nixos/freshrss: fix permissions and add database test
This commit is contained in:
parent
1a6f1bfe58
commit
0e2787884e
4 changed files with 78 additions and 23 deletions
|
@ -60,7 +60,7 @@ in
|
|||
};
|
||||
|
||||
port = mkOption {
|
||||
type = with types; nullOr port;
|
||||
type = types.nullOr types.port;
|
||||
default = null;
|
||||
description = mdDoc "Database port for FreshRSS.";
|
||||
example = 3306;
|
||||
|
@ -73,7 +73,7 @@ in
|
|||
};
|
||||
|
||||
passFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = mdDoc "Database password file for FreshRSS.";
|
||||
example = "/run/secrets/freshrss";
|
||||
|
@ -116,12 +116,18 @@ in
|
|||
with default values.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "freshrss";
|
||||
description = lib.mdDoc "User under which Freshrss runs.";
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
let
|
||||
systemd-hardening = {
|
||||
defaultServiceConfig = {
|
||||
ReadWritePaths = "${cfg.dataDir}";
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
DeviceAllow = "";
|
||||
LockPersonality = true;
|
||||
|
@ -146,6 +152,11 @@ in
|
|||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
|
||||
UMask = "0007";
|
||||
Type = "oneshot";
|
||||
User = cfg.user;
|
||||
Group = config.users.users.${cfg.user}.group;
|
||||
StateDirectory = "freshrss";
|
||||
WorkingDirectory = cfg.package;
|
||||
};
|
||||
in
|
||||
mkIf cfg.enable {
|
||||
|
@ -199,12 +210,17 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
users.users.freshrss = {
|
||||
users.users."${cfg.user}" = {
|
||||
description = "FreshRSS service user";
|
||||
isSystemUser = true;
|
||||
group = "freshrss";
|
||||
group = "${cfg.user}";
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
users.groups.freshrss = { };
|
||||
users.groups."${cfg.user}" = { };
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
|
||||
];
|
||||
|
||||
systemd.services.freshrss-config =
|
||||
let
|
||||
|
@ -228,30 +244,24 @@ in
|
|||
{
|
||||
description = "Set up the state directory for FreshRSS before use";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
serviceConfig = defaultServiceConfig //{
|
||||
Type = "oneshot";
|
||||
User = "freshrss";
|
||||
Group = "freshrss";
|
||||
StateDirectory = "freshrss";
|
||||
WorkingDirectory = cfg.package;
|
||||
} // systemd-hardening;
|
||||
};
|
||||
environment = {
|
||||
FRESHRSS_DATA_PATH = cfg.dataDir;
|
||||
};
|
||||
|
||||
script = ''
|
||||
# create files with correct permissions
|
||||
mkdir -m 755 -p ${cfg.dataDir}
|
||||
|
||||
# do installation or reconfigure
|
||||
if test -f ${cfg.dataDir}/config.php; then
|
||||
# reconfigure with settings
|
||||
./cli/reconfigure.php ${settingsFlags}
|
||||
./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
|
||||
else
|
||||
# Copy the user data template directory
|
||||
cp -r ./data ${cfg.dataDir}
|
||||
|
||||
# check correct folders in data folder
|
||||
./cli/prepare.php
|
||||
# install with settings
|
||||
|
@ -269,14 +279,9 @@ in
|
|||
environment = {
|
||||
FRESHRSS_DATA_PATH = cfg.dataDir;
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "freshrss";
|
||||
Group = "freshrss";
|
||||
StateDirectory = "freshrss";
|
||||
WorkingDirectory = cfg.package;
|
||||
serviceConfig = defaultServiceConfig //{
|
||||
ExecStart = "${cfg.package}/app/actualize_script.php";
|
||||
} // systemd-hardening;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -225,7 +225,8 @@ in {
|
|||
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
|
||||
freenet = handleTest ./freenet.nix {};
|
||||
freeswitch = handleTest ./freeswitch.nix {};
|
||||
freshrss = handleTest ./freshrss.nix {};
|
||||
freshrss-sqlite = handleTest ./freshrss-sqlite.nix {};
|
||||
freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};
|
||||
frr = handleTest ./frr.nix {};
|
||||
fsck = handleTest ./fsck.nix {};
|
||||
ft2-clone = handleTest ./ft2-clone.nix {};
|
||||
|
|
48
nixos/tests/freshrss-pgsql.nix
Normal file
48
nixos/tests/freshrss-pgsql.nix
Normal file
|
@ -0,0 +1,48 @@
|
|||
import ./make-test-python.nix ({ lib, pkgs, ... }: {
|
||||
name = "freshrss";
|
||||
meta.maintainers = with lib.maintainers; [ etu stunkymonkey ];
|
||||
|
||||
nodes.machine = { pkgs, ... }: {
|
||||
services.freshrss = {
|
||||
enable = true;
|
||||
baseUrl = "http://localhost";
|
||||
passwordFile = pkgs.writeText "password" "secret";
|
||||
dataDir = "/srv/freshrss";
|
||||
database = {
|
||||
type = "pgsql";
|
||||
port = 5432;
|
||||
user = "freshrss";
|
||||
passFile = pkgs.writeText "db-password" "db-secret";
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "freshrss" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "freshrss";
|
||||
ensurePermissions = {
|
||||
"DATABASE freshrss" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
initialScript = pkgs.writeText "postgresql-password" ''
|
||||
CREATE ROLE freshrss WITH LOGIN PASSWORD 'db-secret' CREATEDB;
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services."freshrss-config" = {
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.wait_for_open_port(5432)
|
||||
machine.wait_for_open_port(80)
|
||||
response = machine.succeed("curl -vvv -s -H 'Host: freshrss' http://127.0.0.1:80/i/")
|
||||
assert '<title>Login · FreshRSS</title>' in response, "Login page didn't load successfully"
|
||||
'';
|
||||
})
|
|
@ -7,6 +7,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
|
|||
enable = true;
|
||||
baseUrl = "http://localhost";
|
||||
passwordFile = pkgs.writeText "password" "secret";
|
||||
dataDir = "/srv/freshrss";
|
||||
};
|
||||
};
|
||||
|
Loading…
Reference in a new issue