How to use CIFS mount as the consumption directory for paperless service?

Background

I am creating the configuration for services.paperless with the following configuration:

  services.paperless = {
    enable = true;
    extraConfig = { PAPERLESS_OCR_LANGUAGE = "fin+eng"; };
    address = "0.0.0.0";
    port = 28981;
    consumptionDir = "/mnt/share/scanned-documents-copy";
    consumptionDirIsPublic = true;
  };

However, the “/mnt/share/” is a CIFS-mount configured as such:

let
  automount_opts =
    "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,_netdev,noperm";
  omv_ip = "***";
  hass_ip = "***";
  credentials_opt = "credentials=***";
  hass_credentials_opt =
    "credentials=***";
in _:

{
  fileSystems."/mnt/share" = {
    device = "//${omv_ip}/omvshare";
    fsType = "cifs";
    options = [ "${automount_opts},${credentials_opt}" ];
  };
}

Expected outcome

I would expect “/mnt/share/scanned-documents-copy” to be useable by the service as its consumption directory.

Outcome

The systemd service fails with output that includes the following messages:

Detected autofs mount point /mnt/share during canonicalization of /mnt/share/scanned-documents-copy.
Skipping /mnt/share/scanned-documents-copy
Detected autofs mount point /mnt/share during canonicalization of /mnt/share/scanned-documents-copy.
Skipping /mnt/share/scanned-documents-copy

and from paperless-scheduler.service logs:

Nov 05 19:43:21 nixosvm systemd[1475046]: paperless-scheduler.service: Failed to set up mount namespacing: /run/systemd/unit-root/mnt/share/scanned-documents-copy: No such file or directory
Nov 05 19:43:21 nixosvm systemd[1475046]: paperless-scheduler.service: Failed at step NAMESPACE spawning /nix/store/5acfclrp6klap03ikqb6q5vpp1xwql38-unit-script-paperless-scheduler-pre-start/bin/paperless-scheduler-pre-start: No such file or directory

Further info

No doubt this is related to systemd hardening (and less so to NixOS) but I found no direct solutions to this and lack the knowledge of systemd to solve it myself. I would expect similar issues might happen with other services trying to use e.g., CIFS mounts, so some documentation on the solution would be nice.

The mount works otherwise and with e.g., the syncthing service. What is different with paperless? (I suppose the consumption directory is in BindPaths?)

I just ran into the same issue but my mount is NFS instead of CIFS. Were you able to solve it?

No, I did not. I switched to using virtualisation.oci-containers to implement paperless-ngx using a container image. Mounting there is similar to docker volume mounting.

However, I believe the issue with the paperless config is using BindPaths in the systemd service config rather than e.g. ReadWritePaths (https://github.com/NixOS/nixpkgs/blob/43ae2a7a1fc3047493dc018c428bc2548c2ff38e/nixos/modules/services/misc/paperless.nix#L49). BindPaths seems to be more restrictive but I do not know enough about systemd nomenclature to know more than this.

Thanks for following up quickly. I’m not familiar with oci-containers so I’ll look it up but if you have a quick link to a guide handy or any shortcuts to get started I’d appreciate it!

Actually, I suppose I should just ask if you can post the configuration.nix snippet for your paperless-ngx setup :)

Here you go: paperless-ngx.nix · GitHub

You will need to edit this to fit your configuration. But hopefully it is useful! The basic idea is that you replicate the behaviour of docker-compose using the options provided by NixOS (which themselves wrap the command-line options of the docker CLI).

As noted in a comment, I supply the PAPERLESS_ADMIN_PASSWORD through an environment file. You do not need to use sops for this purpose, it is just what I use.

Thanks, there’s lots to digest there but I’m hopeful it will get me up and running!

BTW, that’s a lot of code to replace what would otherwise be services.paperless.enable = true; :)

Agreed. Revising the systemd service for paperless would probably be a faster option as long as you know how to work with NixOS module files. As I understand, using the BindPaths is the only problem with it when using network drives. However, I have not researched if there is a reason for using BindPaths.

Learning the oci-containers options is useful when you want to duplicate a working docker-compose orchestration into nix fast.

For reference, I got paperless-ngx running with the following configuration:

  fileSystems."/tank" = {
    device = "10.0.20.1:/tank";
    fsType = "nfs4";
    options = [ "rsize=32768,wsize=32768,noatime,async" ];
  };

and

  services.paperless = {
    enable = true;
    address = "0.0.0.0";
    dataDir = "/tank/paperless";
    consumptionDirIsPublic = true;
    extraConfig = {
      PAPERLESS_CONSUMER_POLLING = 60;
    };
  };

I think what got it working was setting (the equivalent of) no_root_squash on the NFS server. Had to set polling mode because inotify won’t work over NFS. I can’t vouch for full functionality or stability yet but it’s running and consumed a couple of documents already so I’m happy with that!
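
For the "Detected autofs mount point ... Skipping" error in the original question, one approach that keeps the hardened services.paperless module is to mount the share as a plain (non-automount) mount and start the paperless units only after it is up. This is an added example, not configuration from any poster in the thread and not tested against their setup; the device address, the credentials path and every unit name other than paperless-scheduler are placeholders or assumptions.

```nix
# Added example (untested sketch): avoid the autofs mount point that systemd
# skips while building the service's mount namespace.
{ lib, ... }:
let
  consumptionDir = "/mnt/share/scanned-documents-copy";

  # "paperless-scheduler" appears in the logs above. The other two names are
  # assumptions about which units the paperless module defines; adjust them
  # to what `systemctl list-units 'paperless*'` shows on your system.
  paperlessUnits = [ "paperless-scheduler" "paperless-consumer" "paperless-web" ];
in
{
  fileSystems."/mnt/share" = {
    device = "//OMV_IP_PLACEHOLDER/omvshare"; # placeholder address
    fsType = "cifs";
    # x-systemd.automount, noauto and x-systemd.idle-timeout are dropped on
    # purpose: /mnt/share is then a real cifs mount, never an autofs trigger.
    # The cost is losing on-demand mounting and idle unmounting.
    options = [
      "_netdev"                     # wait for the network before mounting
      "nofail"                      # do not fail boot if the server is down
      "x-systemd.mount-timeout=5s"
      "noperm"
      "credentials=/path/to/credentials" # placeholder path
    ];
  };

  # Each unit gets Requires= and After= on the mount that contains
  # consumptionDir, so the directory exists when the bind mount for the
  # sandbox is set up. If the mount fails, the units fail instead of
  # starting with a missing consumption directory.
  systemd.services = lib.genAttrs paperlessUnits (_: {
    unitConfig.RequiresMountsFor = [ consumptionDir ];
  });
}
```

Once the share is mounted, `findmnt -T /mnt/share/scanned-documents-copy` should report `cifs` as the filesystem type rather than `autofs`.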