author: Sefa Eyeoglu <contact@scrumplex.net> 2026-01-18 22:08:10 +0000
committer: GitHub <noreply@github.com> 2026-01-18 22:08:10 +0000
commit: 815c3bf1d2019b7b2e5fe2d625059dd9dca54a81 (patch)
tree: 473079d57a7c345efde24744c793ae59a546d756
parent: 2886ed5b12cece8d1f653ff299d24614b244b4ae (diff)
parent: dafae86e9d939750eb9bf60d0e2c6383be1be8cd (diff)
nixos/tandoor-recipes: update MEDIA_ROOT remediation docs (#481134)
-rw-r--r-- nixos/doc/manual/redirects.json (9)
-rw-r--r-- nixos/modules/services/misc/tandoor-recipes.md (46)
2 files changed, 47 insertions, 8 deletions
diff --git a/nixos/doc/manual/redirects.json b/nixos/doc/manual/redirects.json
index d35b554cbff8..a7e2010fe10e 100644
--- a/nixos/doc/manual/redirects.json
+++ b/nixos/doc/manual/redirects.json
@@ -65,12 +65,17 @@
"module-services-keycloak-unix-socket": [
"index.html#module-services-keycloak-unix-socket"
],
- "module-services-tandoor-recipes-migrating-media-option-1": [
+ "module-services-tandoor-recipes-migrating-media-option-move": [
+ "index.html#module-services-tandoor-recipes-migrating-media-option-move",
"index.html#module-services-tandoor-recipes-migrating-media-option-1"
],
- "module-services-tandoor-recipes-migrating-media-option-2": [
+ "module-services-tandoor-recipes-migrating-media-option-postgresql": [
+ "index.html#module-services-tandoor-recipes-migrating-media-option-postgresql",
"index.html#module-services-tandoor-recipes-migrating-media-option-2"
],
+ "module-services-tandoor-recipes-migrating-media-option-disallow-access": [
+ "index.html#module-services-tandoor-recipes-migrating-media-option-disallow-access"
+ ],
"sec-override-nixos-test": [
"index.html#sec-override-nixos-test"
],
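Review bot: The legacy `...-option-2` anchor is now redirected to the PostgreSQL section, but the old "Option 2: Keep existing directory (may be insecure)" guidance is split across two new "Not recommended" sections (PostgreSQL and "Disallow access to `db.sqlite3`"); confirm PostgreSQL is the intended target, since it is the section that still carries the `MEDIA_ROOT = "/var/lib/tandoor-recipes"` snippet. The `...-option-1` alias kept under the new `...-option-move` key and the fresh `...-disallow-access` entry (which needs no alias) look correct.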
diff --git a/nixos/modules/services/misc/tandoor-recipes.md b/nixos/modules/services/misc/tandoor-recipes.md
index 762ab56c5c6d..7888805eff70 100644
--- a/nixos/modules/services/misc/tandoor-recipes.md
+++ b/nixos/modules/services/misc/tandoor-recipes.md
@@ -1,19 +1,53 @@
# Tandoor Recipes {#module-services-tandoor-recipes}
-## Dealing with `MEDIA_ROOT` for installations prior 26.05 {#module-services-tandoor-recipes-migrating-media}
+## Remediating insecure `MEDIA_ROOT` for installations prior to 26.05 {#module-services-tandoor-recipes-migrating-media}
-See https://github.com/NixOS/nixpkgs/issues/338339 for some background.
+Tandoor Recipes installations initialized with `system.stateVersion < 26.05`
+may suffer from a security vulnerability. To remediate this issue, apply one of
+the recommendations below.
-### Option 1: Migrate media to new `MEDIA_ROOT` {#module-services-tandoor-recipes-migrating-media-option-1}
+See [NixOS/nixpkgs#338339](https://github.com/NixOS/nixpkgs/issues/338339) and
+[GHSA-g8w3-p77x-mmxh](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh)
+for some background.
+
+### Recommended: Move `MEDIA_ROOT` into a subdirectory {#module-services-tandoor-recipes-migrating-media-option-move}
+
+The issue is only present when `MEDIA_ROOT` is the same as the data directory. Moving it into a subdirectory of `/var/lib/tandoor-recipes` remediates this and any similar issues in the future.
1. Stop the currently running service: `systemctl stop tandoor-recipes.service`
2. Create a media folder. NixOS `26.05` creates the media path at `/var/lib/tandoor-recipes/media` by default, but you may choose any other path as well. `mkdir -p /var/lib/tandoor-recipes/media`
3. Move existing media to the new path: `mv /var/lib/tandoor-recipes/{files,recipes} /var/lib/tandoor-recipes/media`
4. Set `services.tandoor-recipes.extraConfig.MEDIA_ROOT = "/var/lib/tandoor-recipes/media";` in your NixOS configuration (not needed if `system.stateVersion >= 26.05`).
-5. Rebuild and switch!
+5. If not using `GUNICORN_MEDIA`, update your reverse proxy / web server configuration accordingly.
+6. Rebuild and switch!
These changes can be reverted by moving the files back into the state directory.
-### Option 2: Keep existing directory (may be insecure) {#module-services-tandoor-recipes-migrating-media-option-2}
+### Not recommended: Switch to PostgreSQL {#module-services-tandoor-recipes-migrating-media-option-postgresql}
+
+When using an external database like PostgreSQL (the only other option available in Tandoor Recipes) this issue does not manifest.
+
+A simple PostgreSQL configuration can be enabled using the option
+[`services.tandoor-recipes.database.createLocally`](https://search.nixos.org/options?channel=unstable&show=services.tandoor-recipes.database.createLocally).
+
+Note that this will require migrating the existing database to PostgreSQL. Refer to the [upstream documentation](https://docs.tandoor.dev/system/migration_sqlite-postgres/) for this procedure. It is important to delete or move the `db.sqlite3` file out of the media path, after this has been done.
+
+More information on configuring PostgreSQL can be found in the [upstream documentation](https://docs.tandoor.dev/system/configuration/#database).
+
+Set the following option to ignore the evaluation warnings once `db.sqlite3` has been deleted.
+
+```nix
+{
+ services.tandoor-recipes.extraConfig.MEDIA_ROOT = "/var/lib/tandoor-recipes";
+}
+```
+
+As future releases of Tandoor Recipes could add additional files to the data
+directory, this is not a future-proof solution.
+
+### Not recommended: Disallow access to `db.sqlite3` {#module-services-tandoor-recipes-migrating-media-option-disallow-access}
+
+When using a web server like nginx, access to this file can be disabled.
-To keep the existing directory, set `services.tandoor-recipes.extraConfig.MEDIA_ROOT = "/var/lib/tandoor-recipes";`.
+As future releases of Tandoor Recipes could add additional files to the data
+directory, this is not a future-proof solution.
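Review bot: The new "Disallow access to `db.sqlite3`" section (the three lines before the closing paragraph) is missing the documentation it promises: it says access "can be disabled" with a web server like nginx but gives no configuration, and unlike the PostgreSQL section it does not say whether the user still needs to set `MEDIA_ROOT` to silence the evaluation warning. It also does not cover the `GUNICORN_MEDIA` case that step 5 of the recommended option introduces: when media is served by gunicorn rather than the reverse proxy, a web-server deny rule does not apply, so the section should state that this remediation only works when the proxy is the one serving `MEDIA_ROOT`. Smaller points: the intro paragraph says installations "may suffer from a security vulnerability" without stating what it is, while the reader only infers from the later sections that the problem is `db.sqlite3` living under the served `MEDIA_ROOT`; a one-line statement of the issue up front would make the "Recommended" rationale ("only present when `MEDIA_ROOT` is the same as the data directory") self-explanatory. The closing paragraph "As future releases of Tandoor Recipes could add additional files..." is duplicated verbatim in the PostgreSQL and disallow-access sections and could be stated once, and the new paragraph under the "Recommended" heading is a single long line whereas the rest of the added text is wrapped.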