From 69319ee4a6a611729e0907d6cc970201c9d2a654 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 11 Apr 2022 17:06:03 +0200
Subject: [PATCH] nixos/paperless-ng: fix /proc access for service

This allows django-q to set the number of workers according to the CPU core count and to show memory stats via `manage.py qmonitor`. This also fixes a non-critical psutil error in paperless-ng-server.
---
 nixos/modules/services/misc/paperless-ng.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/misc/paperless-ng.nix b/nixos/modules/services/misc/paperless-ng.nix
index 159aad3504b..632e824755c 100644
--- a/nixos/modules/services/misc/paperless-ng.nix
+++ b/nixos/modules/services/misc/paperless-ng.nix
@@ -53,7 +53,6 @@ let
 PrivateNetwork = true;
 PrivateTmp = true;
 PrivateUsers = true;
- ProcSubset = "pid";
 ProtectClock = true;
 # Breaks if the home dir of the user is in /home
 # Also does not add much value in combination with the TemporaryFileSystem.
@@ -66,6 +65,10 @@ let
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
+ # Don't restrict ProcSubset because django-q requires read access to /proc/stat
+ # to query CPU and memory information.
+ # Note that /proc only contains processes of user `paperless`, so this is safe.
+ # ProcSubset = "pid";
 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
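Review bot: The safety rationale in the added comment (second hunk) does not match what the change relaxes: `ProtectProc = "invisible"` is the option that hides other users' processes, whereas dropping `ProcSubset = "pid"` exposes the non-process entries of /proc, which are system-wide and not limited to /proc/stat. I would reword the third comment line to something like `# ProtectProc still hides other users' processes; this only exposes the system-wide, non-process /proc entries (e.g. /proc/stat) to the service.` so the next reader knows what is actually traded away. The commented-out `# ProcSubset = "pid";` line could be dropped, since the comment above it already records the decision. The attribute set these options belong to starts and ends outside both hunks, so whether options other than the visible `ProtectKernelTunables` further limit those entries cannot be confirmed from this diff.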