add ttrss update service and dbupgrade on deploy
This commit is contained in:
parent
e0c1af94da
commit
a35170e3bb
4 changed files with 121 additions and 10 deletions
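--- a/Ttrss/dbupgrade.nix
+++ b/Ttrss/dbupgrade.nix
@@ -0,0 +1,42 @@
+{ stdenv
+, pkgs
+}:
+{ binDir
+, user
+}:
+{ TtrssPostgresDB
+, TtrssService
+}:
+
+stdenv.mkDerivation {
+name = "dbupgrade";
+
+src = pkgs.writeTextDir "wrapper" ''
+#!/bin/bash -e
+
+sudo -u ${user} bash <<HERE
+case "$1" in
+activate)
+${pkgs.php}/bin/php ${binDir}/update.php --update-schema=force-yes
+;;
+lock)
+if [ -f /tmp/wrapper.lock ]
+then
+exit 1
+else
+echo "1" > /tmp/wrapper.lock
+fi
+;;
+unlock)
+rm -f /tmp/wrapper.lock
+;;
+esac
+HERE
+'';
+
+installPhase = ''
+mkdir -p $out/bin
+cp $src/wrapper $out/bin
+chmod +x $out/bin/*
+'';
+}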
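Review bot: The `lock` arm keeps its state in `/tmp/wrapper.lock`, a world-writable directory, and `[ -f ]` followed by `echo >` is not atomic: any local user can pre-create that file so every deploy exits 1, or drop a symlink there for the redirect to follow, and two concurrent runs can both pass the test. An atomic `mkdir` in a directory that only `user` can write fixes both, e.g. `lock) mkdir /run/ttrss/lock/dbupgrade || exit 1 ;;` and `unlock) rmdir /run/ttrss/lock/dbupgrade ;;`, assuming that lock directory (the default in Ttrss/default.nix) exists and is writable by `user` when the wrapper runs. The `#!/bin/bash -e` shebang presumes an FHS `/bin/bash`, which a NixOS host may lack; `#!${pkgs.bash}/bin/bash -e` keeps the script self-contained, and note that `-e` does not carry into the inner `bash` spawned through `sudo`, so only the exit status of the last command in each arm is seen. `TtrssPostgresDB` and `TtrssService` are accepted in the third argument set but never used, so either drop them or derive `binDir` and `user` from `TtrssService` instead of taking them separately.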
@ -3,8 +3,12 @@
|
||||||
, lib
|
, lib
|
||||||
}:
|
}:
|
||||||
{ documentRoot
|
{ documentRoot
|
||||||
|
, name ? "ttrss"
|
||||||
, user ? "http"
|
, user ? "http"
|
||||||
, group ? "http"
|
, group ? "http"
|
||||||
|
, lock_directory ? "/run/${name}/lock"
|
||||||
|
, cache_dir ? "/run/${name}/cache"
|
||||||
|
, icons_dir ? "${documentRoot}/feed-icons"
|
||||||
}:
|
}:
|
||||||
{ TtrssPostgresDB
|
{ TtrssPostgresDB
|
||||||
}:
|
}:
|
||||||
|
@ -28,11 +32,11 @@ let
|
||||||
self_url_path = self_url_path;
|
self_url_path = self_url_path;
|
||||||
single_user_mode = "true";
|
single_user_mode = "true";
|
||||||
simple_update_mode = "false";
|
simple_update_mode = "false";
|
||||||
php_executable = pkgs.php;
|
php_executable = "${pkgs.php}/bin/php";
|
||||||
|
|
||||||
lock_directory = "/run/ttrss/lock";
|
lock_directory = "${lock_directory}";
|
||||||
cache_dir = "/run/ttrss/cache";
|
cache_dir = "${cache_dir}";
|
||||||
icons_dir = "feed-icons";
|
icons_dir = "${icons_dir}";
|
||||||
icons_url = "feed-icons";
|
icons_url = "feed-icons";
|
||||||
|
|
||||||
auth_auto_create = "true";
|
auth_auto_create = "true";
|
||||||
|
@ -56,14 +60,9 @@ let
|
||||||
|
|
||||||
log_destination = "syslog";
|
log_destination = "syslog";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputDirs = [
|
|
||||||
config.cache_dir
|
|
||||||
config.lock_directory
|
|
||||||
];
|
|
||||||
in
|
in
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
name = "ttrss";
|
inherit name;
|
||||||
src = pkgs.tt-rss;
|
src = pkgs.tt-rss;
|
||||||
|
|
||||||
buildCommand =
|
buildCommand =
|
||||||
|
|
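Review bot: The new `icons_dir ? "${documentRoot}/feed-icons"` default points inside `documentRoot`, but the update unit added in this commit lists `documentRoot`/`documentName` under `ReadOnlyPaths` and its own header says `ICONS_DIR should be writable`, so with the defaults the daemon cannot store feed icons; a writable location in the style of the other defaults, e.g. `icons_dir ? "/run/${name}/icons"` or a persistent state directory, would be consistent, with `icons_url` then pointing at wherever that directory is served from. The removal of `outputDirs` drops the only list that named the writable directories; if anything outside this hunk still reads it, that breaks, and if not, consider exposing `lock_directory`, `cache_dir` and `icons_dir` on the derivation so the update unit can grant write access to exactly those paths. The enclosing `let` block starts before the second hunk and the `mkDerivation` body continues past the last one.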
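--- a/Ttrss/update.nix
+++ b/Ttrss/update.nix
@@ -0,0 +1,68 @@
+{ stdenv
+, pkgs
+, lib
+}:
+{ readOnlyPaths ? []
+, readWritePaths ? []
+}:
+{ TtrssService
+, TtrssPostgresDB
+, ...
+}:
+
+# Assumptions:
+# - Do not run as root.
+# - Image cache should be writable.
+# - Upload cache should be writable.
+# - Data export cache should be writable.
+# - ICONS_DIR should be writable.
+# - LOCK_DIRECTORY should be writable.
+
+let
+fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
+roPaths = [fullPath] ++ readOnlyPaths;
+in
+stdenv.mkDerivation rec {
+name = "ttrss-update";
+src = pkgs.writeTextDir "${name}.service" ''
+[Unit]
+Description=${name}
+After=network.target ${TtrssPostgresDB.postgresServiceName}
+
+[Service]
+User=${TtrssService.user}
+Group=${TtrssService.group}
+ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+RestrictSUIDSGID=true
+SystemCallFilter=@basic-io @file-system @process @system-service
+
+ProtectSystem=strict
+ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
+ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
+
+# NoExecPaths=/
+# ExecPaths=${pkgs.php}/bin
+
+NoNewPrivileges=true
+
+RuntimeDirectory=${name}
+
+[Install]
+WantedBy=multi-user.target
+'';
+
+installPhase = ''
+mkdir -p $out/etc/systemd/system
+cp $src/*.service $out/etc/systemd/system
+'';
+}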
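Review bot: The writable-directory assumptions in the header comment are not enforced by the unit: with `ProtectSystem=strict` and the default `readWritePaths ? []`, `ReadWritePaths=` is emitted empty, so the daemon cannot write the lock, cache or icon directories unless every caller remembers to pass them, and the Ttrss/default.nix hunk in this commit removes the `outputDirs` list that named them. Since `TtrssService` is already an argument, append whatever it exposes for those directories in the `let` block and fail evaluation if the list is still empty, as sketched below; the `outputDirs` attribute name is a guess and must match what Ttrss/default.nix actually exports. `RuntimeDirectory=${name}` creates `/run/ttrss-update`, while the lock and cache defaults in Ttrss/default.nix live under `/run/ttrss/`, so confirm which unit is meant to provision that tree. While the sandbox block is being edited, a daemon that needs no capabilities and only IP/Unix sockets can also carry `CapabilityBoundingSet=`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, `RestrictNamespaces=true`, `LockPersonality=true` and `RestrictRealtime=true`; `@system-service` in `SystemCallFilter` should already include `@basic-io`, `@file-system` and `@process`, so the shorter form is equivalent.
```nix
let
  fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
  roPaths = [fullPath] ++ readOnlyPaths;
  # Directories the daemon writes; TtrssService is expected to export the
  # list that Ttrss/default.nix used to call outputDirs.
  rwPaths = readWritePaths ++ (TtrssService.outputDirs or []);
in
assert rwPaths != [];
stdenv.mkDerivation rec {
  # … unchanged: name, src header, [Unit] section, User/Group/ExecStart, Protect*/Private* lines …
    ProtectSystem=strict
    ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
    ReadWritePaths=${builtins.concatStringsSep " " rwPaths}
    CapabilityBoundingSet=
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    RestrictNamespaces=true
    LockPersonality=true
    RestrictRealtime=true
  # … unchanged: NoNewPrivileges, RuntimeDirectory, [Install], installPhase …
```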
@ -11,6 +11,8 @@ let
|
||||||
PostgresDB = callPackage ./PostgresDB {};
|
PostgresDB = callPackage ./PostgresDB {};
|
||||||
|
|
||||||
TtrssService = callPackage ./Ttrss {};
|
TtrssService = callPackage ./Ttrss {};
|
||||||
|
TtrssUpdateService = callPackage ./Ttrss/update.nix {};
|
||||||
|
TtrssUpgradeDBService = callPackage ./Ttrss/dbupgrade.nix {};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
self
|
self
|
||||||
|
|