authorLeona Maroni <dev@leona.is>2024-04-11 22:50:30 +0200
committerGitHub <noreply@github.com>2024-04-11 22:50:30 +0200
commitfea06555b61486536f26f83e2d2f474b41e379a8 (patch)
treeecc4d0bdae012c76f328cbc8b9258a0862fe3088 /nixos
parent2351e89695863568884b1623e702cbe8c84b307d (diff)
parent789684ad02f78823a485b9ff3d49db0219520ba4 (diff)
Merge pull request #301771 from Ramblurr/fix/nixos-paperless
nixos/paperless: refactor to use systemd LoadCredential, Switch to systemd.tmpfiles.settings
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/misc/paperless.nix35
1 files changed, 12 insertions, 23 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 9301d1f68725..9a81fdde62af 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -220,15 +220,16 @@ in
config = mkIf cfg.enable {
services.redis.servers.paperless.enable = mkIf enableRedis true;
- systemd.tmpfiles.rules = [
- "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
- "d '${cfg.mediaDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
- (if cfg.consumptionDirIsPublic then
- "d '${cfg.consumptionDir}' 777 - - - -"
- else
- "d '${cfg.consumptionDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
- )
- ];
+ systemd.tmpfiles.settings."10-paperless" = let
+ defaultRule = {
+ inherit (cfg) user;
+ inherit (config.users.users.${cfg.user}) group;
+ };
+ in {
+ "${cfg.dataDir}".d = defaultRule;
+ "${cfg.mediaDir}".d = defaultRule;
+ "${cfg.consumptionDir}".d = if cfg.consumptionDirIsPublic then { mode = "777"; } else defaultRule;
+ };
systemd.services.paperless-scheduler = {
description = "Paperless Celery Beat";
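Review bot: The `{ mode = "777"; }` branch for `cfg.consumptionDir` carries no comment on what the public setting exposes, and unlike `defaultRule` it sets neither user nor group. A one-line comment above that entry would make the trade-off visible to the next maintainer, for example `# consumptionDirIsPublic: world-writable on purpose, so any local user can add, replace or delete files queued for consumption`. The enclosing `config = mkIf cfg.enable {` block continues outside this hunk.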
@@ -238,6 +239,7 @@ in
User = cfg.user;
ExecStart = "${pkg}/bin/celery --app paperless beat --loglevel INFO";
Restart = "on-failure";
+ LoadCredential = lib.optionalString (cfg.passwordFile != null) "PAPERLESS_ADMIN_PASSWORD:${cfg.passwordFile}";
};
environment = env;
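Review bot: `LoadCredential` is built with `lib.optionalString`, so a null `passwordFile` still emits an empty `LoadCredential=` assignment instead of omitting the setting. As far as I know, systemd treats an empty assignment as a reset of the credential list, so it could discard entries if another definition is ever merged into this unit as a list. `LoadCredential = lib.optional (cfg.passwordFile != null) "PAPERLESS_ADMIN_PASSWORD:${cfg.passwordFile}";` gives an empty list in the null case and should merge cleanly. The `serviceConfig` block starts outside this hunk.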
@@ -270,7 +272,7 @@ in
''
+ optionalString (cfg.passwordFile != null) ''
export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}"
- export PAPERLESS_ADMIN_PASSWORD=$(cat "${cfg.dataDir}/superuser-password")
+ export PAPERLESS_ADMIN_PASSWORD=$(cat $CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD)
superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"
superuserStateFile="${cfg.dataDir}/superuser-state"
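Review bot: Existing installations keep the old `${cfg.dataDir}/superuser-password` copy on disk after this change, because the script stops reading it and the service that wrote it is removed, but nothing deletes the file. Adding `rm -f "${cfg.dataDir}/superuser-password"` next to the new `export` line would clean it up on the next start. The new command substitution should also quote its path, `$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")`. The rest of the script is outside the hunk, but if `superuserState` is written to `superuserStateFile` as-is, the plaintext password still persists in `dataDir`, and storing a hash of it would avoid that.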
@@ -298,19 +300,6 @@ in
environment = env;
};
- # Reading the user-provided password file requires root access
- systemd.services.paperless-copy-password = mkIf (cfg.passwordFile != null) {
- requiredBy = [ "paperless-scheduler.service" ];
- before = [ "paperless-scheduler.service" ];
- serviceConfig = {
- ExecStart = ''
- ${pkgs.coreutils}/bin/install --mode 600 --owner '${cfg.user}' --compare \
- '${cfg.passwordFile}' '${cfg.dataDir}/superuser-password'
- '';
- Type = "oneshot";
- };
- };
-
systemd.services.paperless-consumer = {
description = "Paperless document consumer";
# Bind to `paperless-scheduler` so that the consumer never runs