Tandoor Recipes with Nginx Proxy Serving Media?

Has anyone had some luck getting the tandoor-recipes.nix to work with an Nginx reverse proxy and have Nginx serve media?

No matter what I try, I get the following warning and images are not loading:

Media Serving Warning

Serving media files directly using gunicorn/python is not recommend! Please follow the steps described here to update your installation.

I think the issue is with where the staticfiles and mediafiles are located on the file system, as I am not able to find these directories. Below is my best guess on what the .nix would look like based on this Manual - Tandoor Recipes and https://github.com/NixOS/nixpkgs/blob/d02d818f22c777aa4e854efc3242ec451e5d462a/nixos/modules/services/misc/tandoor-recipes.nix.

  services.tandoor-recipes = {
    enable = true;
    port = 8888;
    address = "";
    extraConfig = {
      SECRET_KEY = "Sectet_key used for testing";
      ENABLE_SIGNUP = "1";
    };
  };

  services.nginx.virtualHosts."tandoor.example.com" = {
    enableACME = true;
    forceSSL = true;

    locations."/static/".alias = "/var/lib/tandoor-recipes/recipes/staticfiles";

    locations."/media/".alias = "/var/lib/tandoor-recipes/recipes/mediafiles";

    locations."/" = {
      proxyPass = "";
      proxyWebsockets = true;
    };
  };

Any suggestion on how to get this working?

Thank you

Hi, I’ve been bitten by the same issue. I was able to pinpoint the issue by looking into nginx logs:

journalctl -u nginx.service

I was able to find the following line:

Apr 23 13:23:48 odroid nginx[577544]: 2024/04/23 13:23:48 [error] 577544#577544: *3442 open() "/var/lib/tandoor-recipes/recipes/91463ea6-4fad-4b90-b9e1-67230ebd20d7_18.jpg" failed (13: Permission denied), client:, server: tandoor.house.flakm.com, request: "GET /media/recipes/91463ea6-4fad-4b90-b9e1-67230ebd20d7_18.jpg HTTP/2.0", host: "tandoor.house.flakm.com", referrer: "https://tandoor.house.flakm.com/search/"

The line might be different for you, but it shows that Nginx does not have permission to find files in the expected location. You can check this by issuing:

sudo su - nginx -s $(which bash)
# and now you can test:
[nginx@odroid:~]$ cd /var/lib/tandoor-recipes/                                
-bash: cd: /var/lib/tandoor-recipes/: Permission denied 
[nginx@odroid:~]$ cd /var/lib/private/                                
-bash: cd: /var/lib/private/: Permission denied 

Systemd configuration for the service uses DynamicUser as you can see here: systemd.exec

So, to fix this, I had to add nginx into relevant groups:

  users.groups.tandoor-recipes.members = [ "nginx" ];

Add nginx alias for media in locations:

          "/media/".alias = "/var/lib/tandoor-recipes/";

And issue the following commands:

# allow users to enter into this directory
sudo chmod o+x /var/lib/private/tandoor-recipes
sudo chmod o+x /var/lib/private/

You can read all the configuration here: tandoor.nix

Isn’t adding the nginx group to tandoor a bit pointless if you add +x for other and not group?

eg. I would expect chmod g+x

I’m adding +x so the nginx user can enter the directory owned by the root:root.

Having execute permission on a directory authorizes you to look at extended information on files in the directory (using ls -l, for instance) but also allows you to change your working directory (using cd) or pass through this directory on your way to a subdirectory underneath.

And nginx to group tandoor-recipes so it can read the files owned by the tandoor’s dynamic user.
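An added example, not part of any post in this thread: a small Python model of the mode-bit check the kernel applies to each path component, showing why the o+x change and the group membership discussed above address different components. The uids, gids, modes and the file name `img.jpg` are constructed assumptions, not values taken from a real system.

```python
import os
import stat

def stat_chain(path):
    """Collect (path, uid, gid, mode) for each component of a real path."""
    chain, current = [], os.sep
    for part in os.path.realpath(path).strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        chain.append((current, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return chain

def first_denied(chain, uid, gids):
    """Return (path, reason) for the first component that blocks a non-root
    caller, or None. Mode bits only: no ACLs, capabilities or sandboxing."""
    for i, (path, owner, group, mode) in enumerate(chain):
        # Classes are exclusive: owner bits, else group bits, else other bits.
        if uid == owner:
            bits = mode >> 6
        elif group in gids:
            bits = mode >> 3
        else:
            bits = mode
        is_file = i == len(chain) - 1  # last component is the file to read
        if not is_file and not bits & 1:
            return path, "no x (search) on directory"
        if is_file and not bits & 4:
            return path, "no r (read) on file"
    return None

# Constructed layout: every uid, gid and mode below is an assumption.
ROOT, DYNAMIC_UID, NGINX_UID, TANDOOR_GID = 0, 61000, 60, 990
STATE = "/var/lib/private/tandoor-recipes"

def layout(private_mode, state_mode):
    return [
        ("/var/lib/private", ROOT, ROOT, private_mode),
        (STATE, DYNAMIC_UID, TANDOOR_GID, state_mode),
        (STATE + "/img.jpg", DYNAMIC_UID, TANDOOR_GID, 0o640),
    ]

if __name__ == "__main__":
    for private_mode, state_mode, gids in [
        (0o700, 0o750, set()),           # before any change
        (0o700, 0o750, {TANDOOR_GID}),   # group membership alone
        (0o701, 0o750, set()),           # o+x on /var/lib/private alone
        (0o701, 0o750, {TANDOOR_GID}),   # both
    ]:
        print(oct(private_mode), oct(state_mode), sorted(gids),
              first_denied(layout(private_mode, state_mode), NGINX_UID, gids))
```

On a real host, `first_denied(stat_chain(path), uid, gids)` run as root applies the same check to the actual components of a media file path.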