Closes#249767
Before we only created the admin user when passwordFile was set.
Now it is possible to set PAPERLESS_ADMIN_USER and
PAPERLESS_ADMIN_PASSWORD directly to create the admin user, like in the
upstream Docker image.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
When the database is on another host, unit isolation for the document
consumer and scheduler have to be disabled. This is currently enabled by
default via `PrivateNetwork = false` in defaultServiceConfig. Following
https://github.com/NixOS/nixpkgs/pull/368137#pullrequestreview-2522617890
making this conditional on the `database.createLocally` option.
Paperless includes a document exporter that can be used for e.g.
backups.
This change extends the module to provide a way to enable and configure
a timer, export settings, pre- and post-processing
scripts (e.g. to ship the backup somewhere else, clean up, ...).
It works out of the box when just enabling it but can be customized.
Includes suitable tests.
Systemd units with `PrivateUsers` set get their capabilities within the user namespace only [1].
As a result they do cannot bind to privileged ports even though they *appear* like they should be able to.
The units in this commit [2] set `PrivateUsers` unconditionally so binding to privileged ports is currently impossible.
Granting them CAP_NET_BIND_SERVICE is useless and misleading any reader of those modules.
Technically, this commit also hardens these modules ever so slightly.
(There are corner cases where this could make sense (e.g. across units, using `JoinsNamspaceOf`) but this is arcane enough to not to be present in nixpkgs.)
[1]: systemd.exec(5): PrivateUsers
[2]: found using `rg -e 'PrivateUsers.?=\s+[^f][^a]' -l | xargs rg -e '\bCAP_' -l`
With the changes introduced in #303388 tesseract would only be compiled
with the languages defined in `PAPERLESS_OCR_LANGUAGE`. However, english
is always required, making tesseract fail to build when only non-english
languages are defined in tesseract:
```
eng.traineddata must be present in tessdata for Tesseract to work
```
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
This option resolves#301746 by allowing the admin to bypass the
creation of the paperless directories by systemd-tmpfiles.
This is necessary when, for example, those directories lie inside an NFS
mount that the root user does not have rw access to.
Fixes#301746
This replaces the paperless-copy-password service with the use of
systemd's LoadCredential mechanism.
It is not a breaking change since it is gated behind `cfg.passwordFile`.
paperless-web-start[658743]: kombu.exceptions.OperationalError: [Errno 24] Too many open files: '/nix/store/k6h0pihpi3ih31zjk6ragqcp4mjz4pjs-python3.11-concurrent-log-handler-0.9.24/lib/python3.11/site-packages/concurrent_log_handler-0.9.24.dist-info/entry_points.txt'
If the PAPERLESS_SECRET_KEY environment variable is left unset
paperless-ngx defaults to a well-known value, which is insecure.
Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
The upstream default for the thumbnail font is set to "Liberation Serif
Regular" located at /usr/share/fonts which is inaccessible under nix.
(2a2bf3bf55/src/paperless/settings.py (L894))
Paperless throws an error when parsing plaintext files without a valid
font. This change sets a nix default using the liberation_ttf package.
The homebrewed snippet didn't escape vars properly which is an issue because
PAPERLESS_OCR_USER_ARGS requires a JSON string. This also meant a discrepancy
between the services' env vars and paperless-manage's.
Just use the correctly functioning library function for this instead.
According to
https://github.com/NixOS/nixpkgs/issues/147599#issuecomment-1272286679
the bug that prevented this UMask directive from working has been fixed
in systemd, so it should be safe to use now.
This stops paperless-ngx from making everything world-readable on disk,
but it does not change permissions of any files previously created.
Since version 1.10.0 paperless-ngx depends on the NLTK library which is
used to pre-process data for machine learning. NLTK needs certain
data for stemming, stopword removal etc. This data has to be downloaded
first. This commit introduces a new systemd service that does the
downloading.
