1
0
Fork 0

add ttrss update service and dbupgrade on deploy

This commit is contained in:
ibizaman 2022-05-18 00:06:32 -07:00
parent e0c1af94da
commit a35170e3bb
4 changed files with 121 additions and 10 deletions

42
Ttrss/dbupgrade.nix Normal file
View file

@ -0,0 +1,42 @@
{ stdenv
, pkgs
}:
{ binDir
, user
}:
{ TtrssPostgresDB
, TtrssService
}:
stdenv.mkDerivation {
name = "dbupgrade";
src = pkgs.writeTextDir "wrapper" ''
#!/bin/bash -e
sudo -u ${user} bash <<HERE
case "$1" in
activate)
${pkgs.php}/bin/php ${binDir}/update.php --update-schema=force-yes
;;
lock)
if [ -f /tmp/wrapper.lock ]
then
exit 1
else
echo "1" > /tmp/wrapper.lock
fi
;;
unlock)
rm -f /tmp/wrapper.lock
;;
esac
HERE
'';
installPhase = ''
mkdir -p $out/bin
cp $src/wrapper $out/bin
chmod +x $out/bin/*
'';
}

View file

@ -3,8 +3,12 @@
, lib , lib
}: }:
{ documentRoot { documentRoot
, name ? "ttrss"
, user ? "http" , user ? "http"
, group ? "http" , group ? "http"
, lock_directory ? "/run/${name}/lock"
, cache_dir ? "/run/${name}/cache"
, icons_dir ? "${documentRoot}/feed-icons"
}: }:
{ TtrssPostgresDB { TtrssPostgresDB
}: }:
@ -28,11 +32,11 @@ let
self_url_path = self_url_path; self_url_path = self_url_path;
single_user_mode = "true"; single_user_mode = "true";
simple_update_mode = "false"; simple_update_mode = "false";
php_executable = pkgs.php; php_executable = "${pkgs.php}/bin/php";
lock_directory = "/run/ttrss/lock"; lock_directory = "${lock_directory}";
cache_dir = "/run/ttrss/cache"; cache_dir = "${cache_dir}";
icons_dir = "feed-icons"; icons_dir = "${icons_dir}";
icons_url = "feed-icons"; icons_url = "feed-icons";
auth_auto_create = "true"; auth_auto_create = "true";
@ -56,14 +60,9 @@ let
log_destination = "syslog"; log_destination = "syslog";
}; };
outputDirs = [
config.cache_dir
config.lock_directory
];
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "ttrss"; inherit name;
src = pkgs.tt-rss; src = pkgs.tt-rss;
buildCommand = buildCommand =

68
Ttrss/update.nix Normal file
View file

@ -0,0 +1,68 @@
{ stdenv
, pkgs
, lib
}:
{ readOnlyPaths ? []
, readWritePaths ? []
}:
{ TtrssService
, TtrssPostgresDB
, ...
}:
# Assumptions:
# - Do not run as root.
# - Image cache should be writable.
# - Upload cache should be writable.
# - Data export cache should be writable.
# - ICONS_DIR should be writable.
# - LOCK_DIRECTORY should be writable.
let
fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
roPaths = [fullPath] ++ readOnlyPaths;
in
stdenv.mkDerivation rec {
name = "ttrss-update";
src = pkgs.writeTextDir "${name}.service" ''
[Unit]
Description=${name}
After=network.target ${TtrssPostgresDB.postgresServiceName}
[Service]
User=${TtrssService.user}
Group=${TtrssService.group}
ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
PrivateDevices=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHome=true
ProtectHostname=true
ProtectClock=true
RestrictSUIDSGID=true
SystemCallFilter=@basic-io @file-system @process @system-service
ProtectSystem=strict
ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
# NoExecPaths=/
# ExecPaths=${pkgs.php}/bin
NoNewPrivileges=true
RuntimeDirectory=${name}
[Install]
WantedBy=multi-user.target
'';
installPhase = ''
mkdir -p $out/etc/systemd/system
cp $src/*.service $out/etc/systemd/system
'';
}

View file

@ -11,6 +11,8 @@ let
PostgresDB = callPackage ./PostgresDB {}; PostgresDB = callPackage ./PostgresDB {};
TtrssService = callPackage ./Ttrss {}; TtrssService = callPackage ./Ttrss {};
TtrssUpdateService = callPackage ./Ttrss/update.nix {};
TtrssUpgradeDBService = callPackage ./Ttrss/dbupgrade.nix {};
}; };
in in
self self