Merge pull request #259056 from leona-ya/nixos-paperless-systemd-254

nixos/paperless: fix start with latest systemd

authored by Atemu and committed by GitHub 16fb0b36 9c3161a1

+60 -61
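--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -36,18 +36,7 @@
 
  # Secure the services
  defaultServiceConfig = {
- TemporaryFileSystem = "/:ro";
- BindReadOnlyPaths = [
- "/nix/store"
- "-/etc/resolv.conf"
- "-/etc/nsswitch.conf"
- "-/etc/hosts"
- "-/etc/localtime"
- "-/etc/ssl/certs"
- "-/etc/static/ssl/certs"
- "-/run/postgresql"
- ] ++ (optional enableRedis redisServer.unixSocket);
- BindPaths = [
+ ReadWritePaths = [
  cfg.consumptionDir
  cfg.dataDir
  cfg.mediaDir
@@ -66,11 +55,9 @@
  PrivateUsers = true;
  ProtectClock = true;
  # Breaks if the home dir of the user is in /home
- # Also does not add much value in combination with the TemporaryFileSystem.
  # ProtectHome = true;
  ProtectHostname = true;
- # Would re-mount paths ignored by temporary root
- #ProtectSystem = "strict";
+ ProtectSystem = "strict";
  ProtectControlGroups = true;
  ProtectKernelLogs = true;
  ProtectKernelModules = true;
@@ -319,17 +306,6 @@
  Type = "oneshot";
  # Enable internet access
  PrivateNetwork = false;
- # Restrict write access
- BindPaths = [];
- BindReadOnlyPaths = [
- "/nix/store"
- "-/etc/resolv.conf"
- "-/etc/nsswitch.conf"
- "-/etc/ssl/certs"
- "-/etc/static/ssl/certs"
- "-/etc/hosts"
- "-/etc/localtime"
- ];
  ExecStart = let pythonWithNltk = pkg.python.withPackages (ps: [ ps.nltk ]); in ''
  ${pythonWithNltk}/bin/python -m nltk.downloader -d '${nltkDir}' punkt snowball_data stopwords
  '';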
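Review bot: With `TemporaryFileSystem = "/:ro"` and the `BindReadOnlyPaths` allow-list removed, `ProtectSystem = "strict"` only makes the host file system read-only; it no longer hides it, so the paperless units can read every path their user has permission for rather than just `/nix/store` and the few `/etc` entries listed before. That trade-off deserves a comment above the new line, e.g. `# Read-only but still visible: unlike the old tmpfs root this does not hide the rest of the host`, and possibly an `InaccessiblePaths` list for locations the service never needs. The third hunk also drops `BindPaths = [];` from the unit that sets `PrivateNetwork = false`; if that unit merges `defaultServiceConfig` (not visible here), the network-enabled downloader now inherits write access to `cfg.consumptionDir`, `cfg.dataDir` and `cfg.mediaDir`, and a unit-level `ReadWritePaths` override limited to its download directory would restore the old restriction. All three hunks are excerpts of larger attribute sets that start and end outside the visible lines.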
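--- a/nixos/tests/paperless.nix
+++ b/nixos/tests/paperless.nix
@@ -2,65 +2,88 @@
  name = "paperless";
  meta.maintainers = with lib.maintainers; [ erikarvstedt Flakebi ];
 
- nodes.machine = { pkgs, ... }: {
- environment.systemPackages = with pkgs; [ imagemagick jq ];
- services.paperless = {
- enable = true;
- passwordFile = builtins.toFile "password" "admin";
+ nodes = let self = {
+ simple = { pkgs, ... }: {
+ environment.systemPackages = with pkgs; [ imagemagick jq ];
+ services.paperless = {
+ enable = true;
+ passwordFile = builtins.toFile "password" "admin";
+ };
+ };
+ postgres = { config, pkgs, ... }: {
+ imports = [ self.simple ];
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "paperless" ];
+ ensureUsers = [
+ { name = config.services.paperless.user;
+ ensurePermissions = { "DATABASE \"paperless\"" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
+ services.paperless.extraConfig = {
+ PAPERLESS_DBHOST = "/run/postgresql";
+ };
  };
- };
+ }; in self;
 
  testScript = ''
  import json
 
- machine.wait_for_unit("paperless-consumer.service")
+ def test_paperless(node):
+ node.wait_for_unit("paperless-consumer.service")
 
- with subtest("Add a document via the file system"):
- machine.succeed(
- "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
- "-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
+ with subtest("Add a document via the file system"):
+ node.succeed(
+ "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
+ "-annotate +5+20 'hello world 16-10-2005' /var/lib/paperless/consume/doc.png"
  )
 
- with subtest("Web interface gets ready"):
- machine.wait_for_unit("paperless-web.service")
+ with subtest("Web interface gets ready"):
+ node.wait_for_unit("paperless-web.service")
  # Wait until server accepts connections
- machine.wait_until_succeeds("curl -fs localhost:28981")
+ node.wait_until_succeeds("curl -fs localhost:28981")
 
- # Required for consuming documents via the web interface
- with subtest("Task-queue gets ready"):
- machine.wait_for_unit("paperless-task-queue.service")
+ # Required for consuming documents via the web interface
+ with subtest("Task-queue gets ready"):
+ node.wait_for_unit("paperless-task-queue.service")
 
- with subtest("Add a png document via the web interface"):
- machine.succeed(
- "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
- "-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
+ with subtest("Add a png document via the web interface"):
+ node.succeed(
+ "convert -size 400x40 xc:white -font 'DejaVu-Sans' -pointsize 20 -fill black "
+ "-annotate +5+20 'hello web 16-10-2005' /tmp/webdoc.png"
  )
- machine.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.png -fs localhost:28981/api/documents/post_document/")
+ node.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.png -fs localhost:28981/api/documents/post_document/")
 
- with subtest("Add a txt document via the web interface"):
- machine.succeed(
- "echo 'hello web 16-10-2005' > /tmp/webdoc.txt"
+ with subtest("Add a txt document via the web interface"):
+ node.succeed(
+ "echo 'hello web 16-10-2005' > /tmp/webdoc.txt"
  )
- machine.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.txt -fs localhost:28981/api/documents/post_document/")
+ node.wait_until_succeeds("curl -u admin:admin -F document=@/tmp/webdoc.txt -fs localhost:28981/api/documents/post_document/")
 
- with subtest("Documents are consumed"):
- machine.wait_until_succeeds(
- "(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 3))"
+ with subtest("Documents are consumed"):
+ node.wait_until_succeeds(
+ "(($(curl -u admin:admin -fs localhost:28981/api/documents/ | jq .count) == 3))"
  )
- docs = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results']
+ docs = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/"))['results']
  assert "2005-10-16" in docs[0]['created']
  assert "2005-10-16" in docs[1]['created']
  assert "2005-10-16" in docs[2]['created']
 
- # Detects gunicorn issues, see PR #190888
- with subtest("Document metadata can be accessed"):
- metadata = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/1/metadata/"))
+ # Detects gunicorn issues, see PR #190888
+ with subtest("Document metadata can be accessed"):
+ metadata = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/1/metadata/"))
  assert "original_checksum" in metadata
 
- metadata = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/2/metadata/"))
+ metadata = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/2/metadata/"))
  assert "original_checksum" in metadata
 
- metadata = json.loads(machine.succeed("curl -u admin:admin -fs localhost:28981/api/documents/3/metadata/"))
+ metadata = json.loads(node.succeed("curl -u admin:admin -fs localhost:28981/api/documents/3/metadata/"))
  assert "original_checksum" in metadata
+
+ test_paperless(simple)
+ simple.send_monitor_command("quit")
+ simple.wait_for_shutdown()
+ test_paperless(postgres)
  '';
  })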
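Review bot: Nothing in `test_paperless` pins the sandbox that this pull request changes: every subtest checks that paperless works, so a later loosening of `defaultServiceConfig` would still pass on both the `simple` and `postgres` nodes. A subtest asserting a denied operation would cover that, for instance that a path outside `cfg.consumptionDir`, `cfg.dataDir` and `cfg.mediaDir` is not writable from within one of the units; the exact command is left to the author. `test_paperless` also lacks a docstring, and `"""Run the end-to-end document checks against one node."""` as its first line would say why it takes `node`.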