NixOS · fricklerhandwerk · May 30, 2025 · May 13, 2025
diff --git a/default.nix b/default.nix
@@ -137,6 +137,7 @@ rec {
           GH_ISSUES_REPO = "sectracker-testing";
           GH_SECURITY_TEAM = "setracker-testing-security";
           GH_COMMITTERS_TEAM = "sectracker-testing-committers";
+          STATIC_ROOT = "${toString ./src/website/static}";
         };
       };
 

diff --git a/nix/web-security-tracker.nix b/nix/web-security-tracker.nix
@@ -108,9 +108,16 @@ in
       type = types.nullOr types.str;
       default = null;
     };
-    env = mkOption {
+    env = mkOption rec {
+      description = ''
+        Django configuration via environment variables, see `settings.py` for options.
+      '';
       type = types.attrsOf types.anything;
-      default = { };
+      default = {
+        STATIC_ROOT = "/var/lib/web-security-tracker/static/"; # trailing slash is required!
+      };
+      # only override defaults with explicit values
+      apply = lib.recursiveUpdate default;
     };
     settings = mkOption {
       type = types.attrsOf types.anything;
@@ -152,7 +159,6 @@ in
     services = {
       # TODO(@fricklerhandwerk): move all configuration over to pydantic-settings
       web-security-tracker.settings = {
-        STATIC_ROOT = mkDefault "/var/lib/web-security-tracker/static";
         DEBUG = mkDefault false;
         ALLOWED_HOSTS = mkDefault [
           (with cfg; if production then domain else "*")
@@ -174,7 +180,7 @@ in
           {
             locations = {
               "/".proxyPass = "http://localhost:${toString cfg.wsgi-port}";
-              "/static/".alias = "/var/lib/web-security-tracker/static/";
+              "/static/".alias = cfg.env.STATIC_ROOT;
             };
           }
           // lib.optionalAttrs cfg.production {

diff --git a/src/website/tracker/settings.py b/src/website/tracker/settings.py
@@ -38,6 +38,11 @@ class Settings(BaseSettings):
     class DjangoSettings(BaseModel):
         # SECURITY WARNING: don't run with debug turned on in production!
         DEBUG: bool = False
+        STATIC_ROOT: Path = Field(
+            description="""
+            Writeable directory for compilimg static files, such as stylesheets, when running `manage collectstatic`.
+            """
+        )
         SYNC_GITHUB_STATE_AT_STARTUP: bool = Field(
             description="""
             Connect to GitHub when the service is started and update