When the database is on another host, unit isolation for the document
consumer and scheduler have to be disabled. This is currently enabled by
default via `PrivateNetwork = false` in defaultServiceConfig. Following
https://github.com/NixOS/nixpkgs/pull/368137#pullrequestreview-2522617890
making this conditional on the `database.createLocally` option.
Paperless includes a document exporter that can be used for e.g.
backups.
This change extends the module to provide a way to enable and configure
a timer, export settings, pre- and post-processing
scripts (e.g. to ship the backup somewhere else, clean up, ...).
It works out of the box when just enabling it but can be customized.
Includes suitable tests.
Systemd units with `PrivateUsers` set get their capabilities within the user namespace only [1].
As a result they do cannot bind to privileged ports even though they *appear* like they should be able to.
The units in this commit [2] set `PrivateUsers` unconditionally so binding to privileged ports is currently impossible.
Granting them CAP_NET_BIND_SERVICE is useless and misleading any reader of those modules.
Technically, this commit also hardens these modules ever so slightly.
(There are corner cases where this could make sense (e.g. across units, using `JoinsNamspaceOf`) but this is arcane enough to not to be present in nixpkgs.)
[1]: systemd.exec(5): PrivateUsers
[2]: found using `rg -e 'PrivateUsers.?=\s+[^f][^a]' -l | xargs rg -e '\bCAP_' -l`
With the changes introduced in #303388 tesseract would only be compiled
with the languages defined in `PAPERLESS_OCR_LANGUAGE`. However, english
is always required, making tesseract fail to build when only non-english
languages are defined in tesseract:
```
eng.traineddata must be present in tessdata for Tesseract to work
```
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This option resolves#301746 by allowing the admin to bypass the
creation of the paperless directories by systemd-tmpfiles.
This is necessary when, for example, those directories lie inside an NFS
mount that the root user does not have rw access to.
Fixes#301746
This replaces the paperless-copy-password service with the use of
systemd's LoadCredential mechanism.
It is not a breaking change since it is gated behind `cfg.passwordFile`.
paperless-web-start[658743]: kombu.exceptions.OperationalError: [Errno 24] Too many open files: '/nix/store/k6h0pihpi3ih31zjk6ragqcp4mjz4pjs-python3.11-concurrent-log-handler-0.9.24/lib/python3.11/site-packages/concurrent_log_handler-0.9.24.dist-info/entry_points.txt'
If the PAPERLESS_SECRET_KEY environment variable is left unset
paperless-ngx defaults to a well-known value, which is insecure.
Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
The upstream default for the thumbnail font is set to "Liberation Serif
Regular" located at /usr/share/fonts which is inaccessible under nix.
(2a2bf3bf55/src/paperless/settings.py (L894))
Paperless throws an error when parsing plaintext files without a valid
font. This change sets a nix default using the liberation_ttf package.
The homebrewed snippet didn't escape vars properly which is an issue because
PAPERLESS_OCR_USER_ARGS requires a JSON string. This also meant a discrepancy
between the services' env vars and paperless-manage's.
Just use the correctly functioning library function for this instead.
According to
https://github.com/NixOS/nixpkgs/issues/147599#issuecomment-1272286679
the bug that prevented this UMask directive from working has been fixed
in systemd, so it should be safe to use now.
This stops paperless-ngx from making everything world-readable on disk,
but it does not change permissions of any files previously created.
Since version 1.10.0 paperless-ngx depends on the NLTK library which is
used to pre-process data for machine learning. NLTK needs certain
data for stemming, stopword removal etc. This data has to be downloaded
first. This commit introduces a new systemd service that does the
downloading.
This causes a reindex of all documents to allow for comments made before
1.12.x to be searchable.
Also change the format of the version file to just include the version,
not the whole store path.
This simplifies version comparisons and causes migrations to run only
when the version has changed.
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
The nixOS test failed sporadically with a timeout.
This is due to a race condition in the startup of
the scheduler vs the task-queue.
The scheduler runs the migration scripts in "pre-start" and
celery isn't available, yet. The celery worker (paperless-task-queue)
was already started by systemd but was unable to connect
(as the migration scripts from "pre-start" still ran).
This fix adds the necessary "after" condition in the systemd
worker unit and adds a test to "paperless"
Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
`unpaper` requires syscall 238 (`set_mempolicy`).
Add this by un-blocking the systemd syscall filter set `@resources`
which is safe in the context of paperless.
