfg.mediaDir;
     PAPERLESS_CONSUMPTION_DIR = cfg.consumptionDir;
     GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}";
-  } // lib.mapAttrs (_: toString) cfg.extraConfig;
+  } // (
+    lib.mapAttrs (_: toString) cfg.extraConfig
+  ) // (optionalAttrs (!hasCustomRedis) {
+    PAPERLESS_REDIS = "unix://${config.services.redis.servers.paperless-ng.unixSocket}";
+  });
 
   manage = let
     setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env);
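Review bot: `hasCustomRedis` is a load-bearing switch for both the connection URL and the sandbox plumbing elsewhere in this commit, but it carries no explanation, so a reader of `env` cannot tell why the default is only applied when the key is absent. A comment above it would make the contract visible: `# A user-supplied PAPERLESS_REDIS in extraConfig opts out of the module-managed redis instance; the socket bind, supplementary group and unit ordering below are only wired up for the managed one.` Note that `setupEnv` on the last context line interpolates every env value into a shell `export` inside double quotes, so a custom `PAPERLESS_REDIS` containing `"` or `$` would break the manage wrapper; that line predates this commit, but the new default value is safe.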
@@ -30,7 +36,7 @@ let
       "-/etc/hosts"
       "-/etc/localtime"
       "-/run/postgresql"
-    ];
+    ] ++ (optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.unixSocket);
     BindPaths = [
       cfg.consumptionDir
       cfg.dataDir
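Review bot: Binding the socket file itself into the sandbox pins that inode, so if redis is restarted and recreates its socket the paperless units presumably keep a bind mount to the old, dead socket and fail to connect until they are restarted too. Binding the socket's directory avoids that: `] ++ (optional (!hasCustomRedis) (dirOf config.services.redis.servers.paperless-ng.unixSocket));`. The list this extends starts outside the hunk.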
@@ -44,8 +50,7 @@ let
     NoNewPrivileges = true;
     PrivateDevices = true;
     PrivateMounts = true;
-    # Needs to connect to redis
-    # PrivateNetwork = true;
+    PrivateNetwork = true;
     PrivateTmp = true;
     PrivateUsers = true;
     ProcSubset = "pid";
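Review bot: `PrivateNetwork = true` is now unconditional in `defaultServiceConfig`, but the commit explicitly allows a custom `PAPERLESS_REDIS`, and a user who sets it to a `redis://host:port` URL will have every unit that inherits these defaults and does not override the flag unable to reach redis. Either tie it to the switch, `PrivateNetwork = !hasCustomRedis;`, with a comment `# a custom PAPERLESS_REDIS may be a TCP URL, so only isolate when we manage the unix socket`, or document in the `extraConfig` option that a custom redis must be a unix socket. The attribute set continues outside the hunk.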
@@ -65,6 +70,7 @@ let
     RestrictNamespaces = true;
     RestrictRealtime = true;
     RestrictSUIDSGID = true;
+    SupplementaryGroups = optional (!hasCustomRedis) config.services.redis.servers.paperless-ng.user;
     SystemCallArchitectures = "native";
     SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
     # Does not work well with the temporary root
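Review bot: The supplementary group is taken from the redis server's `user` attribute, which only works if the redis module creates a group of the same name and the socket is group-accessible; neither is visible here, so the line deserves a why-comment: `# Join the redis group so the unit can connect to the managed unix socket; relies on the redis module creating a group named like its user.` Without it a later reader will not know this is what grants socket access, or what to check if it breaks. The attribute set continues outside the hunk.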
@@ -190,7 +196,7 @@ in
 
   config = mkIf cfg.enable {
     # Enable redis if no special url is set
-    services.redis.enable = mkIf (!hasAttr "PAPERLESS_REDIS" env) true;
+    services.redis.servers.paperless-ng.enable = mkIf (!hasCustomRedis) true;
 
     systemd.tmpfiles.rules = [
       "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
@@ -234,6 +240,8 @@ in
           echo "$superuserState" > "$superuserStateFile"
         fi
       '';
+    } // optionalAttrs (!hasCustomRedis) {
+      after = [ "redis-paperless-ng.service" ];
     };
 
     # Password copying can't be implemented as a privileged preStart script
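Review bot: `after` only orders the unit behind `redis-paperless-ng.service`; it does not pull it in, so if redis is not started for some reason the paperless unit still starts and fails at the socket bind mount rather than reporting a missing dependency. Since the bind mount makes the socket a hard requirement, pair it with a dependency, e.g. `after = [ "redis-paperless-ng.service" ]; requires = [ "redis-paperless-ng.service" ];` (or `bindsTo` if the unit should follow redis restarts). The attribute set being extended starts outside the hunk.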
@@ -248,6 +256,8 @@ in
             '${cfg.passwordFile}' '${cfg.dataDir}/superuser-password'
         '';
         Type = "oneshot";
+        # Needs to talk to mail server for automated import rules
+        PrivateNetwork = false;
       };
     };
 
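Review bot: The `PrivateNetwork = false` override is attached to the serviceConfig of the oneshot that installs the superuser password file (the `ExecStart` and `Type = "oneshot"` lines above), which copies a file and needs no network, and this serviceConfig does not appear to inherit `defaultServiceConfig`, so the line is a no-op while its comment about mail import rules misleads. The unit that actually runs the automated mail import is presumably the long-running task/scheduler service, which does inherit the defaults and is now network-isolated by the `PrivateNetwork = true` added earlier in this commit. Move the two lines, `# Needs to talk to mail server for automated import rules` and `PrivateNetwork = false;`, into that service's serviceConfig and drop them here. The service definition starts outside the hunk.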
@@ -279,6 +289,8 @@ in
         CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
         # gunicorn needs setuid
         SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid" ];
+        # Needs to serve web page
+        PrivateNetwork = false;
       };
       environment = env // {
         PATH = mkForce cfg.package.path;