modules: services: paperless: use 'secretKeyFile'
In preparation for the migration to agenix.
parent
ca218730ff
commit
0f2c20e51d
|
@ -103,7 +103,9 @@ in
|
|||
# Insecure, I don't care
|
||||
passwordFile =
|
||||
builtins.toFile "paperless.env" my.secrets.paperless.password;
|
||||
secretKey = my.secrets.paperless.secretKey;
|
||||
secretKeyFile = builtins.toFile "paperless-key.env" ''
|
||||
PAPERLESS_SECRET_KEY=${my.secrets.paperless.secretKey}
|
||||
'';
|
||||
};
|
||||
# The whole *arr software suite
|
||||
pirate.enable = true;
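Review bot: The new `secretKeyFile` is built with `builtins.toFile`, so the rendered `PAPERLESS_SECRET_KEY=...` line still lands in the Nix store, which every local user can read. The `# Insecure, I don't care` comment appears to sit above `passwordFile` only, and this commit drops the matching comment in the module. Until the agenix migration lands I would mark the new assignment as well, e.g. `# FIXME: world-readable store path, replace with an agenix-managed file`. The key is also interpolated unquoted into an environment file, so a key containing quotes or a backslash may be parsed by systemd differently than intended; worth confirming against `systemd.exec(5)`. The enclosing attribute set starts outside the hunk.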
|
||||
|
|
|
@ -13,10 +13,12 @@ in
|
|||
description = "Internal port for webui";
|
||||
};
|
||||
|
||||
secretKey = mkOption {
|
||||
secretKeyFile = mkOption {
|
||||
type = types.str;
|
||||
example = "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee";
|
||||
description = "Secret key used for sessions tokens";
|
||||
example = "/var/lib/paperless/secret-key.env";
|
||||
description = ''
|
||||
Secret key as an 'EnvironmentFile' (see `systemd.exec(5)`)
|
||||
'';
|
||||
};
|
||||
|
||||
documentPath = mkOption {
|
||||
|
@ -65,7 +67,6 @@ in
|
|||
PAPERLESS_DBNAME = "paperless";
|
||||
|
||||
# Security settings
|
||||
PAPERLESS_SECRET_KEY = cfg.secretKey; # Insecure, I don't care
|
||||
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
|
||||
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
|
||||
|
||||
|
@ -81,6 +82,20 @@ in
|
|||
passwordFile = cfg.passwordFile;
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
paperless-ng-server.serviceConfig = {
|
||||
EnvironmentFile = cfg.secretKeyFile;
|
||||
};
|
||||
|
||||
paperless-ng-consumer.serviceConfig = {
|
||||
EnvironmentFile = cfg.secretKeyFile;
|
||||
};
|
||||
|
||||
paperless-ng-web.serviceConfig = {
|
||||
EnvironmentFile = cfg.secretKeyFile;
|
||||
};
|
||||
};
|
||||
|
||||
# Set-up database
|
||||
services.postgresql = {
|
||||
enable = true;
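Review bot: With `PAPERLESS_SECRET_KEY = cfg.secretKey;` removed from the settings, the key reaches the three units only through `EnvironmentFile = cfg.secretKeyFile;`, and the option description does not say which variable the file must define. If the file omits `PAPERLESS_SECRET_KEY`, the services still start, and as far as I know upstream paperless-ng then falls back to a built-in, publicly known default key (the removed `example` value looks like it), so sessions would be signed with a key anyone can look up. I would extend the description to something like `File containing 'PAPERLESS_SECRET_KEY=<key>', loaded as an 'EnvironmentFile' (see systemd.exec(5)); keep it outside the Nix store and readable by root only.` The three identical `serviceConfig` attribute sets could also be generated from a list of unit names, so a unit added later is less likely to be missed.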
|
||||
|
|