add ttrss update service and dbupgrade on deploy

2022-05-18 00:06:32 -07:00 · 2022-05-18 00:06:32 -07:00 · a35170e3bb
commit a35170e3bb
parent e0c1af94da
4 changed files with 121 additions and 10 deletions
--- a/Ttrss/dbupgrade.nix
+++ b/Ttrss/dbupgrade.nix
@ -0,0 +1,42 @@
+{ stdenv
+, pkgs
+}:
+{ binDir
+, user
+}:
+{ TtrssPostgresDB
+, TtrssService
+}:
+
+stdenv.mkDerivation {
+  name = "dbupgrade";
+
+  src = pkgs.writeTextDir "wrapper" ''
+  #!/bin/bash -e
+
+  sudo -u ${user} bash <<HERE
+  case "$1" in
+    activate)
+      ${pkgs.php}/bin/php ${binDir}/update.php --update-schema=force-yes
+      ;;
+    lock)
+        if [ -f /tmp/wrapper.lock ]
+        then
+            exit 1
+        else
+            echo "1" > /tmp/wrapper.lock
+        fi
+        ;;
+    unlock)
+        rm -f /tmp/wrapper.lock
+        ;;
+  esac
+  HERE
+  '';
+
+  installPhase = ''
+  mkdir -p $out/bin
+  cp $src/wrapper $out/bin
+  chmod +x $out/bin/*
+  '';
+}
--- a/Ttrss/default.nix
+++ b/Ttrss/default.nix
@ -3,8 +3,12 @@
 , lib
 }:
 { documentRoot
+, name ? "ttrss"
 , user ? "http"
 , group ? "http"
+, lock_directory ? "/run/${name}/lock"
+, cache_dir ? "/run/${name}/cache"
+, icons_dir ? "${documentRoot}/feed-icons"
 }:
 { TtrssPostgresDB
 }:
@ -28,11 +32,11 @@ let
    self_url_path = self_url_path;
    single_user_mode = "true";
    simple_update_mode = "false";
-    php_executable = pkgs.php;
+    php_executable = "${pkgs.php}/bin/php";

-    lock_directory = "/run/ttrss/lock";
-    cache_dir = "/run/ttrss/cache";
-    icons_dir = "feed-icons";
+    lock_directory = "${lock_directory}";
+    cache_dir = "${cache_dir}";
+    icons_dir = "${icons_dir}";
    icons_url = "feed-icons";

    auth_auto_create = "true";
@ -56,14 +60,9 @@ let

    log_destination = "syslog";
  };
-
-  outputDirs = [
-    config.cache_dir
-    config.lock_directory
-  ];
 in
 stdenv.mkDerivation rec {
-  name = "ttrss";
+  inherit name;
  src = pkgs.tt-rss;

  buildCommand =
--- a/Ttrss/update.nix
+++ b/Ttrss/update.nix
@ -0,0 +1,68 @@
+{ stdenv
+, pkgs
+, lib
+}:
+{ readOnlyPaths ? []
+, readWritePaths ? []
+}:
+{ TtrssService
+, TtrssPostgresDB
+, ...
+}:
+
+# Assumptions:
+# - Do not run as root.
+# - Image cache should be writable.
+# - Upload cache should be writable.
+# - Data export cache should be writable.
+# - ICONS_DIR should be writable.
+# - LOCK_DIRECTORY should be writable.
+
+let
+  fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
+  roPaths = [fullPath] ++ readOnlyPaths;
+in
+stdenv.mkDerivation rec {
+  name = "ttrss-update";
+  src = pkgs.writeTextDir "${name}.service" ''
+    [Unit]
+    Description=${name}
+    After=network.target ${TtrssPostgresDB.postgresServiceName}
+    
+    [Service]
+    User=${TtrssService.user}
+    Group=${TtrssService.group}
+    ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
+
+    PrivateDevices=true
+    PrivateTmp=true
+    ProtectKernelTunables=true
+    ProtectKernelModules=true
+    ProtectControlGroups=true
+    ProtectKernelLogs=true
+    ProtectHome=true
+    ProtectHostname=true
+    ProtectClock=true
+    RestrictSUIDSGID=true
+    SystemCallFilter=@basic-io @file-system @process @system-service
+
+    ProtectSystem=strict
+    ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
+    ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
+
+    # NoExecPaths=/
+    # ExecPaths=${pkgs.php}/bin
+
+    NoNewPrivileges=true
+
+    RuntimeDirectory=${name}
+    
+    [Install]
+    WantedBy=multi-user.target
+  '';
+
+  installPhase = ''
+    mkdir -p $out/etc/systemd/system
+    cp $src/*.service $out/etc/systemd/system
+  '';
+}
--- a/all-packages.nix
+++ b/all-packages.nix
@ -11,6 +11,8 @@ let
    PostgresDB = callPackage ./PostgresDB {};

    TtrssService = callPackage ./Ttrss {};
+    TtrssUpdateService = callPackage ./Ttrss/update.nix {};
+    TtrssUpgradeDBService = callPackage ./Ttrss/dbupgrade.nix {};
  };
 in
 self