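{ stdenv
, pkgs
, lib
, utils
}:
{ documentRoot
, user
, group
, readOnlyPaths ? []
, readWritePaths ? []
, postgresServiceName
}:
{ ...
}:

# Builds the systemd unit for the Tiny Tiny RSS feed-update daemon
# (update_daemon2.php under the document root) through utils.systemd.mkService.
#
# Assumptions:
# - Do not run as root.
# - Image cache should be writable.
# - Upload cache should be writable.
# - Data export cache should be writable.
# - ICONS_DIR should be writable.
# - LOCK_DIRECTORY should be writable.
#
# None of the writable locations above are derived here: the unit uses
# ProtectSystem=strict, so the caller must pass them in readWritePaths or the
# daemon sees a read-only filesystem view.

let
  # String interpolation forces documentRoot to a string (a path or derivation
  # argument is coerced to its store path), so keep the interpolation form.
  fullPath = "${documentRoot}";
  # The tt-rss install itself is only ever read by the daemon.
  roPaths = [ fullPath ] ++ readOnlyPaths;
  joinPaths = builtins.concatStringsSep " ";
in
utils.systemd.mkService rec {
  name = "ttrss-update";
  content = ''
    [Unit]
    Description=${name}
    # After= only orders the units; Wants= is what actually pulls the
    # database and network-online in when this daemon is started.
    Wants=network-online.target ${postgresServiceName}
    After=network-online.target ${postgresServiceName}

    [Service]
    User=${user}
    Group=${group}
    ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php

    RuntimeDirectory=${name}

    # Sandboxing. The daemon runs unprivileged and only needs IPv4/IPv6 to
    # fetch feeds plus a local socket or TCP connection to PostgreSQL.
    CapabilityBoundingSet=
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    RestrictNamespaces=true
    RestrictRealtime=true
    SystemCallArchitectures=native
    PrivateDevices=true
    PrivateTmp=true
    ProtectKernelTunables=true
    ProtectKernelModules=true
    ProtectControlGroups=true
    ProtectKernelLogs=true
    ProtectHome=true
    ProtectHostname=true
    ProtectClock=true
    RestrictSUIDSGID=true
    LockPersonality=true
    NoNewPrivileges=true

    SystemCallFilter=@basic-io @file-system @process @system-service

    # Everything is read-only except what the caller lists in readWritePaths.
    ProtectSystem=strict
    ReadOnlyPaths=${joinPaths roPaths}
    ReadWritePaths=${joinPaths readWritePaths}

    # Left disabled as in the original unit.
    # NOTE(review): confirm a php-only ExecPaths does not break the daemon
    # before enabling these.
    # NoExecPaths=/
    # ExecPaths=${pkgs.php}/bin

    [Install]
    WantedBy=multi-user.target
  '';
}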