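# Builds a hardened systemd unit for the tt-rss feed update daemon
# (update_daemon2.php) and installs it as
# $out/etc/systemd/system/ttrss-update.service.
#
# The expression is curried in three stages:
#   1. nixpkgs inputs (stdenv, pkgs, lib),
#   2. sandbox tuning: extra ReadOnlyPaths / ReadWritePaths for the unit,
#   3. the tt-rss and PostgreSQL service descriptions this unit depends on
#      (TtrssService.{documentRoot,documentName,user,group} and
#      TtrssPostgresDB.postgresServiceName); other attributes are ignored.
{ stdenv
, pkgs
, lib
}:

{ readOnlyPaths ? []
, readWritePaths ? []
}:

{ TtrssService
, TtrssPostgresDB
, ...
}:

# Assumptions:
# - Do not run as root.
# - Image cache should be writable.
# - Upload cache should be writable.
# - Data export cache should be writable.
# - ICONS_DIR should be writable.
# - LOCK_DIRECTORY should be writable.
#
# With ProtectSystem=strict the whole filesystem is read-only for the unit
# except the paths listed in ReadWritePaths, so every directory above that the
# daemon writes to must be passed in through `readWritePaths` (or live under
# the RuntimeDirectory created below); otherwise the daemon fails with EROFS.

let
  # Directory holding update_daemon2.php (and whatever tt-rss reads next to it).
  fullPath = "${TtrssService.documentRoot}/${TtrssService.documentName}";
  roPaths = [fullPath] ++ readOnlyPaths;
  # Join a path list for a unit directive. An empty list yields an empty
  # value, which systemd interprets as "reset the list" -- harmless here.
  joinPaths = lib.concatStringsSep " ";
in
stdenv.mkDerivation rec {
  name = "ttrss-update";

  src = pkgs.writeTextDir "${name}.service" ''
    [Unit]
    Description=${name}
    # After= only orders the two units; Wants= additionally pulls the database
    # in, so the daemon is not started against a DB that was never scheduled.
    Wants=${TtrssPostgresDB.postgresServiceName}
    After=network.target ${TtrssPostgresDB.postgresServiceName}

    [Service]
    User=${TtrssService.user}
    Group=${TtrssService.group}
    ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
    # Long-running daemon: bring it back after a crash instead of leaving
    # feeds silently stale.
    Restart=on-failure
    RestartSec=10s

    # --- sandboxing ----------------------------------------------------------
    PrivateDevices=true
    PrivateTmp=true
    ProtectKernelTunables=true
    ProtectKernelModules=true
    ProtectControlGroups=true
    ProtectKernelLogs=true
    ProtectHome=true
    ProtectHostname=true
    ProtectClock=true
    ProtectProc=invisible
    RestrictSUIDSGID=true
    RestrictNamespaces=true
    RestrictRealtime=true
    LockPersonality=true
    # The daemon runs unprivileged; an empty bounding set also neutralises file
    # capabilities on anything it might exec.
    CapabilityBoundingSet=
    AmbientCapabilities=
    # Feed fetching needs IPv4/IPv6; the database may be reached over a UNIX
    # socket. Everything else (netlink, packet, ...) is denied.
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    SystemCallArchitectures=native
    # Allow list first (@system-service already includes the first three
    # groups; they are kept for clarity), then an explicit deny list. Drop
    # @resources from the deny list if the daemon ever needs setrlimit/nice.
    SystemCallFilter=@basic-io @file-system @process @system-service
    SystemCallFilter=~@privileged @resources
    # MemoryDenyWriteExecute is deliberately not set: PHP's PCRE JIT (and an
    # enabled opcache JIT) rely on W+X mappings and would break under it --
    # TODO confirm against the PHP build in use before enabling.

    ProtectSystem=strict
    ReadOnlyPaths=${joinPaths roPaths}
    ReadWritePaths=${joinPaths readWritePaths}

    # Left disabled: NoExecPaths=/ also blocks PROT_EXEC mappings of php's
    # shared libraries under /nix/store, so ExecPaths would have to cover
    # php's whole runtime closure rather than just its bin directory.
    # NoExecPaths=/
    # ExecPaths=${pkgs.php}/bin

    NoNewPrivileges=true

    # Creates /run/${name}, writable by the service user; suitable for
    # LOCK_DIRECTORY if tt-rss is configured to point there.
    RuntimeDirectory=${name}

    [Install]
    WantedBy=multi-user.target
  '';

  # Nothing to build: place the generated unit where a systemd-unit-aware
  # consumer of this derivation expects to find it.
  installPhase = ''
    mkdir -p $out/etc/systemd/system
    cp $src/*.service $out/etc/systemd/system
  '';
}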