Merge pull request #209254 from Stunkymonkey/freshrss-srv-pgsql

nixos/freshrss: fix permissions and add database test

authored by

Felix Bühler and committed by
GitHub
a4eb1b11 716cab14

+78 -23
+27 -22
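--- a/nixos/modules/services/web-apps/freshrss.nix
+++ b/nixos/modules/services/web-apps/freshrss.nix
@@ -60,7 +60,7 @@
       };
 
       port = mkOption {
-        type = with types; nullOr port;
+        type = types.nullOr types.port;
         default = null;
         description = mdDoc "Database port for FreshRSS.";
         example = 3306;
@@ -73,7 +73,7 @@
       };
 
       passFile = mkOption {
-        type = types.nullOr types.str;
+        type = types.nullOr types.path;
         default = null;
         description = mdDoc "Database password file for FreshRSS.";
         example = "/run/secrets/freshrss";
@@ -116,12 +116,18 @@
         with default values.
       '';
     };
+
+    user = mkOption {
+      type = types.str;
+      default = "freshrss";
+      description = lib.mdDoc "User under which Freshrss runs.";
+    };
   };
-
 
   config =
     let
-      systemd-hardening = {
+      defaultServiceConfig = {
+        ReadWritePaths = "${cfg.dataDir}";
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
         DeviceAllow = "";
         LockPersonality = true;
@@ -146,6 +152,11 @@
         SystemCallArchitectures = "native";
         SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
         UMask = "0007";
+        Type = "oneshot";
+        User = cfg.user;
+        Group = config.users.users.${cfg.user}.group;
+        StateDirectory = "freshrss";
+        WorkingDirectory = cfg.package;
       };
     in
     mkIf cfg.enable {
@@ -199,12 +210,17 @@
         };
       };
 
-      users.users.freshrss = {
+      users.users."${cfg.user}" = {
         description = "FreshRSS service user";
         isSystemUser = true;
-        group = "freshrss";
+        group = "${cfg.user}";
+        home = cfg.dataDir;
       };
-      users.groups.freshrss = { };
+      users.groups."${cfg.user}" = { };
+
+      systemd.tmpfiles.rules = [
+        "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+      ];
 
       systemd.services.freshrss-config =
         let
@@ -228,30 +244,24 @@
         {
           description = "Set up the state directory for FreshRSS before use";
           wantedBy = [ "multi-user.target" ];
-          serviceConfig = {
+          serviceConfig = defaultServiceConfig //{
             Type = "oneshot";
             User = "freshrss";
             Group = "freshrss";
             StateDirectory = "freshrss";
             WorkingDirectory = cfg.package;
-          } // systemd-hardening;
+          };
           environment = {
             FRESHRSS_DATA_PATH = cfg.dataDir;
           };
 
           script = ''
-            # create files with correct permissions
-            mkdir -m 755 -p ${cfg.dataDir}
-
             # do installation or reconfigure
             if test -f ${cfg.dataDir}/config.php; then
               # reconfigure with settings
               ./cli/reconfigure.php ${settingsFlags}
               ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
             else
-              # Copy the user data template directory
-              cp -r ./data ${cfg.dataDir}
-
               # check correct folders in data folder
               ./cli/prepare.php
               # install with settings
@@ -269,14 +279,9 @@
           environment = {
             FRESHRSS_DATA_PATH = cfg.dataDir;
           };
-          serviceConfig = {
-            Type = "oneshot";
-            User = "freshrss";
-            Group = "freshrss";
-            StateDirectory = "freshrss";
-            WorkingDirectory = cfg.package;
+          serviceConfig = defaultServiceConfig //{
             ExecStart = "${cfg.package}/app/actualize_script.php";
-          } // systemd-hardening;
+          };
         };
       };
     }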
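Review bot: The new `user` option never reaches the freshrss-config unit: its `serviceConfig = defaultServiceConfig //{ ... }` keeps the literal `User = "freshrss"; Group = "freshrss";` on the right-hand side of `//`, which overrides the `User = cfg.user` and `Group = config.users.users.${cfg.user}.group` just added to `defaultServiceConfig`. With a non-default `cfg.user` the directory created by the tmpfiles rule is owned by `cfg.user` while the setup script still tries to run as `freshrss`, an account that no longer exists because it is now declared under `users.users."${cfg.user}"`. The five overriding attributes duplicate the defaults and can be dropped, as the updater unit's hunk already does: `serviceConfig = defaultServiceConfig;`. Separately, `users.users."${cfg.user}"` and `users.groups."${cfg.user}"` are declared unconditionally, so pointing `user` at an existing account redefines its group and home; the usual guard is `users.users = mkIf (cfg.user == "freshrss") { freshrss = { ... }; };` with the same for the group. Note also that switching `passFile` to `types.path` means a Nix path literal would be copied into the world-readable store, which is worth a sentence in the option description steering users to a runtime path like the `/run/secrets/freshrss` example.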
+2 -1
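--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -225,7 +225,8 @@
   fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
   freenet = handleTest ./freenet.nix {};
   freeswitch = handleTest ./freeswitch.nix {};
-  freshrss = handleTest ./freshrss.nix {};
+  freshrss-sqlite = handleTest ./freshrss-sqlite.nix {};
+  freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};
   frr = handleTest ./frr.nix {};
   fsck = handleTest ./fsck.nix {};
   ft2-clone = handleTest ./ft2-clone.nix {};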
+48
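--- /dev/null
+++ b/nixos/tests/freshrss-pgsql.nix
@@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "freshrss";
+  meta.maintainers = with lib.maintainers; [ etu stunkymonkey ];
+
+  nodes.machine = { pkgs, ... }: {
+    services.freshrss = {
+      enable = true;
+      baseUrl = "http://localhost";
+      passwordFile = pkgs.writeText "password" "secret";
+      dataDir = "/srv/freshrss";
+      database = {
+        type = "pgsql";
+        port = 5432;
+        user = "freshrss";
+        passFile = pkgs.writeText "db-password" "db-secret";
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "freshrss" ];
+      ensureUsers = [
+        {
+          name = "freshrss";
+          ensurePermissions = {
+            "DATABASE freshrss" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+      initialScript = pkgs.writeText "postgresql-password" ''
+        CREATE ROLE freshrss WITH LOGIN PASSWORD 'db-secret' CREATEDB;
+      '';
+    };
+
+    systemd.services."freshrss-config" = {
+      requires = [ "postgresql.service" ];
+      after = [ "postgresql.service" ];
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_open_port(5432)
+    machine.wait_for_open_port(80)
+    response = machine.succeed("curl -vvv -s -H 'Host: freshrss' http://127.0.0.1:80/i/")
+    assert '<title>Login · FreshRSS</title>' in response, "Login page didn't load successfully"
+  '';
+})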
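Review bot: The only assertion in `testScript` is that the login page renders, which the SQLite test already checks, so this test would still pass if FreshRSS ended up on some other backend; add a check that the schema actually landed in PostgreSQL, e.g. `machine.succeed("sudo -u postgres psql -d freshrss -c '\\dt' | grep -q freshrss")` (the table-name prefix should be confirmed against what `install.php` creates). The `CREATEDB` attribute in `initialScript` is not needed: the database comes from `ensureDatabases` and access from `ensurePermissions`, so the role can be created with `LOGIN PASSWORD` alone and the test then exercises the least-privilege setup an operator would deploy. Creating the role both in `initialScript` and through `ensureUsers` presumably relies on the latter skipping an existing role; a one-line comment saying the script exists only to set the password would make that intent clear to the next reader.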
+1
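--- a/nixos/tests/freshrss.nix
+++ b/nixos/tests/freshrss-sqlite.nix
@@ -7,6 +7,7 @@
       enable = true;
       baseUrl = "http://localhost";
       passwordFile = pkgs.writeText "password" "secret";
+      dataDir = "/srv/freshrss";
     };
   };
 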