commit 1df9e95ed751f9a37e7d5d9db1efc4eff242e043 · pyrox.dev/nixpkgs

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

···

       327
       327
        
             </listitem>

     

       328
       328
        
             <listitem>

     

       329
       329
        
               <para>

     

       330
       330
       +
                 <literal>services.miniflux.adminCredentialFiles</literal> is

     

       331
       331
       +
                 now required, instead of defaulting to

     

       332
       332
       +
                 <literal>admin</literal> and <literal>password</literal>.

     

       333
       333
       +
               </para>

     

       334
       334
       +
             </listitem>

     

       335
       335
       +
             <listitem>

     

       336
       336
       +
               <para>

     

       330
       337
        
                 The <literal>autorestic</literal> package has been upgraded

     

       331
       338
        
                 from 1.3.0 to 1.5.0 which introduces breaking changes in

     

       332
       339
        
                 config file, check

nixos/doc/manual/release-notes/rl-2205.section.md

···

       109
       109
        
       

     

       110
       110
        
       - opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs

     

       111
       111
        
       

     

       112
       112
       +
       - `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.

     

       113
       113
       +
       

     

       112
       114
        
       - The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.

     

       113
       115
        
       

     

       114
       116
        
       - For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`

+19 -27

nixos/modules/services/web-apps/miniflux.nix

···

       7
       7
        
         defaultAddress = "localhost:8080";

     

       8
       8
        
       

     

       9
       9
        
         dbUser = "miniflux";

     

       10
       10
       -
         dbPassword = "miniflux";

     

       11
       11
       -
         dbHost = "localhost";

     

       12
       10
        
         dbName = "miniflux";

     

       13
       11
        
       

     

       14
       14
       -
         defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''

     

       15
       15
       -
           ADMIN_USERNAME=admin

     

       16
       16
       -
           ADMIN_PASSWORD=password

     

       17
       17
       -
         '';

     

       18
       18
       -
       

     

       19
       12
        
         pgbin = "${config.services.postgresql.package}/bin";

     

       20
       13
        
         preStart = pkgs.writeScript "miniflux-pre-start" ''

     

       21
       14
        
           #!${pkgs.runtimeShell}

     

       22
       22
       -
           db_exists() {

     

       23
       23
       -
             [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]

     

       24
       24
       -
           }

     

       25
       25
       -
           if ! db_exists "${dbName}"; then

     

       26
       26
       -
             ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"

     

       27
       27
       -
             ${pgbin}/createdb --owner "${dbUser}" "${dbName}"

     

       28
       28
       -
             ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"

     

       29
       29
       -
           fi

     

       15
       15
       +
           ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"

     

       30
       16
        
         '';

     

       31
       17
        
       in

     

       32
       18
        
       

     
···

       54
       40
        
             };

     

       55
       41
        
       

     

       56
       42
        
             adminCredentialsFile = mkOption  {

     

       57
       57
       -
               type = types.nullOr types.path;

     

       58
       58
       -
               default = null;

     

       43
       43
       +
               type = types.path;

     

       59
       44
        
               description = ''

     

       60
       60
       -
                 File containing the ADMIN_USERNAME, default is "admin", and

     

       61
       61
       -
                 ADMIN_PASSWORD (length >= 6), default is "password"; in the format of

     

       45
       45
       +
                 File containing the ADMIN_USERNAME and

     

       46
       46
       +
                 ADMIN_PASSWORD (length >= 6) in the format of

     

       62
       47
        
                 an EnvironmentFile=, as described by systemd.exec(5).

     

       63
       48
        
               '';

     

       64
       49
        
               example = "/etc/nixos/miniflux-admin-credentials";

     
···

       70
       55
        
       

     

       71
       56
        
           services.miniflux.config =  {

     

       72
       57
        
             LISTEN_ADDR = mkDefault defaultAddress;

     

       73
       73
       -
             DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";

     

       58
       58
       +
             DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";

     

       74
       59
        
             RUN_MIGRATIONS = "1";

     

       75
       60
        
             CREATE_ADMIN = "1";

     

       76
       61
        
           };

     

       77
       62
        
       

     

       78
       78
       -
           services.postgresql.enable = true;

     

       63
       63
       +
           services.postgresql = {

     

       64
       64
       +
             enable = true;

     

       65
       65
       +
             ensureUsers = [ {

     

       66
       66
       +
               name = dbUser;

     

       67
       67
       +
               ensurePermissions = {

     

       68
       68
       +
                 "DATABASE ${dbName}" = "ALL PRIVILEGES";

     

       69
       69
       +
               };

     

       70
       70
       +
             } ];

     

       71
       71
       +
             ensureDatabases = [ dbName ];

     

       72
       72
       +
           };

     

       79
       73
        
       

     

       80
       74
        
           systemd.services.miniflux-dbsetup = {

     

       81
       75
        
             description = "Miniflux database setup";

     

       82
       82
       -
             wantedBy = [ "multi-user.target" ];

     

       83
       76
        
             requires = [ "postgresql.service" ];

     

       84
       77
        
             after = [ "network.target" "postgresql.service" ];

     

       85
       78
        
             serviceConfig = {

     
···

       92
       85
        
           systemd.services.miniflux = {

     

       93
       86
        
             description = "Miniflux service";

     

       94
       87
        
             wantedBy = [ "multi-user.target" ];

     

       95
       95
       -
             requires = [ "postgresql.service" ];

     

       88
       88
       +
             requires = [ "miniflux-dbsetup.service" ];

     

       96
       89
        
             after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];

     

       97
       90
        
       

     

       98
       91
        
             serviceConfig = {

     

       99
       92
        
               ExecStart = "${pkgs.miniflux}/bin/miniflux";

     

       93
       93
       +
               User = dbUser;

     

       100
       94
        
               DynamicUser = true;

     

       101
       95
        
               RuntimeDirectory = "miniflux";

     

       102
       96
        
               RuntimeDirectoryMode = "0700";

     

       103
       103
       -
               EnvironmentFile = if cfg.adminCredentialsFile == null

     

       104
       104
       -
               then defaultCredentials

     

       105
       105
       -
               else cfg.adminCredentialsFile;

     

       97
       97
       +
               EnvironmentFile = cfg.adminCredentialsFile;

     

       106
       98
        
               # Hardening

     

       107
       99
        
               CapabilityBoundingSet = [ "" ];

     

       108
       100
        
               DeviceAllow = [ "" ];

     
···

       119
       111
        
               ProtectKernelModules = true;

     

       120
       112
        
               ProtectKernelTunables = true;

     

       121
       113
        
               ProtectProc = "invisible";

     

       122
       122
       -
               RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

     

       114
       114
       +
               RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];

     

       123
       115
        
               RestrictNamespaces = true;

     

       124
       116
        
               RestrictRealtime = true;

     

       125
       117
        
               RestrictSUIDSGID = true;

+18 -6

nixos/tests/miniflux.nix

···

       7
       7
        
         defaultPort = 8080;

     

       8
       8
        
         defaultUsername = "admin";

     

       9
       9
        
         defaultPassword = "password";

     

       10
       10
       +
         adminCredentialsFile = pkgs.writeText "admin-credentials" ''

     

       11
       11
       +
                   ADMIN_USERNAME=${defaultUsername}

     

       12
       12
       +
                   ADMIN_PASSWORD=${defaultPassword}

     

       13
       13
       +
                 '';

     

       14
       14
       +
         customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''

     

       15
       15
       +
                   ADMIN_USERNAME=${username}

     

       16
       16
       +
                   ADMIN_PASSWORD=${password}

     

       17
       17
       +
                 '';

     

       18
       18
       +
       

     

       10
       19
        
       in

     

       11
       20
        
       with lib;

     

       12
       21
        
       {

     
···

       17
       26
        
           default =

     

       18
       27
        
             { ... }:

     

       19
       28
        
             {

     

       20
       20
       -
               services.miniflux.enable = true;

     

       29
       29
       +
               services.miniflux = {

     

       30
       30
       +
                 enable = true;

     

       31
       31
       +
                 inherit adminCredentialsFile;

     

       32
       32
       +
               };

     

       21
       33
        
             };

     

       22
       34
        
       

     

       23
       35
        
           withoutSudo =

     

       24
       36
        
             { ... }:

     

       25
       37
        
             {

     

       26
       26
       -
               services.miniflux.enable = true;

     

       38
       38
       +
               services.miniflux = {

     

       39
       39
       +
                 enable = true;

     

       40
       40
       +
                 inherit adminCredentialsFile;

     

       41
       41
       +
               };

     

       27
       42
        
               security.sudo.enable = false;

     

       28
       43
        
             };

     

       29
       44
        
       

     
···

       36
       51
        
                   CLEANUP_FREQUENCY = "48";

     

       37
       52
        
                   LISTEN_ADDR = "localhost:${toString port}";

     

       38
       53
        
                 };

     

       39
       39
       -
                 adminCredentialsFile = pkgs.writeText "admin-credentials" ''

     

       40
       40
       -
                   ADMIN_USERNAME=${username}

     

       41
       41
       -
                   ADMIN_PASSWORD=${password}

     

       42
       42
       -
                 '';

     

       54
       54
       +
                 adminCredentialsFile = customAdminCredentialsFile;

     

       43
       55
        
               };

     

       44
       56
        
             };

     

       45
       57
        
         };