diff --git a/modules/erpnext.nix b/modules/erpnext.nix
index 10b61dd..97befb2 100644
--- a/modules/erpnext.nix
+++ b/modules/erpnext.nix
@@ -212,6 +212,9 @@ in
 Type = "simple";
 BindReadOnlyPaths = [
 "/etc/hosts:/etc/hosts"
+ "/etc/resolv.conf:/etc/resolv.conf"
+ "/etc/ssl:/etc/ssl"
+ "/etc/static/ssl:/etc/static/ssl"
 "/run/agenix:/run/agenix"
 "${pkgs.frappe-app}:${pkgs.frappe-app}"
 "${pkgs.frappe-app}/share/apps/frappe:${cfg.benchDir}/apps/frappe"
@@ -330,12 +333,20 @@ in
 description = "ERPNext web server";
 confinement = {
 enable = true;
- packages = [ pkgs.mariadb-client penv ];
+ # pkgs listed here get added to the services' BindReadOnlyPaths
+ # The same is true for pkgs referred to in ExecStartPre, ExecStart, etc.
+ # Explicitily listing these pkgs here for visibility
+ packages = [
+ penv
+ pkgs.coreutils
+ # Dependency for 'bench new-site' subcommand
+ pkgs.mariadb-client
+ pkgs.replace-secret
+ ];
 };
 environment = {
 PYTHON_PATH = "${penv}/${pkgs.python3.sitePackages}";
 };
- path = [ pkgs.mariadb-client penv pkgs.coreutils ];
 serviceConfig = defaultServiceConfig // {
 TimeoutStartSec = "300s";
 Restart = "on-failure";
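Review bot: The new `"/etc/ssl:/etc/ssl"` and `"/etc/static/ssl:/etc/static/ssl"` entries bind the whole directories into the confined unit, and if this list is the shared `defaultServiceConfig` they reach every service built from it. If only the CA bundle is needed for outbound TLS, narrowing to `"/etc/ssl/certs:/etc/ssl/certs"` (plus the matching static path) keeps the confinement tighter. On NixOS these entries are typically symlinks into /nix/store, so it is worth confirming that the bundle's store path is also reachable inside the chroot; otherwise certificate verification fails at runtime. The `/etc/resolv.conf` file bind is resolved when the unit starts, so a resolver that replaces the file by rename may leave the service with stale DNS settings until it is restarted. A one-line comment such as `# DNS + CA trust for outbound HTTPS from the confined unit` above the three entries would record why they exist; the enclosing attribute set starts and ends outside the hunk.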
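Review bot: Dropping `path = [ pkgs.mariadb-client penv pkgs.coreutils ];` takes the MariaDB client and `penv` out of the unit's PATH, and `confinement.packages` does not replace that, since it only adds the closures to the chroot. If `bench new-site` or an ExecStartPre script invokes the client or a `penv` binary by bare name, the lookup will fail inside the service. Either keep `path = [ pkgs.mariadb-client penv ];` or confirm that every invocation uses an absolute store path. The added comment also has a typo, `Explicitily` should read `Explicitly`. The service definition continues outside the hunk.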