Tandoor Recipes with Nginx Proxy Serving Media?

Has anyone had some luck getting the tandoor-recipes.nix to work with an Nginx reverse proxy and have Nginx serve media?

No matter what I try, I get the following warning and images are not loading:

Media Serving Warning

Serving media files directly using gunicorn/python is not recommend! Please follow the steps described here to update your installation.

I think the issue is with where the staticfiles and mediafiles are located on the file system, as I am not able to find these directories. Below is my best guess on what the .nix would look like based on this Manual - Tandoor Recipes and nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix at d02d818f22c777aa4e854efc3242ec451e5d462a · NixOS/nixpkgs · GitHub.

  services.tandoor-recipes = {
    enable = true;
    port = 8888;
    address = "127.0.0.1";
    extraConfig = {
      SECRET_KEY = "Sectet_key used for testing";
      ENABLE_SIGNUP = "1";
    };
  };  

  services.nginx.virtualHosts."tandoor.example.com" = {
    enableACME = true;
    forceSSL = true;

    locations."/static/".alias = "/var/lib/tandoor-recipes/recipes/staticfiles";

    locations."/media/".alias = "/var/lib/tandoor-recipes/recipes/mediafiles";

    locations."/" = {
      proxyPass = "http://127.0.0.1:8888";
      proxyWebsockets = true;
    };
  };

Any suggestion on how to get this working?

Thank you

1 Like

Hi, I’ve been bitten by the same issue. I was able to pinpoint the issue by looking into nginx logs:

journalctl -u nginx.service

I was able to find the following line:

Apr 23 13:23:48 odroid nginx[577544]: 2024/04/23 13:23:48 [error] 577544#577544: *3442 open() "/var/lib/tandoor-recipes/recipes/91463ea6-4fad-4b90-b9e1-67230ebd20d7_18.jpg" failed (13: Permission denied), client: 192.168.0.128, server: tandoor.house.flakm.com, request: "GET /media/recipes/91463ea6-4fad-4b90-b9e1-67230ebd20d7_18.jpg HTTP/2.0", host: "tandoor.house.flakm.com", referrer: "https://tandoor.house.flakm.com/search/"

The line might be different for you, but it shows that Nginx does not have permission to find files in the expected location. You can check this by issuing:

sudo su - nginx -s $(which bash)
# and now you can test:
[nginx@odroid:~]$ cd /var/lib/tandoor-recipes/                                
-bash: cd: /var/lib/tandoor-recipes/: Permission denied 
[nginx@odroid:~]$ cd /var/lib/private/                                
-bash: cd: /var/lib/private/: Permission denied 

Systemd configuration for the service uses DynamicUser as you can see here: systemd.exec

So, to fix this, I had to add nginx into relevant groups:

  users.groups.tandoor-recipes.members = [ "nginx" ];

Add nginx alias for media in locations:

          "/media/".alias = "/var/lib/tandoor-recipes/";

And issue the following commands:

# allow users to enter into this directory
sudo chmod o+x /var/lib/private/tandoor-recipes
sudo chmod o+x /var/lib/private/

You can read all the configuration here: tandoor.nix

2 Likes

Isn’t adding the nginx group to tandoor a bit pointless if you add +x for other and not group?

eg. I would expect chmod g+x

I’m adding +x so the nginx user can enter the directory owned by root:root.

Having execute permission on a directory authorizes you to look at extended information on files in the directory (using ls -l, for instance) but also allows you to change your working directory (using cd) or pass through this directory on your way to a subdirectory underneath.

And I’m adding nginx to the group tandoor-recipes so it can read the files owned by tandoor’s dynamic user.

1 Like
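
Added example, not part of any post in this thread: a POSIX shell helper that walks every directory on the way to a media file (resolving the /var/lib/tandoor-recipes symlink first) and names the first one whose owner, group or other execute bit stops a given uid and gid list. The function names and arguments are made up for this example; it assumes GNU stat and readlink and looks only at the classic mode bits, not ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the first directory on the way
# to a file that a given uid/gid set cannot traverse, using the classic
# owner/group/other mode bits only (ACLs and root's bypass are ignored).
# Needs GNU stat and readlink; run it as root so every component is readable.
# Usage: first_blocked /var/lib/tandoor-recipes "$(id -u nginx)" "$(id -G nginx)"

# can_search DIR UID "GID GID ..." -> exit 0 if UID may pass through DIR
can_search() {
  cs_gids=" $3 "
  cs_mode=$(stat -c '%a' -- "$1") || return 2
  cs_owner=$(stat -c '%u' -- "$1")
  cs_group=$(stat -c '%g' -- "$1")
  cs_mode=$(( 0$cs_mode & 0777 ))          # drop setuid/setgid/sticky
  if [ "$2" -eq "$cs_owner" ]; then
    cs_bit=$(( cs_mode & 0100 ))           # owner class: only u+x counts
  else
    case $cs_gids in
      *" $cs_group "*) cs_bit=$(( cs_mode & 0010 )) ;;  # group class: g+x
      *)               cs_bit=$(( cs_mode & 0001 )) ;;  # everyone else: o+x
    esac
  fi
  [ "$cs_bit" -ne 0 ]
}

# first_blocked PATH UID "GIDS" [START]
# Prints the first blocking directory and returns 1, or returns 0 if none.
# START (default /) is where the walk begins.
first_blocked() {
  fb_target=$(readlink -f -- "$1") || return 2   # follow symlinks first
  fb_cur=$(readlink -f -- "${4:-/}") || return 2
  [ -d "$fb_target" ] || fb_target=$(dirname -- "$fb_target")
  fb_rest=${fb_target#"$fb_cur"}
  can_search "$fb_cur" "$2" "$3" || { echo "$fb_cur"; return 1; }
  while [ -n "$fb_rest" ]; do
    fb_rest=${fb_rest#/}                   # peel off one path component
    fb_part=${fb_rest%%/*}
    fb_rest=${fb_rest#"$fb_part"}
    fb_cur=${fb_cur%/}/$fb_part
    can_search "$fb_cur" "$2" "$3" || { echo "$fb_cur"; return 1; }
  done
  return 0
}
```

Only one permission class is consulted per directory: the group bits matter only when the directory's group is one of the gids passed in, otherwise the other bits decide.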

Hi, I’m using NixOS 24.11 and tried installing tandoor. Despite having to add a postgresql part in my tandoor.nix to get a DB and user ready, I still have the problem of not being able to get nginx to access /var/lib/tandoor-recipes, as it is a link to a private folder.

When I try using FlakM’s idea of adding nginx to the tandoor-recipes group and changing the folder rights I get an error. /var/lib/private as well as /var/lib/tandoor-recipes won’t let me change their rights as they are generated by PrivateTmp or ProtectSystem.

Is there any idea how to fix this, and why this issue exists and the necessary DB is not generated by the module?

I saw 25.05 adds options for user and group to services.tandoor-recipes, but I’m not sure this would change anything for this issue at hand.