diff --git a/Ttrss/dbupgrade.nix b/Ttrss/dbupgrade.nix
new file mode 100644
index 0000000..33cca61
--- /dev/null
+++ b/Ttrss/dbupgrade.nix
@@ -0,0 +1,42 @@
+{ stdenv
+, pkgs
+}:
+{ binDir
+, user
+}:
+{ TtrssPostgresDB
+, TtrssService
+}:
+
+stdenv.mkDerivation {
+ name = "dbupgrade";
+
+ src = pkgs.writeTextDir "wrapper" ''
+ #!/bin/bash -e
+
+ sudo -u ${user} bash < /tmp/wrapper.lock
+ fi
+ ;;
+ unlock)
+ rm -f /tmp/wrapper.lock
+ ;;
+ esac
+ HERE
+ '';
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp $src/wrapper $out/bin
+ chmod +x $out/bin/*
+ '';
+}
diff --git a/Ttrss/default.nix b/Ttrss/default.nix
index 559f259..6c5f66a 100644
--- a/Ttrss/default.nix
+++ b/Ttrss/default.nix
@@ -3,8 +3,12 @@
 , lib
 }:
 { documentRoot
+, name ? "ttrss"
 , user ? "http"
 , group ? "http"
+, lock_directory ? "/run/${name}/lock"
+, cache_dir ? "/run/${name}/cache"
+, icons_dir ? "${documentRoot}/feed-icons"
 }:
 { TtrssPostgresDB
 }:
@@ -28,11 +32,11 @@ let
 self_url_path = self_url_path;
 single_user_mode = "true";
 simple_update_mode = "false";
- php_executable = pkgs.php;
+ php_executable = "${pkgs.php}/bin/php";
- lock_directory = "/run/ttrss/lock";
- cache_dir = "/run/ttrss/cache";
- icons_dir = "feed-icons";
+ lock_directory = "${lock_directory}";
+ cache_dir = "${cache_dir}";
+ icons_dir = "${icons_dir}";
 icons_url = "feed-icons";
 auth_auto_create = "true";
@@ -56,14 +60,9 @@ let
 log_destination = "syslog";
 };
-
- outputDirs = [
- config.cache_dir
- config.lock_directory
- ];
 in
 stdenv.mkDerivation rec {
- name = "ttrss";
+ inherit name;
 src = pkgs.tt-rss;
 buildCommand =
diff --git a/Ttrss/update.nix b/Ttrss/update.nix
new file mode 100644
index 0000000..712f829
--- /dev/null
+++ b/Ttrss/update.nix
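Review bot: The lock is the fixed path `/tmp/wrapper.lock` in a world-writable directory, so a stale or foreign file of that name blocks every run and anything the wrapper writes there lands on whatever a local user has placed at that path; keep the lock in a directory owned by `${user}` (default.nix now exposes such a path as `lock_directory`, defaulting to `/run/${name}/lock`) or take it with `flock` on an open descriptor so no predictable path is written at all. The heredoc body between `bash <` and the first `/tmp/wrapper.lock` appears truncated in this copy of the diff, so only the `lock)`/`unlock)` branches can be read. The `#!/bin/bash -e` shebang also depends on `/bin/bash` existing on the host, which NixOS does not provide; `#!${pkgs.bash}/bin/bash -e` pins the interpreter to the store path already reachable through `pkgs`.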
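Review bot: `icons_dir ? "${documentRoot}/feed-icons"` places the writable feed-icon directory under the document root, while the update.nix service in this same commit runs with `ProtectSystem=strict` and lists the document tree under `ReadOnlyPaths`, so with the defaults the updater cannot write icons unless the very same path is also passed through `readWritePaths`, and if `documentRoot` is ever a store path it is immutable regardless. A default outside the served tree, e.g. `icons_dir ? "/var/lib/${name}/feed-icons"` together with a matching entry in the updater's `ReadWritePaths`, keeps mutable data out of the document root; `icons_url` (still `"feed-icons"` in the next hunk) would then have to point at wherever that directory is published. The enclosing argument set begins before this hunk.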
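Review bot: `lock_directory = "${lock_directory}";` and the two lines after it wrap a string in an interpolation that yields the identical string, which reads as though a conversion were taking place; since the attribute names match the parameter names, `inherit lock_directory cache_dir icons_dir;` states the same thing on one line without the quoting. The attribute set being edited (presumably the `config` set referenced in the following hunk) starts and ends outside this hunk.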
@@ -0,0 +1,68 @@
+{ stdenv
+, pkgs
+, lib
+}:
+{ readOnlyPaths ? []
+, readWritePaths ? []
+}:
+{ TtrssService
+, TtrssPostgresDB
+, ...
+}:
+
+# Assumptions:
+# - Do not run as root.
+# - Image cache should be writable.
+# - Upload cache should be writable.
+# - Data export cache should be writable.
+# - ICONS_DIR should be writable.
+# - LOCK_DIRECTORY should be writable.
+
+let
+ fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
+ roPaths = [fullPath] ++ readOnlyPaths;
+in
+stdenv.mkDerivation rec {
+ name = "ttrss-update";
+ src = pkgs.writeTextDir "${name}.service" ''
+ [Unit]
+ Description=${name}
+ After=network.target ${TtrssPostgresDB.postgresServiceName}
+
+ [Service]
+ User=${TtrssService.user}
+ Group=${TtrssService.group}
+ ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
+
+ PrivateDevices=true
+ PrivateTmp=true
+ ProtectKernelTunables=true
+ ProtectKernelModules=true
+ ProtectControlGroups=true
+ ProtectKernelLogs=true
+ ProtectHome=true
+ ProtectHostname=true
+ ProtectClock=true
+ RestrictSUIDSGID=true
+ SystemCallFilter=@basic-io @file-system @process @system-service
+
+ ProtectSystem=strict
+ ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
+ ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
+
+ # NoExecPaths=/
+ # ExecPaths=${pkgs.php}/bin
+
+ NoNewPrivileges=true
+
+ RuntimeDirectory=${name}
+
+ [Install]
+ WantedBy=multi-user.target
+ '';
+
+ installPhase = ''
+ mkdir -p $out/etc/systemd/system
+ cp $src/*.service $out/etc/systemd/system
+ '';
+}
diff --git a/all-packages.nix b/all-packages.nix
index 311875b..284d010 100644
--- a/all-packages.nix
+++ b/all-packages.nix
@@ -11,6 +11,8 @@ let
 PostgresDB = callPackage ./PostgresDB {};
 TtrssService = callPackage ./Ttrss {};
+ TtrssUpdateService = callPackage ./Ttrss/update.nix {};
+ TtrssUpgradeDBService = callPackage ./Ttrss/dbupgrade.nix {};
 };
 in
 self
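Review bot: `ReadWritePaths=` is empty by default although the header comment lists several directories that must be writable and `ProtectSystem=strict` makes every path not listed there read-only, so with the defaults `update_daemon2.php` cannot write its lock, cache or icon directories; the default should be derived from the TtrssService instance rather than left to each caller (sketched below, assuming default.nix exposes `lock_directory`, `cache_dir` and `icons_dir` the way it evidently exposes `documentRoot` and `user`). `RuntimeDirectory=${name}` creates `/run/ttrss-update`, but default.nix's `lock_directory`/`cache_dir` defaults live under `/run/ttrss`, which nothing in this change creates. On the sandbox, `@basic-io @file-system @process` are already contained in `@system-service`, and an unprivileged PHP daemon that only needs feed fetches and its database connection can additionally carry `SystemCallArchitectures=native`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `CapabilityBoundingSet=`, `RestrictNamespaces=true` and `LockPersonality=true`. The commented-out `# NoExecPaths=/` / `# ExecPaths=${pkgs.php}/bin` pair should be enabled or dropped; as written the `${pkgs.php}` interpolation still adds a store dependency while the directives do nothing.
```nix
{ readOnlyPaths ? []
, readWritePaths ? null   # null: derive the writable set from TtrssService below
}:
# … unchanged: TtrssService/TtrssPostgresDB argument set, assumptions comment …
let
  fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
  roPaths = [fullPath] ++ readOnlyPaths;
  # TODO confirm default.nix exposes these three attributes on TtrssService
  rwPaths =
    if readWritePaths != null then readWritePaths
    else [ TtrssService.lock_directory TtrssService.cache_dir TtrssService.icons_dir ];
in
# … unchanged: [Unit], User/Group/ExecStart, Private*/Protect* directives …
    RestrictSUIDSGID=true
    SystemCallFilter=@system-service
    SystemCallArchitectures=native
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    CapabilityBoundingSet=
    RestrictNamespaces=true
    LockPersonality=true

    ProtectSystem=strict
    ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
    ReadWritePaths=${builtins.concatStringsSep " " rwPaths}
# … unchanged: NoNewPrivileges, RuntimeDirectory, [Install], installPhase …
```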