
merge files for ttrss

This commit is contained in:
ibizaman 2023-01-16 21:39:20 -08:00
parent c98cfdb892
commit ba14b8d4a1
10 changed files with 124 additions and 222 deletions


@ -28,15 +28,7 @@ let
mkKeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;}; mkKeycloakCliService = callPackage ./keycloak-cli-config/unit.nix {inherit utils;};
TtrssEnvironment = callPackage ./ttrss/environment.nix {}; ttrss = callPackage ./ttrss {inherit utils customPkgs;};
TtrssConfig = callPackage ./ttrss/config.nix {};
mkTtrssConfig = callPackage ./ttrss/mkconfig.nix {inherit TtrssConfig;};
TtrssUpdateService = callPackage ./ttrss/update.nix {inherit utils;};
mkTtrssUpdateService = callPackage ./ttrss/mkupdate.nix {inherit TtrssUpdateService;};
TtrssUpgradeDBService = callPackage ./ttrss/dbupgrade.nix {};
mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;};
mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {};
vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;}; vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;};
}; };
in in


@ -2,8 +2,10 @@
, pkgs , pkgs
, lib , lib
}: }:
{ document_root { documentRoot
, name ? "ttrss" , name ? "ttrss"
, serviceName ? "ttrss"
, subdomain ? "ttrss"
, user ? "http" , user ? "http"
, group ? "http" , group ? "http"
, domain , domain
@ -22,8 +24,8 @@
# , feedback_url ? "" # , feedback_url ? ""
, auth_remote_post_logout_url ? null , auth_remote_post_logout_url ? null
, enabled_plugins ? [ "auth_remote" "note" ] , enabled_plugins ? [ "auth_remote" "note" ]
}:
{ TtrssPostgresDB , dependsOn ? {}
}: }:
let let
@ -34,9 +36,9 @@ let
); );
wrapPutenv = key: value: "putenv('TTRSS_${lib.toUpper key}=${value}');"; wrapPutenv = key: value: "putenv('TTRSS_${lib.toUpper key}=${value}');";
config = self_url_path: { config = self_url_path: db: {
db_type = "pgsql"; db_type = "pgsql";
db_host = db_host {inherit TtrssPostgresDB;}; db_host = db_host db;
db_port = builtins.toString db_port; db_port = builtins.toString db_port;
db_user = db_username; db_user = db_username;
db_name = db_database; db_name = db_database;
@ -85,26 +87,35 @@ let
} else {} } else {}
); );
in in
stdenv.mkDerivation rec { {
inherit name; name = serviceName;
src = pkgs.tt-rss;
buildCommand = pkg = {
let db
configFile = pkgs.writeText "config.php" (asTtrssConfig (config "https://${name}.${domain}/")); }: stdenv.mkDerivation rec {
dr = dirOf document_root; inherit name;
in src = pkgs.tt-rss;
''
mkdir -p $out/${name}
cp -ra $src/* $out/${name}
cp ${configFile} $out/${name}/config.php
echo "${dr}" > $out/.dysnomia-targetdir buildCommand =
echo "${user}:${group}" > $out/.dysnomia-filesetowner let
configFile = pkgs.writeText "config.php" (asTtrssConfig (config "https://${subdomain}.${domain}/" db));
cat > $out/.dysnomia-fileset <<FILESET dr = dirOf documentRoot;
symlink $out/${name} in
target ${dr} ''
FILESET mkdir -p $out/${name}
''; cp -ra $src/* $out/${name}
cp ${configFile} $out/${name}/config.php
echo "${dr}" > $out/.dysnomia-targetdir
echo "${user}:${group}" > $out/.dysnomia-filesetowner
cat > $out/.dysnomia-fileset <<FILESET
symlink $out/${name}
target ${dr}
FILESET
'';
};
inherit dependsOn;
type = "fileset";
} }
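Review bot: `config.php` is produced with `pkgs.writeText` and copied into `$out/${name}`, so it lives in the world-readable Nix store; if the `config` attrset also carries the database password — the visible `db_type`/`db_host`/`db_port`/`db_user`/`db_name` fields suggest the credentials block continues past the hunk — every local user on the host can read it, and the `${user}:${group}` written to `.dysnomia-filesetowner` does not change the store path's mode. Keep the secret out of the generated file and bake in only a path, e.g. emit `putenv('TTRSS_DB_PASS=' . trim(file_get_contents('/run/secrets/ttrss-db-pass')));` via `wrapPutenv` (or supply `TTRSS_DB_PASS` through the PHP-FPM pool environment) instead of the literal value. The `config` function's body is cut by the first hunk, so I cannot see whether a password field is actually present; please confirm.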


@ -1,42 +1,52 @@
{ stdenv { stdenv
, pkgs , pkgs
}: }:
{ binDir { name
, user , user
}: , binDir
{ TtrssPostgresDB
, TtrssConfig , dependsOn ? {}
}: }:
stdenv.mkDerivation { {
name = "dbupgrade"; inherit name;
pkg =
{ db
, config
}:
stdenv.mkDerivation {
name = "dbupgrade";
src = pkgs.writeTextDir "wrapper" '' src = pkgs.writeTextDir "wrapper" ''
#!/bin/bash -e #!/bin/bash -e
sudo -u ${user} bash <<HERE sudo -u ${user} bash <<HERE
case "$1" in case "$1" in
activate) activate)
${pkgs.php}/bin/php ${binDir}/update.php --update-schema=force-yes ${pkgs.php}/bin/php ${binDir}/update.php --update-schema=force-yes
;; ;;
lock) lock)
if [ -f /tmp/wrapper.lock ] if [ -f /tmp/wrapper.lock ]
then then
exit 1 exit 1
else else
echo "1" > /tmp/wrapper.lock echo "1" > /tmp/wrapper.lock
fi fi
;; ;;
unlock) unlock)
rm -f /tmp/wrapper.lock rm -f /tmp/wrapper.lock
;; ;;
esac esac
HERE HERE
''; '';
installPhase = '' installPhase = ''
mkdir -p $out/bin mkdir -p $out/bin
cp $src/wrapper $out/bin cp $src/wrapper $out/bin
chmod +x $out/bin/* chmod +x $out/bin/*
''; '';
};
inherit dependsOn;
type = "wrapper";
} }
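Review bot: The `lock`/`unlock` branches use the fixed path `/tmp/wrapper.lock`, and `[ -f ... ]` followed by `echo "1" >` is a check-then-create race that also follows symlinks; because the heredoc runs as `${user}` in a world-writable directory, any local account can pre-create or symlink that file to block every activation or redirect the write, and the generic name collides with any other wrapper built the same way. Use an atomic, service-specific lock: `lock) mkdir "/tmp/${name}-dbupgrade.lock" 2>/dev/null || exit 1 ;;` and `unlock) rmdir "/tmp/${name}-dbupgrade.lock" ;;` — `mkdir` fails if the entry already exists and never follows a symlink. Note also that the outer `#!/bin/bash -e` does not apply to the inner `sudo -u ${user} bash` heredoc; the `activate` branch only propagates `update.php`'s status because it is the last command executed there, which is worth a comment.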


@ -66,7 +66,7 @@ rec {
inherit (phpfpmService) user group; inherit (phpfpmService) user group;
inherit domain; inherit domain;
db_host = {TtrssPostgresDB}: TtrssPostgresDB.target.properties.hostname; db_host = db: db.target.properties.hostname;
db_port = (utils.getTarget distribution "TtrssPostgresDB").containers.postgresql-database.port; db_port = (utils.getTarget distribution "TtrssPostgresDB").containers.postgresql-database.port;
db_database = postgresDatabase; db_database = postgresDatabase;
db_username = postgresUser; db_username = postgresUser;
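Review bot: `db_host` now takes the `db` dependency as an argument, but `db_port` on the next line still resolves the target by the hard-coded string `"TtrssPostgresDB"` through `utils.getTarget distribution`; if the dependency is renamed or a second database target is introduced, host and port can silently come from different services. Derive both from the same object — presumably `db_port = db: db.target.containers.postgresql-database.port;` given that `db_host` reads `db.target.properties.hostname` — or at least add `# must name the same target as the db passed to db_host`. The enclosing `rec { ... }` starts and ends outside this hunk.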


@ -1,37 +0,0 @@
{}:
{
name ? "ttrss",
document_root ? "/usr/share/webapps/${name}",
systemd_run ? "/run/${name}",
persistent_dir ? "/var/lib/${name}"
}:
rec {
inherit name document_root systemd_run persistent_dir;
lock_directory = "${systemd_run}/lock";
cache_directory = "${systemd_run}/cache";
feed_icons_directory = "${persistent_dir}/feed-icons";
ro_directories = [];
rw_directories = [
lock_directory
cache_directory
feed_icons_directory
];
directories_modes = {
"${systemd_run}" = "0550";
"${lock_directory}" = "0770";
"${cache_directory}" = "0770";
"${cache_directory}/upload" = "0770";
"${cache_directory}/images" = "0770";
"${cache_directory}/export" = "0770";
"${persistent_dir}/feed-icons" = "0770";
};
postgresql = {
username = name;
password = "ttrsspw";
database = name;
};
}


@ -1,39 +0,0 @@
{ TtrssConfig
}:
{ name
, user
, group
, domain
, serviceName
, document_root
, lock_directory
, cache_directory
, feed_icons_directory
, enabled_plugins ? []
, auth_remote_post_logout_url ? null
, db_host
, db_port
, db_username
, db_password
, db_database
, dependsOn ? {}
}:
{
inherit name;
pkg = TtrssConfig {
name = serviceName;
inherit document_root lock_directory cache_directory feed_icons_directory;
inherit user group;
inherit domain;
inherit db_host db_port db_username db_password db_database;
inherit enabled_plugins;
inherit auth_remote_post_logout_url;
};
inherit dependsOn;
type = "fileset";
}


@ -1,17 +0,0 @@
{ TtrssUpgradeDBService
}:
{ name
, user
, binDir
, dependsOn ? {}
}:
{
inherit name;
pkg = TtrssUpgradeDBService {
inherit user binDir;
};
inherit dependsOn;
type = "wrapper";
}


@ -1,25 +0,0 @@
{ TtrssUpdateService
}:
{ name
, user
, group
, documentRoot
, readOnlyPaths
, readWritePaths
, postgresServiceName
, dependsOn ? {}
}:
{
inherit name;
pkg = TtrssUpdateService {
inherit documentRoot;
inherit user group;
inherit readOnlyPaths readWritePaths;
inherit postgresServiceName;
};
inherit dependsOn;
type = "systemd-unit";
}


@ -3,14 +3,15 @@
, lib , lib
, utils , utils
}: }:
{ documentRoot { name
, user , user
, group , group
, documentRoot
, readOnlyPaths ? [] , readOnlyPaths ? []
, readWritePaths ? [] , readWritePaths ? []
, postgresServiceName , postgresServiceName
}:
{ ... , dependsOn ? {}
}: }:
# Assumptions: # Assumptions:
@ -25,43 +26,49 @@ let
fullPath = "${documentRoot}"; fullPath = "${documentRoot}";
roPaths = [fullPath] ++ readOnlyPaths; roPaths = [fullPath] ++ readOnlyPaths;
in in
utils.systemd.mkService rec { {
name = "ttrss-update"; inherit name;
content = '' pkg = {...}: utils.systemd.mkService rec {
[Unit] name = "ttrss-update";
Description=${name} content = ''
After=network.target ${postgresServiceName} [Unit]
Description=${name}
[Service] After=network.target ${postgresServiceName}
User=${user}
Group=${group}
ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
RuntimeDirectory=${name} [Service]
User=${user}
Group=${group}
ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
PrivateDevices=true RuntimeDirectory=${name}
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHome=true
ProtectHostname=true
ProtectClock=true
RestrictSUIDSGID=true
LockPersonality=true
NoNewPrivileges=true
SystemCallFilter=@basic-io @file-system @process @system-service PrivateDevices=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectHome=true
ProtectHostname=true
ProtectClock=true
RestrictSUIDSGID=true
LockPersonality=true
NoNewPrivileges=true
ProtectSystem=strict SystemCallFilter=@basic-io @file-system @process @system-service
ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
# NoExecPaths=/ ProtectSystem=strict
# ExecPaths=${pkgs.php}/bin ReadOnlyPaths=${builtins.concatStringsSep " " roPaths}
ReadWritePaths=${builtins.concatStringsSep " " readWritePaths}
[Install] # NoExecPaths=/
WantedBy=multi-user.target # ExecPaths=${pkgs.php}/bin
'';
[Install]
WantedBy=multi-user.target
'';
};
inherit dependsOn;
type = "systemd-unit";
} }
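Review bot: `After=network.target ${postgresServiceName}` only orders the unit; with no `Requires=` or `Wants=` on the database service, `update_daemon2.php` is started against a stopped PostgreSQL whenever only this unit is started, and since no `Restart=` is set the long-running daemon stays down once it exits. The sandbox is also missing the network and namespace restrictions the existing `Protect*`/`Private*` directives imply are wanted: the daemon runs unprivileged and needs only TCP and Unix sockets, so `RestrictAddressFamilies`, `RestrictNamespaces`, `RestrictRealtime` and `SystemCallArchitectures=native` should be safe to add, though I would confirm them together with the `@system-service` filter against a real feed update. Separately, `rec { name = "ttrss-update"; ... }` shadows the `name` argument the outer attrset `inherit`s, so `Description` and `RuntimeDirectory` ignore the caller's name; if that is intentional it deserves a comment. The `[Unit]`/`[Service]` text is complete within this hunk; the `let` bindings it uses are in the first hunk.
```nix
[Unit]
Description=${name}
After=network.target ${postgresServiceName}
Requires=${postgresServiceName}

[Service]
# … unchanged: User, Group, ExecStart, RuntimeDirectory and the existing Private*/Protect* directives …
Restart=on-failure
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
# … unchanged: SystemCallFilter, ProtectSystem, ReadOnlyPaths, ReadWritePaths, [Install] …
```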


@ -99,7 +99,7 @@ rec {
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
WorkingDirectory=${dataFolder} WorkingDirectory=${dataFolder}
StateDirectory=${dataFolder} StateDirectory=${name}
User=${user} User=${user}
Group=${group} Group=${group}
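Review bot: `StateDirectory=${name}` is the right form — the directive takes a name relative to `/var/lib` — but `WorkingDirectory=${dataFolder}` on the previous line still uses the absolute folder, so the two agree only when `dataFolder` is exactly `/var/lib/${name}`; for any other value systemd creates an empty state directory while the process works elsewhere, and both succeed silently. Tie them together, e.g. `WorkingDirectory=/var/lib/${name}` (or derive `dataFolder` from `name` in the `let`), and because vaultwarden's data folder holds the database and its RSA signing keys, add `StateDirectoryMode=0700` rather than relying on the default mode. The enclosing service definition starts and ends outside this hunk.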