nixos/paperless: move paperless-manage to proper systemPackage

[SuperSandro2000]

Closes #343961

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[erikarvstedt]

This doesn't work on systems that use doas instead of sudo.
Ways to solve this:

• Add a simple runtime warning in paperless-manage that asks users to manually run the command with doas.

• Enable sudo in the paperless module. Unsafe and intrusive, not viable.

• Add doas support. I've implemented this here, feel free to squash.
  Because doas doesn't support sudo option --preserve-env, we sudo/doas-exec the whole paperless-manage script to run the env setup after sudo/doas.

  Note: Module btrbk has a similar sudo/doas check. It probably doesn't make sense yet to extract this to a common lib function.

[leona-ya]

I think this also breaks with sudo-rs, as it doesn't implement --preserve-env.

[erikarvstedt]

Running manage under the wrong user is indeed a pitfall we should remove, so I'ld like to see this merged.
My above patch makes it work for all sudo implementations.

[SuperSandro2000]

This doesn't work on systems that use doas instead of sudo.

Then don't use doas or the sudo shim, they are none standard anyway and break basic things as you noted and the project is abandonware anyway since 3 to 4 year depending on how you count https://github.com/Duncaen/OpenDoas

Add a simple runtime warning in paperless-manage that asks users to manually run the command with doas.

It needs to be a hard error as the linked issue demonstrates and if we turn it into an hard error then we might as well just sudo to the correct user to not get in our way.

Enable sudo in the paperless module. Unsafe and intrusive, not viable.

Not necessary as it is enabled by default but we can easily exit the script if people are not using sudo and the script is run as the wrong user.

we sudo/doas-exec the whole paperless-manage script to run the env setup after sudo/doas.

That could be a solution but since EnvironmentFile from systemd allows us to have the secret file 400 for root:root we would be loosing that.

Note: Module btrbk has a similar sudo/doas check. It probably doesn't make sense yet to extract this to a common lib function.

I am not doing that since I am aware of the pitfalls it has with the shared nginx module and to my knowledge it cannot easily be done correct on a module level.

[SuperSandro2000]

Add doas support. I've implemented this here, feel free to squash.

regarding The `paperless` module requires `sudo` or `doas` to be enabled: that is not true, you just then need to figure out how to run the script as the paperless user on your own which IMO is a fine solution and puts people not using the standard sudo back to where we are right now but with a hard error.

Also having a throw in the module system is forbidden as that halts the entire evaluation on the first error. It must be an assertion.

[SuperSandro2000]

I pushed a solution which I think is the easiest one here to keep doas compatibility: people not running sudo just need to use runuser/doas -u paperless/or anything similar to change the user of the script.

[erikarvstedt]

This line of the test needs to be changed to

assert cmdline.strip() == "paperless-manage document_exporter /var/lib/paperless/export --compare-checksums --delete --no-progress-bar --no-thumbnail", "Unexpected exporter command line"

This PR needs a changelog entry.

[eclairevoyant]

Also why in the world are we running sudo in a systemd service that can arbitrarily set the user? Shouldn't we figure out why it's running as root in the first place when serviceConfig.User is already set?

[SuperSandro2000]

Also why in the world are we running sudo in a systemd service that can arbitrarily set the user? Shouldn't we figure out why it's running as root in the first place when serviceConfig.User is already set?

We are not doing that. Please check the code correctly. We are switching the user if it doesn't match what we expect which is only the case when running interactively. Also sudo will fail because we don't have a pty.

[SuperSandro2000]

Run the tests locally. Going to merge this to avoid more merge conflicts with the other two paperless PRs open by me and we have done a good review on this one.

[erikarvstedt]

Couldn't run test due to paperless build failures (log), but diff looks fine.

[SuperSandro2000]

that's probably just another occurrence of 361006