diff options
author | Alyssa Ross <hi@alyssa.is> | 2023-10-20 22:09:03 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-10-20 22:09:03 +0000 |
commit | 50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e (patch) | |
tree | f2556b911180125ccbb7ed0e78a54e92da89adce /nixpkgs/nixos/modules/services/misc/paperless.nix | |
parent | 4c16d4548a98563c9d9ad76f4e5b2202864ccd54 (diff) | |
parent | cfc75eec4603c06503ae750f88cf397e00796ea8 (diff) | |
download | nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.tar nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.tar.gz nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.tar.bz2 nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.tar.lz nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.tar.xz nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.tar.zst nixlib-50c21d167f7114fa1dbd95e5c4fb30eeb1a2d02e.zip |
Merge commit 'cfc75eec4603c06503ae750f88cf397e00796ea8'
Conflicts: nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix
Diffstat (limited to 'nixpkgs/nixos/modules/services/misc/paperless.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/misc/paperless.nix | 28 |
1 files changed, 2 insertions, 26 deletions
diff --git a/nixpkgs/nixos/modules/services/misc/paperless.nix b/nixpkgs/nixos/modules/services/misc/paperless.nix index 74a3b49ac9a6..9b8bd62809c5 100644 --- a/nixpkgs/nixos/modules/services/misc/paperless.nix +++ b/nixpkgs/nixos/modules/services/misc/paperless.nix @@ -36,18 +36,7 @@ let # Secure the services defaultServiceConfig = { - TemporaryFileSystem = "/:ro"; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/hosts" - "-/etc/localtime" - "-/etc/ssl/certs" - "-/etc/static/ssl/certs" - "-/run/postgresql" - ] ++ (optional enableRedis redisServer.unixSocket); - BindPaths = [ + ReadWritePaths = [ cfg.consumptionDir cfg.dataDir cfg.mediaDir @@ -66,11 +55,9 @@ let PrivateUsers = true; ProtectClock = true; # Breaks if the home dir of the user is in /home - # Also does not add much value in combination with the TemporaryFileSystem. # ProtectHome = true; ProtectHostname = true; - # Would re-mount paths ignored by temporary root - #ProtectSystem = "strict"; + ProtectSystem = "strict"; ProtectControlGroups = true; ProtectKernelLogs = true; ProtectKernelModules = true; @@ -319,17 +306,6 @@ in Type = "oneshot"; # Enable internet access PrivateNetwork = false; - # Restrict write access - BindPaths = []; - BindReadOnlyPaths = [ - "/nix/store" - "-/etc/resolv.conf" - "-/etc/nsswitch.conf" - "-/etc/ssl/certs" - "-/etc/static/ssl/certs" - "-/etc/hosts" - "-/etc/localtime" - ]; ExecStart = let pythonWithNltk = pkg.python.withPackages (ps: [ ps.nltk ]); in '' ${pythonWithNltk}/bin/python -m nltk.downloader -d '${nltkDir}' punkt snowball_data stopwords ''; |