Unverified Commit a4eb1b11 authored by Felix Bühler's avatar Felix Bühler Committed by GitHub

Merge pull request #209254 from Stunkymonkey/freshrss-srv-pgsql

nixos/freshrss: fix permissions and add database test
parents 716cab14 0e278788
+27 −22
@@ -60,7 +60,7 @@ in
      };

      port = mkOption {
        type = with types; nullOr port;
        type = types.nullOr types.port;
        default = null;
        description = mdDoc "Database port for FreshRSS.";
        example = 3306;
@@ -73,7 +73,7 @@ in
      };

      passFile = mkOption {
        type = types.nullOr types.str;
        type = types.nullOr types.path;
        default = null;
        description = mdDoc "Database password file for FreshRSS.";
        example = "/run/secrets/freshrss";
@@ -116,12 +116,18 @@ in
        with default values.
      '';
    };
  };

    user = mkOption {
      type = types.str;
      default = "freshrss";
      description = lib.mdDoc "User under which Freshrss runs.";
    };
  };

  config =
    let
      systemd-hardening = {
      defaultServiceConfig = {
        ReadWritePaths = "${cfg.dataDir}";
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        DeviceAllow = "";
        LockPersonality = true;
@@ -146,6 +152,11 @@ in
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
        UMask = "0007";
        Type = "oneshot";
        User = cfg.user;
        Group = config.users.users.${cfg.user}.group;
        StateDirectory = "freshrss";
        WorkingDirectory = cfg.package;
      };
    in
    mkIf cfg.enable {
@@ -199,12 +210,17 @@ in
        };
      };

      users.users.freshrss = {
      users.users."${cfg.user}" = {
        description = "FreshRSS service user";
        isSystemUser = true;
        group = "freshrss";
        group = "${cfg.user}";
        home = cfg.dataDir;
      };
      users.groups.freshrss = { };
      users.groups."${cfg.user}" = { };

      systemd.tmpfiles.rules = [
        "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
      ];

      systemd.services.freshrss-config =
        let
@@ -228,30 +244,24 @@ in
        {
          description = "Set up the state directory for FreshRSS before use";
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
          serviceConfig = defaultServiceConfig //{
            Type = "oneshot";
            User = "freshrss";
            Group = "freshrss";
            StateDirectory = "freshrss";
            WorkingDirectory = cfg.package;
          } // systemd-hardening;
          };
          environment = {
            FRESHRSS_DATA_PATH = cfg.dataDir;
          };

          script = ''
            # create files with correct permissions
            mkdir -m 755 -p ${cfg.dataDir}

            # do installation or reconfigure
            if test -f ${cfg.dataDir}/config.php; then
              # reconfigure with settings
              ./cli/reconfigure.php ${settingsFlags}
              ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
            else
              # Copy the user data template directory
              cp -r ./data ${cfg.dataDir}

              # check correct folders in data folder
              ./cli/prepare.php
              # install with settings
@@ -269,14 +279,9 @@ in
        environment = {
          FRESHRSS_DATA_PATH = cfg.dataDir;
        };
        serviceConfig = {
          Type = "oneshot";
          User = "freshrss";
          Group = "freshrss";
          StateDirectory = "freshrss";
          WorkingDirectory = cfg.package;
        serviceConfig = defaultServiceConfig //{
          ExecStart = "${cfg.package}/app/actualize_script.php";
        } // systemd-hardening;
        };
      };
    };
}
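Review bot: In the hunk at `@@ -199,12 +210,17`, `users.users."${cfg.user}"` and `users.groups."${cfg.user}" = { };` are declared unconditionally, so a deployment that points the new `user` option at an account that already exists for another service gets that account's `group` and `home` redefined to `${cfg.user}` and `cfg.dataDir` instead of being left alone. Guarding both definitions with `mkIf (cfg.user == "freshrss")`, as below, keeps the dedicated account for the default and lets a custom `user` be declared by the caller, while `config.users.users.${cfg.user}.group` in `defaultServiceConfig` and the tmpfiles rule still resolve in either case. The new tmpfiles line also leaves the directory mode at the tmpfiles default (`-`) even though the install/reconfigure script writes `config.php` there, which presumably carries the database credentials read from `passFile`; `"d '${cfg.dataDir}' 0750 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"` would align the directory with the `UMask = "0007"` the services already run under. The enclosing `config = ... mkIf cfg.enable { ... }` set starts and ends outside this hunk.
```nix
      users.users = mkIf (cfg.user == "freshrss") {
        freshrss = {
          description = "FreshRSS service user";
          isSystemUser = true;
          group = "freshrss";
          home = cfg.dataDir;
        };
      };
      users.groups = mkIf (cfg.user == "freshrss") { freshrss = { }; };

      # … unchanged: systemd.tmpfiles.rules, systemd.services.freshrss-config …
```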
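--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -225,7 +225,8 @@ in {
   fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
   freenet = handleTest ./freenet.nix {};
   freeswitch = handleTest ./freeswitch.nix {};
-  freshrss = handleTest ./freshrss.nix {};
+  freshrss-sqlite = handleTest ./freshrss-sqlite.nix {};
+  freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};
   frr = handleTest ./frr.nix {};
   fsck = handleTest ./fsck.nix {};
   ft2-clone = handleTest ./ft2-clone.nix {};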
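--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "freshrss";
+  meta.maintainers = with lib.maintainers; [ etu stunkymonkey ];
+
+  nodes.machine = { pkgs, ... }: {
+    services.freshrss = {
+      enable = true;
+      baseUrl = "http://localhost";
+      passwordFile = pkgs.writeText "password" "secret";
+      dataDir = "/srv/freshrss";
+      database = {
+        type = "pgsql";
+        port = 5432;
+        user = "freshrss";
+        passFile = pkgs.writeText "db-password" "db-secret";
+      };
+    };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "freshrss" ];
+      ensureUsers = [
+        {
+          name = "freshrss";
+          ensurePermissions = {
+            "DATABASE freshrss" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+      initialScript = pkgs.writeText "postgresql-password" ''
+        CREATE ROLE freshrss WITH LOGIN PASSWORD 'db-secret' CREATEDB;
+      '';
+    };
+
+    systemd.services."freshrss-config" = {
+      requires = [ "postgresql.service" ];
+      after = [ "postgresql.service" ];
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_open_port(5432)
+    machine.wait_for_open_port(80)
+    response = machine.succeed("curl -vvv -s -H 'Host: freshrss' http://127.0.0.1:80/i/")
+    assert '<title>Login · FreshRSS</title>' in response, "Login page didn't load successfully"
+  '';
+})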
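Review bot: The single assertion in `testScript` checks only the login-page title, so the test does not distinguish the `pgsql` backend it configures from a service that never reached PostgreSQL at all; adding after the title check `tables = machine.succeed("sudo -u postgres psql -d freshrss -tAc \"SELECT count(*) FROM pg_tables WHERE schemaname = 'public'\"")` and `assert int(tables) > 0, "FreshRSS created no tables in PostgreSQL"` would pin the backend down (a count rather than a table name, since the schema FreshRSS creates is not visible here). The role in `initialScript` is also granted `CREATEDB`, which nothing in the test uses because `ensureDatabases` already creates `freshrss` and `ensurePermissions` grants on it; `CREATE ROLE freshrss WITH LOGIN PASSWORD 'db-secret';` is sufficient and keeps the test role minimal.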
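--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -7,6 +7,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
       enable = true;
       baseUrl = "http://localhost";
       passwordFile = pkgs.writeText "password" "secret";
+      dataDir = "/srv/freshrss";
     };
   };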