authorMartin Weinelt <mweinelt@users.noreply.github.com>2023-11-01 12:33:23 +0100
committerGitHub <noreply@github.com>2023-11-01 12:33:23 +0100
commit05e8361387301551045b988e30c4c926e804b739 (patch)
treec7008186cc975c310963532ef7f96bf15cd21950 /nixos/modules/services/misc
parent4be2d0ba3e43534ad23217d66d3abd60613f08ce (diff)
parent63ef0339923bb33aba54301d83ad7f047ee9a2f8 (diff)
Merge pull request #261867 from matrss/set-paperless-secret-key
nixos/paperless: set PAPERLESS_SECRET_KEY
Diffstat (limited to 'nixos/modules/services/misc')
-rw-r--r--nixos/modules/services/misc/paperless.nix25
1 files changed, 20 insertions, 5 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 9b8bd62809c5..1e0a8d0f928e 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -332,12 +332,28 @@ in
       # during migrations
       bindsTo = [ "paperless-scheduler.service" ];
       after = [ "paperless-scheduler.service" ];
+      # Setup PAPERLESS_SECRET_KEY.
+      # If this environment variable is left unset, paperless-ngx defaults
+      # to a well-known value, which is insecure.
+      script = let
+        secretKeyFile = "${cfg.dataDir}/nixos-paperless-secret-key";
+      in ''
+        if [[ ! -f '${secretKeyFile}' ]]; then
+          (
+            umask 0377
+            tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'
+          )
+        fi
+        export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}')
+        if [[ ! $PAPERLESS_SECRET_KEY ]]; then
+          echo "PAPERLESS_SECRET_KEY is empty, refusing to start."
+          exit 1
+        fi
+        exec ${pkg.python.pkgs.gunicorn}/bin/gunicorn \
+          -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
+      '';
       serviceConfig = defaultServiceConfig // {
         User = cfg.user;
-        ExecStart = ''
-          ${pkg.python.pkgs.gunicorn}/bin/gunicorn \
-            -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
-        '';
         Restart = "on-failure";
 
         # gunicorn needs setuid, liblapack needs mbind
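Review bot: The `-f` test at the top of the new `script` only checks that the key file exists, so a file that is present but empty (for example left behind by an interrupted first start) is never regenerated, and the empty-key guard below it then refuses to start on every boot with no recovery path other than deleting the file by hand. Testing for a non-empty file instead, `if [[ ! -s '${secretKeyFile}' ]]; then`, lets the generation step repair that case while the later guard still catches a generation that produced nothing. The header comment could also say that the file under `cfg.dataDir` is persistent state that must not be casually regenerated, since a changed key presumably invalidates anything paperless-ngx signed with the old one, e.g. `# The key is persisted in dataDir; regenerating it invalidates existing signed data such as sessions.` The `tr`, `head` and `cat` calls resolve through the unit's PATH, which the second hunk stops forcing to `pkg.path`; a one-line comment noting that dependency would keep a future reader from re-adding the override. The enclosing service definition starts before this hunk.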
@@ -349,7 +365,6 @@ in
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
       };
       environment = env // {
-        PATH = mkForce pkg.path;
         PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/paperless-ngx/src";
       };
       # Allow the web interface to access the private /tmp directory of the server.