
nixos/paperless: set PAPERLESS_SECRET_KEY

If the PAPERLESS_SECRET_KEY environment variable is left unset,
paperless-ngx defaults to a well-known value, which is insecure.

Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>

+20 -5
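--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -332,12 +332,28 @@
 # during migrations
 bindsTo = [ "paperless-scheduler.service" ];
 after = [ "paperless-scheduler.service" ];
+# Setup PAPERLESS_SECRET_KEY.
+# If this environment variable is left unset, paperless-ngx defaults
+# to a well-known value, which is insecure.
+script = let
+secretKeyFile = "${cfg.dataDir}/nixos-paperless-secret-key";
+in ''
+if [[ ! -f '${secretKeyFile}' ]]; then
+(
+umask 0377
+tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'
+)
+fi
+export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}')
+if [[ ! $PAPERLESS_SECRET_KEY ]]; then
+echo "PAPERLESS_SECRET_KEY is empty, refusing to start."
+exit 1
+fi
+exec ${pkg.python.pkgs.gunicorn}/bin/gunicorn \
+-c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
+'';
 serviceConfig = defaultServiceConfig // {
 User = cfg.user;
-ExecStart = ''
-${pkg.python.pkgs.gunicorn}/bin/gunicorn \
--c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application
-'';
 Restart = "on-failure";
 
 # gunicorn needs setuid, liblapack needs mbind
@@ -349,7 +365,6 @@
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
 };
 environment = env // {
-PATH = mkForce pkg.path;
 PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/paperless-ngx/src";
 };
 # Allow the web interface to access the private /tmp directory of the server.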
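Review bot: The `-f` test on the new `if [[ ! -f '${secretKeyFile}' ]]` line only regenerates the key when the file is absent, so an empty key file — which the later `[[ ! $PAPERLESS_SECRET_KEY ]]` guard then rejects — leaves the unit failing on every start with no recovery path short of deleting the file by hand. Using `if [[ ! -s '${secretKeyFile}' ]]; then` (exists and is non-empty) would regenerate in that case, and since no start ever succeeded with an empty key, nothing can depend on it. Whether an interrupted first start can actually leave an empty file depends on how sponge commits its output, which is not visible here. The script also assumes `tr`, `head` and `cat` are on the unit's PATH, which is presumably why `PATH = mkForce pkg.path;` is dropped in the second hunk; a one-line comment at that spot stating the dependency would spare the next reader the inference.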