nixos/paperless: Support remote databases #368137
Conversation
@ofborg test paperless
Presumably this is incompatible with
I won't accept a new option for this.
How about we make it conditional on the local database option added in #359563?
32811fb to 519a7a7
When the database is on another host, unit isolation for the document consumer and scheduler has to be disabled. Following NixOS#368137 (review), this is made conditional on the `database.createLocally` option.
Updated. PTAL.
Am I missing something or does the code not reflect the intention? This only adds hardening when run locally rather than loosen it when not local. This also doesn't really make much sense to me; why does it need private networking? Local DB connections are made using unix sockets, not networking, right?
If the option is not set, aka no private networking, then it is open to connect via TCP to other things.
yeah and non-local DBs are done via networking.
If the option is not set, aka no private networking, then it is open to connect via TCP to other things.
Right but that's not the stated intention. Currently, networking doesn't appear to be restricted at all, so what this really does is add hardening?
It's extremely confusing. The intention should be re-stated and explained in the commit message to remove this confusion.
yeah and non-local DBs are done via networking.
The correct hardening to apply would be to block networking entirely then.
No. If you check the default service config that's underlying all unit definitions in the module, it sets
That won't work since networking is required at least for the web frontend and the task queue to function. For the scheduler and consumer to work with a remote database, they also need to disable the default I believe the commit message concisely explains that. Of course I'd welcome specific proposals for a better message. Do you have any?
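The split the thread settles on (web frontend and task queue always need the network; consumer and scheduler only need it when the database is remote) can be expressed as a small NixOS module. This is an added illustration, not the code from this PR or the nixpkgs paperless module; the unit names `paperless-consumer` and `paperless-scheduler` and the `services.paperless.database.createLocally` option are assumed to match the module discussed above.

```nix
# Added illustration (not the PR's or nixpkgs' own code): isolate the
# consumer and scheduler from the network only when the database is on
# the same host. Unit names and the createLocally option are assumptions.
{ config, lib, ... }:
let
  cfg = config.services.paperless;
  # Local database: connections go over a Unix socket, which still works
  # inside an empty network namespace, so PrivateNetwork can stay on.
  # Remote database: the units must reach it over TCP, so PrivateNetwork
  # would break them and must be off.
  isolateNetwork = cfg.database.createLocally;
in
{
  systemd.services = lib.genAttrs [ "paperless-consumer" "paperless-scheduler" ] (_: {
    # mkForce overrides whatever the module's default service config sets.
    serviceConfig.PrivateNetwork = lib.mkForce isolateNetwork;
  });
  # paperless-web and the task queue are deliberately left alone: they
  # need networking regardless of where the database lives.
}
```

After a rebuild, `systemctl show paperless-consumer -p PrivateNetwork` should report `yes` on a host with a local database and `no` on one pointing at a remote database; a `yes` on a remote-database host is the failure mode the thread describes (the unit cannot reach its database).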
That clears it up, thanks.
You should put into the commit message a description or explanation of your changes when it's not obvious why they were done in a certain way or what the intention is.
Actually, you should do this even if you think it's obvious because reviewers as well as future us looking at the history won't necessarily be familiar with how this specific part works, so an explanation is extremely helpful in any case.
What you wrote in reply to me is basically that; you could just reword that slightly.
When the database is on another host, unit isolation for the document consumer and scheduler has to be disabled. This is currently enabled by default via `PrivateNetwork = false` in defaultServiceConfig. Following NixOS#368137 (review), this is made conditional on the `database.createLocally` option.
Reworded the commit message accordingly.
Intention and diff LGTM.
When the database is on another host, unit isolation for the document consumer has to be disabled.
Things done
Using this in a local setup.
@leona @SuperSandro2000 @erikarvstedt