commit 0e2787884e7d6c60e51da9e1c158e75406cac7a9 · pyrox.dev/nixpkgs

+27 -22

nixos/modules/services/web-apps/freshrss.nix

···

       60
       60
        
             };

     

       61
       61
        
       

     

       62
       62
        
             port = mkOption {

     

       63
       63
       -
               type = with types; nullOr port;

     

       63
       63
       +
               type = types.nullOr types.port;

     

       64
       64
        
               default = null;

     

       65
       65
        
               description = mdDoc "Database port for FreshRSS.";

     

       66
       66
        
               example = 3306;

     
···

       73
       73
        
             };

     

       74
       74
        
       

     

       75
       75
        
             passFile = mkOption {

     

       76
       76
       -
               type = types.nullOr types.str;

     

       76
       76
       +
               type = types.nullOr types.path;

     

       77
       77
        
               default = null;

     

       78
       78
        
               description = mdDoc "Database password file for FreshRSS.";

     

       79
       79
        
               example = "/run/secrets/freshrss";

     
···

       116
       116
        
               with default values.

     

       117
       117
        
             '';

     

       118
       118
        
           };

     

       119
       119
       +
       

     

       120
       120
       +
           user = mkOption {

     

       121
       121
       +
             type = types.str;

     

       122
       122
       +
             default = "freshrss";

     

       123
       123
       +
             description = lib.mdDoc "User under which Freshrss runs.";

     

       124
       124
       +
           };

     

       119
       125
        
         };

     

       120
       120
       -
       

     

       121
       126
        
       

     

       122
       127
        
         config =

     

       123
       128
        
           let

     

       124
       124
       -
             systemd-hardening = {

     

       129
       129
       +
             defaultServiceConfig = {

     

       130
       130
       +
               ReadWritePaths = "${cfg.dataDir}";

     

       125
       131
        
               CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];

     

       126
       132
        
               DeviceAllow = "";

     

       127
       133
        
               LockPersonality = true;

     
···

       146
       152
        
               SystemCallArchitectures = "native";

     

       147
       153
        
               SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];

     

       148
       154
        
               UMask = "0007";

     

       155
       155
       +
               Type = "oneshot";

     

       156
       156
       +
               User = cfg.user;

     

       157
       157
       +
               Group = config.users.users.${cfg.user}.group;

     

       158
       158
       +
               StateDirectory = "freshrss";

     

       159
       159
       +
               WorkingDirectory = cfg.package;

     

       149
       160
        
             };

     

       150
       161
        
           in

     

       151
       162
        
           mkIf cfg.enable {

     
···

       199
       210
        
               };

     

       200
       211
        
             };

     

       201
       212
        
       

     

       202
       202
       -
             users.users.freshrss = {

     

       213
       213
       +
             users.users."${cfg.user}" = {

     

       203
       214
        
               description = "FreshRSS service user";

     

       204
       215
        
               isSystemUser = true;

     

       205
       205
       -
               group = "freshrss";

     

       216
       216
       +
               group = "${cfg.user}";

     

       217
       217
       +
               home = cfg.dataDir;

     

       206
       218
        
             };

     

       207
       207
       -
             users.groups.freshrss = { };

     

       219
       219
       +
             users.groups."${cfg.user}" = { };

     

       220
       220
       +
       

     

       221
       221
       +
             systemd.tmpfiles.rules = [

     

       222
       222
       +
               "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"

     

       223
       223
       +
             ];

     

       208
       224
        
       

     

       209
       225
        
             systemd.services.freshrss-config =

     

       210
       226
        
               let

     
···

       228
       244
        
               {

     

       229
       245
        
                 description = "Set up the state directory for FreshRSS before use";

     

       230
       246
        
                 wantedBy = [ "multi-user.target" ];

     

       231
       231
       -
                 serviceConfig = {

     

       247
       247
       +
                 serviceConfig = defaultServiceConfig //{

     

       232
       248
        
                   Type = "oneshot";

     

       233
       249
        
                   User = "freshrss";

     

       234
       250
        
                   Group = "freshrss";

     

       235
       251
        
                   StateDirectory = "freshrss";

     

       236
       252
        
                   WorkingDirectory = cfg.package;

     

       237
       237
       -
                 } // systemd-hardening;

     

       253
       253
       +
                 };

     

       238
       254
        
                 environment = {

     

       239
       255
        
                   FRESHRSS_DATA_PATH = cfg.dataDir;

     

       240
       256
        
                 };

     

       241
       257
        
       

     

       242
       258
        
                 script = ''

     

       243
       243
       -
                   # create files with correct permissions

     

       244
       244
       -
                   mkdir -m 755 -p ${cfg.dataDir}

     

       245
       245
       -
       

     

       246
       259
        
                   # do installation or reconfigure

     

       247
       260
        
                   if test -f ${cfg.dataDir}/config.php; then

     

       248
       261
        
                     # reconfigure with settings

     

       249
       262
        
                     ./cli/reconfigure.php ${settingsFlags}

     

       250
       263
        
                     ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"

     

       251
       264
        
                   else

     

       252
       252
       -
                     # Copy the user data template directory

     

       253
       253
       -
                     cp -r ./data ${cfg.dataDir}

     

       254
       254
       -
       

     

       255
       265
        
                     # check correct folders in data folder

     

       256
       266
        
                     ./cli/prepare.php

     

       257
       267
        
                     # install with settings

     
···

       269
       279
        
               environment = {

     

       270
       280
        
                 FRESHRSS_DATA_PATH = cfg.dataDir;

     

       271
       281
        
               };

     

       272
       272
       -
               serviceConfig = {

     

       273
       273
       -
                 Type = "oneshot";

     

       274
       274
       -
                 User = "freshrss";

     

       275
       275
       -
                 Group = "freshrss";

     

       276
       276
       -
                 StateDirectory = "freshrss";

     

       277
       277
       -
                 WorkingDirectory = cfg.package;

     

       282
       282
       +
               serviceConfig = defaultServiceConfig //{

     

       278
       283
        
                 ExecStart = "${cfg.package}/app/actualize_script.php";

     

       279
       279
       -
               } // systemd-hardening;

     

       284
       284
       +
               };

     

       280
       285
        
             };

     

       281
       286
        
           };

     

       282
       287
        
       }

+2 -1

nixos/tests/all-tests.nix

···

       225
       225
        
         fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};

     

       226
       226
        
         freenet = handleTest ./freenet.nix {};

     

       227
       227
        
         freeswitch = handleTest ./freeswitch.nix {};

     

       228
       228
       -
         freshrss = handleTest ./freshrss.nix {};

     

       228
       228
       +
         freshrss-sqlite = handleTest ./freshrss-sqlite.nix {};

     

       229
       229
       +
         freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};

     

       229
       230
        
         frr = handleTest ./frr.nix {};

     

       230
       231
        
         fsck = handleTest ./fsck.nix {};

     

       231
       232
        
         ft2-clone = handleTest ./ft2-clone.nix {};

+48

nixos/tests/freshrss-pgsql.nix

···

       1
       1
       +
       import ./make-test-python.nix ({ lib, pkgs, ... }: {

     

       2
       2
       +
         name = "freshrss";

     

       3
       3
       +
         meta.maintainers = with lib.maintainers; [ etu stunkymonkey ];

     

       4
       4
       +
       

     

       5
       5
       +
         nodes.machine = { pkgs, ... }: {

     

       6
       6
       +
           services.freshrss = {

     

       7
       7
       +
             enable = true;

     

       8
       8
       +
             baseUrl = "http://localhost";

     

       9
       9
       +
             passwordFile = pkgs.writeText "password" "secret";

     

       10
       10
       +
             dataDir = "/srv/freshrss";

     

       11
       11
       +
             database = {

     

       12
       12
       +
               type = "pgsql";

     

       13
       13
       +
               port = 5432;

     

       14
       14
       +
               user = "freshrss";

     

       15
       15
       +
               passFile = pkgs.writeText "db-password" "db-secret";

     

       16
       16
       +
             };

     

       17
       17
       +
           };

     

       18
       18
       +
       

     

       19
       19
       +
           services.postgresql = {

     

       20
       20
       +
             enable = true;

     

       21
       21
       +
             ensureDatabases = [ "freshrss" ];

     

       22
       22
       +
             ensureUsers = [

     

       23
       23
       +
               {

     

       24
       24
       +
                 name = "freshrss";

     

       25
       25
       +
                 ensurePermissions = {

     

       26
       26
       +
                   "DATABASE freshrss" = "ALL PRIVILEGES";

     

       27
       27
       +
                 };

     

       28
       28
       +
               }

     

       29
       29
       +
             ];

     

       30
       30
       +
             initialScript = pkgs.writeText "postgresql-password" ''

     

       31
       31
       +
               CREATE ROLE freshrss WITH LOGIN PASSWORD 'db-secret' CREATEDB;

     

       32
       32
       +
             '';

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           systemd.services."freshrss-config" = {

     

       36
       36
       +
             requires = [ "postgresql.service" ];

     

       37
       37
       +
             after = [ "postgresql.service" ];

     

       38
       38
       +
           };

     

       39
       39
       +
         };

     

       40
       40
       +
       

     

       41
       41
       +
         testScript = ''

     

       42
       42
       +
           machine.wait_for_unit("multi-user.target")

     

       43
       43
       +
           machine.wait_for_open_port(5432)

     

       44
       44
       +
           machine.wait_for_open_port(80)

     

       45
       45
       +
           response = machine.succeed("curl -vvv -s -H 'Host: freshrss' http://127.0.0.1:80/i/")

     

       46
       46
       +
           assert '<title>Login · FreshRSS</title>' in response, "Login page didn't load successfully"

     

       47
       47
       +
         '';

     

       48
       48
       +
       })

nixos/tests/freshrss.nix nixos/tests/freshrss-sqlite.nix

···

       7
       7
        
             enable = true;

     

       8
       8
        
             baseUrl = "http://localhost";

     

       9
       9
        
             passwordFile = pkgs.writeText "password" "secret";

     

       10
       10
       +
             dataDir = "/srv/freshrss";

     

       10
       11
        
           };

     

       11
       12
        
         };

     

       12
       13