From 9532793d59f929073f8ed4cf61d1580f5b75fe02 Mon Sep 17 00:00:00 2001 From: Casey Link Date: Fri, 5 Apr 2024 09:38:19 +0200 Subject: [PATCH 1/2] nixos/paperless: refactor to use systemd LoadCredential This replaces the paperless-copy-password service with the use of systemd's LoadCredential mechanism. It is not a breaking change since it is gated behind `cfg.passwordFile`. --- nixos/modules/services/misc/paperless.nix | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 9301d1f68725..1a2b5f45b2f7 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -238,6 +238,7 @@ in User = cfg.user; ExecStart = "${pkg}/bin/celery --app paperless beat --loglevel INFO"; Restart = "on-failure"; + LoadCredential = lib.optionalString (cfg.passwordFile != null) "PAPERLESS_ADMIN_PASSWORD:${cfg.passwordFile}"; }; environment = env; @@ -270,7 +271,7 @@ in '' + optionalString (cfg.passwordFile != null) '' export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}" - export PAPERLESS_ADMIN_PASSWORD=$(cat "${cfg.dataDir}/superuser-password") + export PAPERLESS_ADMIN_PASSWORD=$(cat $CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD) superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD" superuserStateFile="${cfg.dataDir}/superuser-state" @@ -298,19 +299,6 @@ in environment = env; }; - # Reading the user-provided password file requires root access - systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) { - requiredBy = [ "paperless-scheduler.service" ]; - before = [ "paperless-scheduler.service" ]; - serviceConfig = { - ExecStart = '' - ${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \ - '${cfg.passwordFile}' '${cfg.dataDir}/superuser-password' - ''; - Type = "oneshot"; - }; - }; - systemd.services.paperless-consumer = { description = "Paperless document consumer"; # Bind to `paperless-scheduler` so that the consumer never runs From 789684ad02f78823a485b9ff3d49db0219520ba4 Mon Sep 17 00:00:00 2001 From: Casey Link Date: Wed, 10 Apr 2024 17:30:55 +0200 Subject: [PATCH 2/2] nixos/paperless: Switch to `systemd.tmpfiles.settings` This option resolves #301746 by allowing the admin to bypass the creation of the paperless directories by systemd-tmpfiles. This is necessary when, for example, those directories lie inside an NFS mount that the root user does not have rw access to. Fixes #301746 --- nixos/modules/services/misc/paperless.nix | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 1a2b5f45b2f7..9a81fdde62af 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -220,15 +220,16 @@ in config = mkIf cfg.enable { services.redis.servers.paperless.enable = mkIf enableRedis true; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - "d '${cfg.mediaDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - (if cfg.consumptionDirIsPublic then - "d '${cfg.consumptionDir}' 777 - - - -" - else - "d '${cfg.consumptionDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" - ) - ]; + systemd.tmpfiles.settings."10-paperless" = let + defaultRule = { + inherit (cfg) user; + inherit (config.users.users.${cfg.user}) group; + }; + in { + "${cfg.dataDir}".d = defaultRule; + "${cfg.mediaDir}".d = defaultRule; + "${cfg.consumptionDir}".d = if cfg.consumptionDirIsPublic then { mode = "777"; } else defaultRule; + }; systemd.services.paperless-scheduler = { description = "Paperless Celery Beat";