If the PAPERLESS_SECRET_KEY environment variable is left unset
paperless-ngx defaults to a well-known value, which is insecure.
Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
when using the host's openssh service (not the builtin golang one).
This enables the use of the much faster and more efficient wire protocol
version 2.
See https://git-scm.com/docs/protocol-v2
From `postgresql_15`'s release notes:
> PostgreSQL 15 also revokes the CREATE permission from all users except
a database owner from the public (or default) schema.
https://www.postgresql.org/about/news/postgresql-15-released-2526/
This directly affects `services.postgresql.ensureUsers` in NixOS,
leading to
> permission denied for schema public
`postgresql_15` is now the default for stateVersion `23.11`/`unstable`.
So until this is resolved globally, we work around this issue.
This adds a NixOS module for Soft Serve, a tasty, self-hostable Git
server for the command line. The module has a test that checks some
basic things like creating users, creating a repo and cloning it.
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Tanvir Ahmed T. reports that `services.xmr-stak.enable = true;` shows
that `23.05` ships broken `xmr-stak` module:
error: function 'anonymous lambda' called with unexpected argument 'cudaSupport'
I broke it when I removed `cudaSupport` flag in
a5ce71d4e8
I'm just removing the option without an attempt to supply the stub as
module was already broken on `23.05` release. There are probably no
users of `xmr-stak` module by now.
Closes: https://github.com/NixOS/nixpkgs/issues/256703
To those who use Jellyfin's DLNA server, it can happen that the DLNA server starts before we are connected to the LAN.
When this happens, Jellyfin only publishes the DLNA server on the local ports and is not discoverable by devices in the LAN.
In order to fix this, I'm ensuring that Jellyfin starts after we are connected to the network, making it properly discoverable by DLNA clients.
After making this change, Jellyfin's DLNA server is now working as expected on my machine. It used to be consistently undiscoverable.
I verified that this doesn't break anything in situations where the LAN is not available: I disconnected my laptop from the network and rebooted it and Jellyfin started as expected.
This change was informed by reading the suggestion in this article: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
Following a decicion from both the gitea and forgejo maintainers in
nixpkgs.
This means, that forgejo will no longer co-use the nixos/gitea module
via `services.gitea.package = pkgs.forgejo`.
The upstream default for the thumbnail font is set to "Liberation Serif
Regular" located at /usr/share/fonts which is inaccessible under nix.
(2a2bf3bf55/src/paperless/settings.py (L894))
Paperless throws an error when parsing plaintext files without a valid
font. This change sets a nix default using the liberation_ttf package.
When a dependency, like postgresql.service or redis-gitlab.service, had
been stopped and started at switch-to-configuration time, gitlab.service
and its helper units had been stopped but not started again.
`multi-user.target` only has a `Wants` relation to gitlab.target, but
once gitlab.target has been successfully started once and is not stopped/
restarted again, it does not cause all its dependencies to stay activated
the whole time.
This commit fixes this by upgrading the dependy relationship of
gitlab.service towards gitlab.target from a "Wants" to a "Requires". It
should be enough to do this for this single unit part of gitlab.target
only, as all other units wantedBy gitlab.target are pulled in by
gitlab.service as well or have bindsTo relations.
Fix for Gitea 1.20.0.
Without this being set, e.g. a `git push` (or `ssh` to `git@` in general) fails like this:
2023/07/17 09:27:05 ...s/setting/setting.go:109:LoadCommonSettings() [F] Unable to load settings from config: unable to create chunked upload directory: /nix/store/yna9nf66wl2n9hlnhxi2g7fdgawk2kxl-gitea-1.20.0/bin/data/tmp/package-upload (mkdir /nix/store/yna9nf66wl2n9hlnhxi2g7fdgawk2kxl-gitea-1.20.0/bin/data: read-only file system)
Connection to git.mbosch.me closed.
The homebrewed snippet didn't escape vars properly which is an issue because
PAPERLESS_OCR_USER_ARGS requires a JSON string. This also meant a discrepancy
between the services' env vars and paperless-manage's.
Just use the correctly functioning library function for this instead.
It is now only about the system service.
Granted, it also installs the client package, but that could be
factored out later, with actual test to support such a new type of
configuration.
Unfortunately the config is not compatible; data itself looks like it was compatible
from an up to date python ankisyncd but I wouldn't assume anything with the older
service (which didn't work for me with either ankidroid or recent desktop version)
Currently the database service (mysql/postgresql) is required by the
gitea service. If none of them exists on the same machine as gitea it
will refuse to start. With this change it is only required if
createDatabase was set to true.
According to
https://github.com/NixOS/nixpkgs/issues/147599#issuecomment-1272286679
the bug that prevented this UMask directive from working has been fixed
in systemd, so it should be safe to use now.
This stops paperless-ngx from making everything world-readable on disk,
but it does not change permissions of any files previously created.
The WEBHOOK_URL options is only able to be set through environment variables. Was considering adding a more generic "environment" parameter but wasn't sure the best way to approach this.
Support for gitlab-container-registry has been added in 014816cbe4.
However, when enabling the registry it will throw an error as it can't
find a `package` attribute.
This commit fixes the registry configuration by adding the missing
`registry` part.
Support for external container registries (namely
`pkgs.docker-distribution`) has ended in GitLab 16.0 [1] and is
scheduled for removal in a future release. [2]
This commit adds a new registry package option, defaulting to
`pkgs.docker-distribution` and `pkgs.gitlab-container-registry` for
system state versions >= 23.11.
While it is still possible to use the docker container registry, module
users should switch to gitlab's container registry fork soon. A warning
message will be added in a future commit to advise affected users to
back up their state and then switch to the new container registry
package.
[1]: https://gitlab.com/gitlab-org/gitlab/-/issues/376217
[2]: https://gitlab.com/gitlab-org/gitlab/-/issues/403322
From my understanding, procps was added to the gitlay systemd service
path in #58487 to fix gitaly-ruby's internal memory leak detection.
Now that the last ruby remnants have been removed in gitaly 16.0.0,
this should not be necessary anymore.
The pufferpanel module (#225274) was merged shortly after the tree-wide
rename f63a12f296 (#225748), so the use of
deperecated buildFHSUserEnv in the docs slipped through review 😅
Using escapeShellArg does not make sense here because (a) it turned the
list into a string, so the entire service failed and (b) because systemd
does not use the same escaping mechanism as bash.
The clientCertAuth option must be mapped to the etcd environment
variable ETCD_CLIENT_CERT_AUTH and the peerClientCertAuth option to
ETCD_PEER_CLIENT_CERT_AUTH.
Signed-off-by: Maximilian Nitsch <maximilian.nitsch@d3tn.com>
The OnCalendar systemd setting is additive. To clear the setting defined
by the pre-existing unit file, it has to be set first to an empty
string, then to the desired value.
Even if GitLab is used without Pages, some of its settings are still
used in the gitlab.yml file, resulting in errors such as
error: The option `services.gitlab.pages.settings.pages-domain' is used but not defined.
To fix this, make the settings' usage conditional on Pages being
enabled.
This makes it so that alternative packages, such as `pkgs.forgejo` are
able to be used instead of the default `pkgs.gitea`.
Also adds myself as a maintainer of the module.
The varible `gitea`, which was used instead of `cfg.package`, has been
replaced with the variable `exe`, and is instead the value of the main
executable, as gotten from `lib.getExe`. `cfg.package` is used when this
value is not appropriate.
Gitea spawns `gpg` processes for commit signing related actions.
Those `gpg` processes need `mlock` (probably to prevent secrets
in the memory to swap).
Blocking it (as part of the `@memlock` preset) causes any
commit signing related actions to error out as http/500
Since version 1.10.0 paperless-ngx depends on the NLTK library which is
used to pre-process data for machine learning. NLTK needs certain
data for stemming, stopword removal etc. This data has to be downloaded
first. This commit introduces a new systemd service that does the
downloading.
This causes a reindex of all documents to allow for comments made before
1.12.x to be searchable.
Also change the format of the version file to just include the version,
not the whole store path.
This simplifies version comparisons and causes migrations to run only
when the version has changed.
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
`autosuspend` is a daemon that periodically runs user-defined checks to
verify whether the system should be suspended. It's already available
in nixpkgs. This adds a NixOS module which starts the daemon as a
systemd service.
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
If `runtime_dir` is not set, gitaly will use `/tmp` as a place for sockets
and packed binaries like `git2go`. If the gitlab instance does not experience
much traffic and gitlay is not restarted regularly, systemd-tmpfiles will
remove the binaries. This breaks some gitlab functionality until gitaly is
restarted manually.
MD can only do the latter, so change them all over now to keeps diffs reviewable.
this also includes <literal><xref> -> <xref> where options are referenced since
the reference will implicitly add an inner literal tag.
markdown cannot represent those links. remove them all now instead of in
each chapter conversion to keep the diff for each chapter small and more
understandable.
ZM has a configuration which defaults to a file in its installaton path.
In NixOS, this means a Nix store path is persisted into the database,
which will break when e.g. ZM is upgraded.
Workaround this by doing a regular expression-based string replacement
SQL command to replace this value. The regular expression should not
match if users has changed this config to somewhere else. It will match
even if ZM isn't upgraded, in which case it'll replace the value with
itself. As such, it should be safe to run this at every ZM startup.
