diff options
author | Atemu <atemu.main@gmail.com> | 2023-10-11 13:15:24 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-11 13:15:24 +0200 |
commit | 16fb0b365d81329ca4f9037653aa80de007679a1 (patch) | |
tree | a03aed9586304b43740b121f1c4611ba103dbc1d /nixos/modules | |
parent | 9c3161a1b5b7724abe2c922736a117e262624c2f (diff) | |
parent | 65209cbc21eec0036df655b3960093cb240fb689 (diff) | |
download | nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.tar nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.tar.gz nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.tar.bz2 nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.tar.lz nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.tar.xz nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.tar.zst nixlib-16fb0b365d81329ca4f9037653aa80de007679a1.zip |
Merge pull request #259056 from leona-ya/nixos-paperless-systemd-254
nixos/paperless: fix start with latest systemd
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/misc/paperless.nix | 28 |
1 files changed, 2 insertions, 26 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 74a3b49ac9a6..9b8bd62809c5 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -36,18 +36,7 @@ let # Secure the services defaultServiceConfig = { - TemporaryFileSystem = "/:ro"; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/hosts" - "-/etc/localtime" - "-/etc/ssl/certs" - "-/etc/static/ssl/certs" - "-/run/postgresql" - ] ++ (optional enableRedis redisServer.unixSocket); - BindPaths = [ + ReadWritePaths = [ cfg.consumptionDir cfg.dataDir cfg.mediaDir @@ -66,11 +55,9 @@ let PrivateUsers = true; ProtectClock = true; # Breaks if the home dir of the user is in /home - # Also does not add much value in combination with the TemporaryFileSystem. # ProtectHome = true; ProtectHostname = true; - # Would re-mount paths ignored by temporary root - #ProtectSystem = "strict"; + ProtectSystem = "strict"; ProtectControlGroups = true; ProtectKernelLogs = true; ProtectKernelModules = true; @@ -319,17 +306,6 @@ in Type = "oneshot"; # Enable internet access PrivateNetwork = false; - # Restrict write access - BindPaths = []; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/ssl/certs" - "-/etc/static/ssl/certs" - "-/etc/hosts" - "-/etc/localtime" - ]; ExecStart = let pythonWithNltk = pkg.python.withPackages (ps: [ ps.nltk ]); in '' ${pythonWithNltk}/bin/python -m nltk.downloader -d '${nltkDir}' punkt snowball_data stopwords ''; |