nixos/paperless-ng: fix /proc access for service
This allows django-q to set the number of workers according to the CPU core count and to show memory stats via `manage.py qmonitor`. This also fixes a non-critical psutil error in paperless-ng-server.
parent
308c4bf0f7
commit
69319ee4a6
|
@ -53,7 +53,6 @@ let
|
||||||
PrivateNetwork = true;
|
PrivateNetwork = true;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
PrivateUsers = true;
|
PrivateUsers = true;
|
||||||
ProcSubset = "pid";
|
|
||||||
ProtectClock = true;
|
ProtectClock = true;
|
||||||
# Breaks if the home dir of the user is in /home
|
# Breaks if the home dir of the user is in /home
|
||||||
# Also does not add much value in combination with the TemporaryFileSystem.
|
# Also does not add much value in combination with the TemporaryFileSystem.
|
||||||
|
@ -66,6 +65,10 @@ let
|
||||||
ProtectKernelModules = true;
|
ProtectKernelModules = true;
|
||||||
ProtectKernelTunables = true;
|
ProtectKernelTunables = true;
|
||||||
ProtectProc = "invisible";
|
ProtectProc = "invisible";
|
||||||
|
# Don't restrict ProcSubset because django-q requires read access to /proc/stat
|
||||||
|
# to query CPU and memory information.
|
||||||
|
# Note that /proc only contains processes of user `paperless`, so this is safe.
|
||||||
|
# ProcSubset = "pid";
|
||||||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
|
|
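Review bot: The added comment ending in "so this is safe" (second hunk, above the commented-out `# ProcSubset = "pid";`) credits the wrong setting. Hiding other users' processes is the job of `ProtectProc = "invisible"`, whereas `ProcSubset` controls the entries of /proc that are not tied to a process. Without `ProcSubset = "pid"` the service can read /proc/stat as django-q needs, but also the other system-wide files outside the per-PID directories, so the exposure is host information rather than foreign processes. I would reword the last comment line to something like `# ProtectProc still hides other users' processes; this only exposes the system-wide /proc entries (e.g. /proc/stat).` The attribute set these options belong to starts and ends outside both hunks.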