selfhostblocks/ttrss/update.nix

{ stdenv
, pkgs
, lib
, utils
}:
{ document_root
, user
, group
, readOnlyPaths ? []
, readWritePaths ? []
, postgresServiceName
}:
{ ...
}:

# Assumptions:
# - Do not run as root.
# - Image cache should be writable.
# - Upload cache should be writable.
# - Data export cache should be writable.
# - ICONS_DIR should be writable.
# - LOCK_DIRECTORY should be writable.

let
  fullPath = "${document_root}";
  roPaths = [fullPath] ++ readOnlyPaths;
in
utils.systemd.mkService rec {
  name = "ttrss-update";
  content = ''
    [Unit]
    Description=${name}
    After=network.target ${postgresServiceName}
    
    [Service]
    User=${user}
    Group=${group}
    ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php

    RuntimeDirectory=${name}

    PrivateDevices=true
    PrivateTmp=true
    ProtectKernelTunables=true
    ProtectKernelModules=true
    ProtectControlGroups=true
    ProtectKernelLogs=true
    ProtectHome=true
    ProtectHostname=true
    ProtectClock=true
    RestrictSUIDSGID=true
    LockPersonality=true
    NoNewPrivileges=true

    SystemCallFilter=@basic-io @file-system @process @system-service

    ProtectSystem=strict
    ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
    ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}

    # NoExecPaths=/
    # ExecPaths=${pkgs.php}/bin

    [Install]
    WantedBy=multi-user.target
  '';
}
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`{ stdenv`
			`, pkgs`
			`, lib`
refactor systemd-unit derivation 2022-05-20 05:00:12 +02:00			`, utils`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`}:`
refactor to move all hardcoded values to the same file 2022-06-07 20:55:56 +02:00			`{ document_root`
add caddy for ttrss 2022-09-09 08:26:33 +02:00			`, user`
			`, group`
refactor to move all hardcoded values to the same file 2022-06-07 20:55:56 +02:00			`, readOnlyPaths ? []`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`, readWritePaths ? []`
refactor to move all hardcoded values to the same file 2022-06-07 20:55:56 +02:00			`, postgresServiceName`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`}:`
add caddy for ttrss 2022-09-09 08:26:33 +02:00			`{ ...`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`}:`

			`# Assumptions:`
			`# - Do not run as root.`
			`# - Image cache should be writable.`
			`# - Upload cache should be writable.`
			`# - Data export cache should be writable.`
			`# - ICONS_DIR should be writable.`
			`# - LOCK_DIRECTORY should be writable.`

			`let`
refactor to move all hardcoded values to the same file 2022-06-07 20:55:56 +02:00			`fullPath = "${document_root}";`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`roPaths = [fullPath] ++ readOnlyPaths;`
			`in`
refactor to move all hardcoded values to the same file 2022-06-07 20:55:56 +02:00			`utils.systemd.mkService rec {`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`name = "ttrss-update";`
refactor systemd-unit derivation 2022-05-20 05:00:12 +02:00			`content = ''`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`[Unit]`
			`Description=${name}`
refactor to move all hardcoded values to the same file 2022-06-07 20:55:56 +02:00			`After=network.target ${postgresServiceName}`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00
			`[Service]`
add caddy for ttrss 2022-09-09 08:26:33 +02:00			`User=${user}`
			`Group=${group}`
add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php`

add one more security setting for ttrss update systemd service 2022-05-20 05:00:38 +02:00			`RuntimeDirectory=${name}`

add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`PrivateDevices=true`
			`PrivateTmp=true`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectControlGroups=true`
			`ProtectKernelLogs=true`
			`ProtectHome=true`
			`ProtectHostname=true`
			`ProtectClock=true`
			`RestrictSUIDSGID=true`
add one more security setting for ttrss update systemd service 2022-05-20 05:00:38 +02:00			`LockPersonality=true`
			`NoNewPrivileges=true`

add ttrss update service and dbupgrade on deploy 2022-05-18 09:06:32 +02:00			`SystemCallFilter=@basic-io @file-system @process @system-service`

			`ProtectSystem=strict`
			`ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}`
			`ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}`

			`# NoExecPaths=/`
			`# ExecPaths=${pkgs.php}/bin`

			`[Install]`
			`WantedBy=multi-user.target`
			`'';`
			`}`