modules: services: paperless: use 'secretKeyFile'

In preparation for the migration to agenix.
This commit is contained in:
Bruno BELANYI 2021-09-25 13:15:34 +02:00
parent ca218730ff
commit 0f2c20e51d
2 changed files with 22 additions and 5 deletions


@ -103,7 +103,9 @@ in
# Insecure, I don't care # Insecure, I don't care
passwordFile = passwordFile =
builtins.toFile "paperless.env" my.secrets.paperless.password; builtins.toFile "paperless.env" my.secrets.paperless.password;
secretKey = my.secrets.paperless.secretKey; secretKeyFile = builtins.toFile "paperless-key.env" ''
PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
'';
}; };
# The whole *arr software suite # The whole *arr software suite
pirate.enable = true; pirate.enable = true;
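Review bot: The new `secretKeyFile` built with `builtins.toFile "paperless-key.env"` still lands in `/nix/store`, which is world-readable, so the key is exactly as exposed as the removed `secretKey` attribute was, while the `# Insecure, I don't care` comment above only covers `passwordFile`. Suggest moving the comment so it applies to both, e.g. `# Insecure (both files end up in the world-readable store), I don't care` placed before `passwordFile`, or a `# TODO: move to agenix` matching the commit message. The key is also interpolated unquoted into the EnvironmentFile, so a value containing characters that `systemd.exec(5)` treats specially (leading or trailing whitespace, quotes, backslashes) would be silently altered; writing it as `PAPERLESS_SECRET_KEY="${my.secrets.paperless.secretKey}"` limits that to backslashes. The enclosing attribute set begins outside the hunk.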


@ -13,10 +13,12 @@ in
description = "Internal port for webui"; description = "Internal port for webui";
}; };
secretKey = mkOption { secretKeyFile = mkOption {
type = types.str; type = types.str;
example = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee"; example = "/var/lib/paperless/secret-key.env";
description = "Secret key used for sessions tokens"; description = ''
Secret key as an 'EnvironmentFile' (see `systemd.exec(5)`)
'';
}; };
documentPath = mkOption { documentPath = mkOption {
@ -65,7 +67,6 @@ in
PAPERLESS_DBNAME = "paperless"; PAPERLESS_DBNAME = "paperless";
# Security settings # Security settings
PAPERLESS_SECRET_KEY = cfg.secretKey; # Insecure, I don't care
PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
@ -81,6 +82,20 @@ in
passwordFile = cfg.passwordFile; passwordFile = cfg.passwordFile;
}; };
systemd.services = {
paperless-ng-server.serviceConfig = {
EnvironmentFile = cfg.secretKeyFile;
};
paperless-ng-consumer.serviceConfig = {
EnvironmentFile = cfg.secretKeyFile;
};
paperless-ng-web.serviceConfig = {
EnvironmentFile = cfg.secretKeyFile;
};
};
# Set-up database # Set-up database
services.postgresql = { services.postgresql = {
enable = true; enable = true;
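Review bot: The new `secretKeyFile` description in the first hunk says the file is an 'EnvironmentFile' but not which variable it must define, so a user has to discover `PAPERLESS_SECRET_KEY` from the removed line or the service definitions; the option should name it. Suggest the description `Path to an EnvironmentFile (see systemd.exec(5)) that sets PAPERLESS_SECRET_KEY, the secret key used for session tokens.` and, since systemd loads the file before switching to the service user, a sentence that it should be root-owned and not world-readable (the new `example` path under `/var/lib/paperless` is consistent with that; the old example exposed a key-shaped value). In the last hunk the three identical `serviceConfig.EnvironmentFile = cfg.secretKeyFile;` blocks could be produced with `lib.genAttrs [ "paperless-ng-server" "paperless-ng-consumer" "paperless-ng-web" ] (_: { serviceConfig.EnvironmentFile = cfg.secretKeyFile; })`, assuming `lib` is in scope as the bare `mkOption`/`types` suggest. Both the options set and the config block continue outside the hunks.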