Merge pull request #259056 from leona-ya/nixos-paperless-systemd-254

nixos/paperless: fix start with latest systemd

authored by Atemu and committed by GitHub 16fb0b36 9c3161a1

+60 -61
+2 -26
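--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -36,18 +36,7 @@
 
 # Secure the services
 defaultServiceConfig = {
-TemporaryFileSystem = "/:ro";
-BindReadOnlyPaths = [
-"/nix/store"
-"-/etc/resolv.conf"
-"-/etc/nsswitch.conf"
-"-/etc/hosts"
-"-/etc/localtime"
-"-/etc/ssl/certs"
-"-/etc/static/ssl/certs"
-"-/run/postgresql"
-] ++ (optional enableRedis redisServer.unixSocket);
-BindPaths = [
+ReadWritePaths = [
 cfg.consumptionDir
 cfg.dataDir
 cfg.mediaDir
@@ -66,11 +55,9 @@
 PrivateUsers = true;
 ProtectClock = true;
 # Breaks if the home dir of the user is in /home
-# Also does not add much value in combination with the TemporaryFileSystem.
 # ProtectHome = true;
 ProtectHostname = true;
-# Would re-mount paths ignored by temporary root
-#ProtectSystem = "strict";
+ProtectSystem = "strict";
 ProtectControlGroups = true;
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
@@ -319,17 +306,6 @@
 Type = "oneshot";
 # Enable internet access
 PrivateNetwork = false;
-# Restrict write access
-BindPaths = [];
-BindReadOnlyPaths = [
-"/nix/store"
-"-/etc/resolv.conf"
-"-/etc/nsswitch.conf"
-"-/etc/ssl/certs"
-"-/etc/static/ssl/certs"
-"-/etc/hosts"
-"-/etc/localtime"
-];
 ExecStart = let pythonWithNltk = pkg.python.withPackages (ps: [ ps.nltk ]); in ''
 ${pythonWithNltk}/bin/python -m nltk.downloader -d '${nltkDir}' punkt snowball_data stopwords
 '';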
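Review bot: With `TemporaryFileSystem = "/:ro"` and the `BindReadOnlyPaths` allowlist gone, `ProtectSystem = "strict"` in `defaultServiceConfig` makes the host file system read-only but no longer hides it, so the paperless units can read whatever their user is permitted to read instead of only `/nix/store` and a few `/etc` entries. That matters for services that parse uploaded documents, and the `# Secure the services` comment should record the trade-off, e.g. `# The file system stays visible but read-only; only ReadWritePaths are writable.` In the third hunk the download unit loses its `BindPaths = [];` override, so if it merges `defaultServiceConfig` (not visible here) the one unit with `PrivateNetwork = false` now gets write access to the consumption, data and media directories. An override such as `ReadWritePaths = [ ];` there would restore the old restriction, provided `nltkDir` is made writable some other way. All three hunks are excerpts of attribute sets that begin and end outside the view.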
+58 -35
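--- a/nixos/tests/paperless.nix
+++ b/nixos/tests/paperless.nix
@@ -2,65 +2,88 @@
 name = "paperless";
 meta.maintainers = with lib.maintainers; [ erikarvstedt Flakebi ];
 
-nodes.machine = { pkgs, ... }: {
-environment.systemPackages = with pkgs; [ imagemagick jq ];
-services.paperless = {
-enable = true;
-passwordFile = builtins.toFile "password" "admin";
+nodes = let self = {
+simple = { pkgs, ... }: {
+environment.systemPackages = with pkgs; [ imagemagick jq ];
+services.paperless = {
+enable = true;
+passwordFile = builtins.toFile "password" "admin";
+};
+};
+postgres = { config, pkgs, ... }: {
+imports = [ self.simple ];
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "paperless" ];
+ensureUsers = [
+{ name = config.services.paperless.user;
+ensurePermissions = { "DATABASE \"paperless\"" = "ALL PRIVILEGES"; };
+}
+];
+};
+services.paperless.extraConfig = {
+PAPERLESS_DBHOST = "/run/postgresql";
+};
 };
-};
+}; in self;
 
 testScript = ''
 import json
 
-machine.wait_for_unit("paperless-consumer.service")
+def test_paperless(node):
+node.wait_for_unit("paperless-consumer.service")
 
-with subtest("Add a document via the file system"):
-machine.succeed(
-"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
-"-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
+with subtest("Add a document via the file system"):
+node.succeed(
+"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
+"-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
 )
 
-with subtest("Web interface gets ready"):
-machine.wait_for_unit("paperless-web.service")
+with subtest("Web interface gets ready"):
+node.wait_for_unit("paperless-web.service")
 # Wait until server accepts connections
-machine.wait_until_succeeds("curl -fs localhost:28981")
+node.wait_until_succeeds("curl -fs localhost:28981")
 
-# Required for consuming documents via the web interface
-with subtest("Task-queue gets ready"):
-machine.wait_for_unit("paperless-task-queue.service")
+# Required for consuming documents via the web interface
+with subtest("Task-queue gets ready"):
+node.wait_for_unit("paperless-task-queue.service")
 
-with subtest("Add a png document via the web interface"):
-machine.succeed(
-"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
-"-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
+with subtest("Add a png document via the web interface"):
+node.succeed(
+"convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
+"-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
 )
-machine.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.png -fs localhost:28981/api/documents/post_document/")
+node.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.png -fs localhost:28981/api/documents/post_document/")
 
-with subtest("Add a txt document via the web interface"):
-machine.succeed(
-"echo 'hello web 16-10-2005' > /tmp/webdoc.txt"
+with subtest("Add a txt document via the web interface"):
+node.succeed(
+"echo 'hello web 16-10-2005' > /tmp/webdoc.txt"
 )
-machine.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.txt -fs localhost:28981/api/documents/post_document/")
+node.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.txt -fs localhost:28981/api/documents/post_document/")
 
-with subtest("Documents are consumed"):
-machine.wait_until_succeeds(
-"(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 3))"
+with subtest("Documents are consumed"):
+node.wait_until_succeeds(
+"(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 3))"
 )
-docs = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results']
+docs = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results']
 assert "2005-10-16" in docs[0]['created']
 assert "2005-10-16" in docs[1]['created']
 assert "2005-10-16" in docs[2]['created']
 
-# Detects gunicorn issues, see PR #190888
-with subtest("Document metadata can be accessed"):
-metadata = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/1/metadata/"))
+# Detects gunicorn issues, see PR #190888
+with subtest("Document metadata can be accessed"):
+metadata = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/1/metadata/"))
 assert "original_checksum" in metadata
 
-metadata = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/2/metadata/"))
+metadata = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/2/metadata/"))
 assert "original_checksum" in metadata
 
-metadata = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/3/metadata/"))
+metadata = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/3/metadata/"))
 assert "original_checksum" in metadata
+
+test_paperless(simple)
+simple.send_monitor_command("quit")
+simple.wait_for_shutdown()
+test_paperless(postgres)
 '';
 })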
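Review bot: The `postgres` node runs the same `test_paperless` flow as `simple`, but nothing asserts that the documents actually ended up in PostgreSQL, so the run would still pass if `PAPERLESS_DBHOST` were ignored and the service used its default database. This node appears intended to show that the sandboxed units can still reach `/run/postgresql` now that the module no longer bind-mounts it. A check after `test_paperless(postgres)` that queries the `paperless` database over the socket and expects a non-empty table list would pin that down. The `admin` password written with `builtins.toFile` ends up in the world-readable Nix store, which is acceptable in a VM test but deserves a comment such as `# test-only credential; toFile puts it in the Nix store`.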