Update to 1.11.0

conf/app.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/paperless-ngx/paperless-ngx/releases/download/v1.9.2/paperless-ngx-v1.9.2.tar.xz
-SOURCE_SUM=7da7e355745fcc5ac837323f22f7e6d556386297a61e41f04e104fe785e85cce
+SOURCE_URL=https://github.com/paperless-ngx/paperless-ngx/releases/download/v1.11.0/paperless-ngx-v1.11.0.tar.xz
+SOURCE_SUM=6b175daf2b9c7411b9a63f747ad62661c9733d87072c16a494394a189d2e240f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true

conf/systemd-consumer.service

@@ -1,7 +1,5 @@
 [Unit]
-Description=Paperless qcluster
-After=network.target
-Wants=network.target
+Description=Paperless consumer
 Requires=redis.service
 
 [Service]
@@ -9,8 +7,8 @@ Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/src/
-ExecStart=__FINALPATH__/venv/bin/python manage.py qcluster
-StandardOutput=append:/var/log/__APP__/__APP__.log
+ExecStart=__FINALPATH__/venv/bin/python3 manage.py document_consumer
+StandardOutput=append:/var/log/__APP__/__APP__-consumer.log
 StandardError=inherit
 
 # Sandboxing options to harden security

conf/systemd-scheduler.service

@@ -0,0 +1,43 @@
+[Unit]
+Description=Paperless scheduler
+Requires=redis.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__FINALPATH__/src/
+ExecStart=__FINALPATH__/venv/bin/celery --app paperless beat --loglevel INFO
+StandardOutput=append:/var/log/__APP__/__APP__-scheduler.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+[Install]
+WantedBy=multi-user.target

conf/systemd-task-queue.service

@@ -0,0 +1,44 @@
+[Unit]
+Description=Paperless task-queue
+Requires=redis.service
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__FINALPATH__/src/
+ExecStart=__FINALPATH__/venv/bin/celery --app paperless worker --loglevel INFO
+StandardOutput=append:/var/log/__APP__/__APP__-task-queue.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+#PrivateTmp - Must be disabled for full functionality
+#PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+[Install]
+WantedBy=multi-user.target

conf/systemd.service

@@ -16,7 +16,8 @@ StandardError=inherit
 # Sandboxing options to harden security
 # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 NoNewPrivileges=yes
-PrivateTmp=yes
+#PrivateTmp - Must be disabled for full functionality
+#PrivateTmp=yes
 PrivateDevices=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes

manifest.json

@@ -6,7 +6,7 @@
         "en": "Scan, index and archive all your physical documents",
         "fr": "Scannez, triez et archivez tous vos documents papiers"
     },
-    "version": "1.9.2~ynh1",
+    "version": "1.11.0~ynh1",
     "url": "https://paperless-ngx.com",
     "upstream": {
         "license": "GPL-3.0-or-later",

scripts/_common.sh

@@ -5,8 +5,7 @@
 #=================================================
 
 # dependencies used by the app
-#pkg_dependencies="redis-tools redis-server postgresql postgresql-contrib python3 python3-pip python3-dev python3-venv imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support"
-pkg_dependencies="build-essential postgresql postgresql-contrib python3 python3-pip python3-dev python3-venv imagemagick fonts-liberation optipng gnupg libpq-dev libmagic-dev mime-support libzbar0 poppler-utils default-libmysqlclient-dev"
+pkg_dependencies="python3 python3-pip python3-dev python3-venv default-libmysqlclient-dev fonts-liberation imagemagick gnupg libpq-dev libmagic-dev mime-support libzbar0 poppler-utils postgresql postgresql-contrib "
 ocr_pkg_dependencies="unpaper ghostscript icc-profiles-free qpdf liblept5 libxml2 pngquant zlib1g tesseract-ocr"
 raspberry_pkg_dependencies="libatlas-base-dev libxslt1-dev"
 

scripts/backup

@@ -81,7 +81,9 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 #=================================================
 
 ynh_backup --src_path="/etc/systemd/system/$app.service"
-ynh_backup --src_path="/etc/systemd/system/$app-qcluster.service"
+ynh_backup --src_path="/etc/systemd/system/$app-consumer.service"
+ynh_backup --src_path="/etc/systemd/system/$app-scheduler.service"
+ynh_backup --src_path="/etc/systemd/system/$app-task-queue.service"
 
 #=================================================
 # BACKUP VARIOUS FILES

scripts/change_url

@@ -77,7 +77,9 @@ fi
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="stop" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="stop" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="stop" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="stop" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # MODIFY URL IN NGINX CONF
@@ -131,7 +133,9 @@ chown $app:$app "$final_path/paperless.conf"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # RELOAD NGINX

scripts/install

@@ -198,7 +198,9 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1
 
 # Create a dedicated systemd config
 ynh_add_systemd_config --service="$app" --template="systemd.service"
-ynh_add_systemd_config --service="$app-qcluster" --template="systemd-qcluster.service"
+ynh_add_systemd_config --service="$app-consumer" --template="systemd-consumer.service"
+ynh_add_systemd_config --service="$app-scheduler" --template="systemd-scheduler.service"
+ynh_add_systemd_config --service="$app-task-queue" --template="systemd-task-queue.service"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -216,7 +218,9 @@ ynh_use_logrotate
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add "$app" --log="/var/log/$app/$app.log"
-yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
+yunohost service add "$app-consumer" --log="/var/log/$app/$app-consumer.log"
+yunohost service add "$app-scheduler" --log="/var/log/$app/$app-scheduler.log"
+yunohost service add "$app-task-queue" --log="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -224,7 +228,9 @@ yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # SETUP FAIL2BAN

scripts/remove

@@ -36,7 +36,9 @@ if ynh_exec_warn_less yunohost service status $app >/dev/null
 then
 	ynh_script_progression --message="Removing $app service integration..." --weight=1
 	yunohost service remove "$app"
-	yunohost service remove "$app-qcluster"
+	yunohost service remove "$app-consumer"
+	yunohost service remove "$app-scheduler"
+	yunohost service remove "$app-task-queue"
 fi
 
 #=================================================
@@ -46,7 +48,9 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
 
 # Remove the dedicated systemd config
 ynh_remove_systemd_config --service="$app"
-ynh_remove_systemd_config --service="$app-cluster"
+ynh_remove_systemd_config --service="$app-consumer"
+ynh_remove_systemd_config --service="$app-scheduler"
+ynh_remove_systemd_config --service="$app-task-queue"
 
 #=================================================
 # REMOVE LOGROTATE CONFIGURATION

scripts/restore

@@ -161,9 +161,13 @@ ynh_psql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./d
 ynh_script_progression --message="Restoring the systemd configuration..." --weight=1
 
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
-ynh_restore_file --origin_path="/etc/systemd/system/$app-qcluster.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-consumer.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-scheduler.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-task-queue.service"
 systemctl enable "$app.service" --quiet
-systemctl enable "$app-qcluster.service" --quiet
+systemctl enable "$app-consumer.service" --quiet
+systemctl enable "$app-scheduler.service" --quiet
+systemctl enable "$app-task-queue.service" --quiet
 
 #=================================================
 # RESTORE THE LOGROTATE CONFIGURATION
@@ -181,7 +185,9 @@ ynh_restore_file --origin_path="/etc/logrotate.d/$app"
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add "$app" --log="/var/log/$app/$app.log"
-yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
+yunohost service add "$app-consumer" --log="/var/log/$app/$app-consumer.log"
+yunohost service add "$app-scheduler" --log="/var/log/$app/$app-scheduler.log"
+yunohost service add "$app-task-queue" --log="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -189,7 +195,9 @@ yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # GENERIC FINALIZATION

scripts/upgrade

@@ -56,7 +56,9 @@ ynh_abort_if_errors
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="stop" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="stop" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="stop" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="stop" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@@ -187,7 +189,9 @@ ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
 
 # Create a dedicated systemd config
 ynh_add_systemd_config --service="$app" --template="systemd.service"
-ynh_add_systemd_config --service="$app-qcluster" --template="systemd-qcluster.service"
+ynh_add_systemd_config --service="$app-consumer" --template="systemd-consumer.service"
+ynh_add_systemd_config --service="$app-scheduler" --template="systemd-scheduler.service"
+ynh_add_systemd_config --service="$app-task-queue" --template="systemd-task-queue.service"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -198,7 +202,9 @@ ynh_script_progression --message="Upgrading logrotate configuration..." --weight
 
 # Use logrotate to manage app-specific logfile(s)
 ynh_use_logrotate --logfile="/var/log/$app/$app.log"
-ynh_use_logrotate --logfile="/var/log/$app/$app-qcluster.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-consumer.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-scheduler.log"
+ynh_use_logrotate --logfile="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@@ -206,7 +212,9 @@ ynh_use_logrotate --logfile="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add "$app" --log="/var/log/$app/$app.log"
-yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
+yunohost service add "$app-consumer" --log="/var/log/$app/$app-consumer.log"
+yunohost service add "$app-scheduler" --log="/var/log/$app/$app-scheduler.log"
+yunohost service add "$app-task-queue" --log="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # START SYSTEMD SERVICE
@@ -214,7 +222,9 @@ yunohost service add "$app-qcluster" --log="/var/log/$app/$app-qcluster.log"
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log"
-ynh_systemd_action --service_name="$app-qcluster" --action="start" --log_path="/var/log/$app/$app-qcluster.log"
+ynh_systemd_action --service_name="$app-consumer" --action="start" --log_path="/var/log/$app/$app-consumer.log"
+ynh_systemd_action --service_name="$app-scheduler" --action="start" --log_path="/var/log/$app/$app-scheduler.log"
+ynh_systemd_action --service_name="$app-task-queue" --action="start" --log_path="/var/log/$app/$app-task-queue.log"
 
 #=================================================
 # UPGRADE FAIL2BAN