1
0
Fork 0
selfhostblocks/ttrss/update.nix

75 lines
1.5 KiB
Nix
Raw Normal View History

{ stdenv
, pkgs
, lib
2022-05-20 05:00:12 +02:00
, utils
}:
2023-01-17 06:39:20 +01:00
{ name
2022-09-09 08:26:33 +02:00
, user
, group
2023-01-17 06:39:20 +01:00
, documentRoot
, readOnlyPaths ? []
, readWritePaths ? []
, postgresServiceName
2023-01-17 06:39:20 +01:00
, dependsOn ? {}
}:
# Assumptions:
# - Do not run as root.
# - Image cache should be writable.
# - Upload cache should be writable.
# - Data export cache should be writable.
# - ICONS_DIR should be writable.
# - LOCK_DIRECTORY should be writable.
let
2022-10-04 09:08:51 +02:00
fullPath = "${documentRoot}";
roPaths = [fullPath] ++ readOnlyPaths;
in
2023-01-17 06:39:20 +01:00
{
inherit name;
pkg = {...}: utils.systemd.mkService rec {
name = "ttrss-update";
content = ''
[Unit]
Description=${name}
After=network.target ${postgresServiceName}
[Service]
User=${user}
Group=${group}
ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
RuntimeDirectory=${name}
2023-01-17 06:39:20 +01:00
PrivateDevices=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHome=true
ProtectHostname=true
ProtectClock=true
RestrictSUIDSGID=true
LockPersonality=true
NoNewPrivileges=true
2023-01-17 06:39:20 +01:00
SystemCallFilter=@basic-io @file-system @process @system-service
2023-01-17 06:39:20 +01:00
ProtectSystem=strict
ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
2023-01-17 06:39:20 +01:00
# NoExecPaths=/
# ExecPaths=${pkgs.php}/bin
2023-01-17 06:39:20 +01:00
[Install]
WantedBy=multi-user.target
'';
};
2023-01-17 06:39:20 +01:00
inherit dependsOn;
type = "systemd-unit";
}