···

       
332
       
332
       
 
       
      # during migrations

     

       
333
       
333
       
 
       
      bindsTo = [ "paperless-scheduler.service" ];

     

       
334
       
334
       
 
       
      after = [ "paperless-scheduler.service" ];

     

       
335
       
335
       
+
       
      # Setup PAPERLESS_SECRET_KEY.

     

       
336
       
336
       
+
       
      # If this environment variable is left unset, paperless-ngx defaults

     

       
337
       
337
       
+
       
      # to a well-known value, which is insecure.

     

       
338
       
338
       
+
       
      script = let

     

       
339
       
339
       
+
       
        secretKeyFile = "${cfg.dataDir}/nixos-paperless-secret-key";

     

       
340
       
340
       
+
       
      in ''

     

       
341
       
341
       
+
       
        if [[ ! -f '${secretKeyFile}' ]]; then

     

       
342
       
342
       
+
       
          (

     

       
343
       
343
       
+
       
            umask 0377

     

       
344
       
344
       
+
       
            tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'

     

       
345
       
345
       
+
       
          )

     

       
346
       
346
       
+
       
        fi

     

       
347
       
347
       
+
       
        export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}')

     

       
348
       
348
       
+
       
        if [[ ! $PAPERLESS_SECRET_KEY ]]; then

     

       
349
       
349
       
+
       
          echo "PAPERLESS_SECRET_KEY is empty, refusing to start."

     

       
350
       
350
       
+
       
          exit 1

     

       
351
       
351
       
+
       
        fi

     

       
352
       
352
       
+
       
        exec ${pkg.python.pkgs.gunicorn}/bin/gunicorn \

     

       
353
       
353
       
+
       
          -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application

     

       
354
       
354
       
+
       
      '';

     

       
335
       
355
       
 
       
      serviceConfig = defaultServiceConfig // {

     

       
336
       
356
       
 
       
        User = cfg.user;

     

       
337
       
337
       
-
       
        ExecStart = ''

     

       
338
       
338
       
-
       
          ${pkg.python.pkgs.gunicorn}/bin/gunicorn \

     

       
339
       
339
       
-
       
            -c ${pkg}/lib/paperless-ngx/gunicorn.conf.py paperless.asgi:application

     

       
340
       
340
       
-
       
        '';

     

       
341
       
357
       
 
       
        Restart = "on-failure";

     

       
342
       
358
       
 
       


     

       
343
       
359
       
 
       
        # gunicorn needs setuid, liblapack needs mbind

     
···

       
349
       
365
       
 
       
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];

     

       
350
       
366
       
 
       
      };

     

       
351
       
367
       
 
       
      environment = env // {

     

       
352
       
352
       
-
       
        PATH = mkForce pkg.path;

     

       
353
       
368
       
 
       
        PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/paperless-ngx/src";

     

       
354
       
369
       
 
       
      };

     

       
355
       
370
       
 
       
      # Allow the web interface to access the private /tmp directory of the server.