movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-12 05:16:25 +03:00
Code Activity

Merge pull request #133133 from symphorien/tt-rss-read-only

Browse source 
nixos/tt-rss: make all php files read only
This commit is contained in:
Guillaume Girol 2021-08-29 11:33:25 +00:00 committed by GitHub
commit c988c752bb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 36 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

70
nixos/modules/services/web-apps/tt-rss.nix
View file

@ -6,10 +6,6 @@ let
configVersion = 26; configVersion = 26;
cacheDir = "cache";
lockDir = "lock";
feedIconsDir = "feed-icons";
dbPort = if cfg.database.port == null dbPort = if cfg.database.port == null
then (if cfg.database.type == "pgsql" then 5432 else 3306) then (if cfg.database.type == "pgsql" then 5432 else 3306)
else cfg.database.port; else cfg.database.port;
@ -32,10 +28,10 @@ let
<?php <?php
putenv('TTRSS_PHP_EXECUTABLE=${pkgs.php}/bin/php'); putenv('TTRSS_PHP_EXECUTABLE=${pkgs.php}/bin/php');
putenv('TTRSS_LOCK_DIRECTORY=${lockDir}'); putenv('TTRSS_LOCK_DIRECTORY=${cfg.root}/lock');
putenv('TTRSS_CACHE_DIR=${cacheDir}'); putenv('TTRSS_CACHE_DIR=${cfg.root}/cache');
putenv('TTRSS_ICONS_DIR=${feedIconsDir}'); putenv('TTRSS_ICONS_DIR=${cfg.root}/feed-icons');
putenv('TTRSS_ICONS_URL=${feedIconsDir}'); putenv('TTRSS_ICONS_URL=feed-icons');
putenv('TTRSS_SELF_URL_PATH=${cfg.selfUrlPath}'); putenv('TTRSS_SELF_URL_PATH=${cfg.selfUrlPath}');
putenv('TTRSS_MYSQL_CHARSET=UTF8'); putenv('TTRSS_MYSQL_CHARSET=UTF8');
@ -101,6 +97,22 @@ let
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
# tt-rss and plugins and themes and config.php
servedRoot = pkgs.runCommand "tt-rss-served-root" {} ''
cp --no-preserve=mode -r ${pkgs.tt-rss} $out
cp ${tt-rss-config} $out/config.php
${optionalString (cfg.pluginPackages != []) ''
for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
cp -r "$plugin"/* "$out/plugins.local/"
done
''}
${optionalString (cfg.themePackages != []) ''
for theme in ${concatStringsSep " " cfg.themePackages}; do
cp -r "$theme"/* "$out/themes.local/"
done
''}
'';
in { in {
###### interface ###### interface
@ -544,12 +556,16 @@ let
enable = true; enable = true;
virtualHosts = { virtualHosts = {
${cfg.virtualHost} = { ${cfg.virtualHost} = {
root = "${cfg.root}"; root = "${cfg.root}/www";
locations."/" = { locations."/" = {
index = "index.php"; index = "index.php";
}; };
locations."^~ /feed-icons" = {
root = "${cfg.root}";
};
locations."~ \\.php$" = { locations."~ \\.php$" = {
extraConfig = '' extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
@ -562,13 +578,19 @@ let
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.root}' 0755 ${cfg.user} tt_rss - -" "d '${cfg.root}' 0555 ${cfg.user} tt_rss - -"
"Z '${cfg.root}' 0755 ${cfg.user} tt_rss - -" "d '${cfg.root}/lock' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache/upload' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache/images' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache/export' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/feed-icons' 0755 ${cfg.user} tt_rss - -"
"L+ '${cfg.root}/www' - - - - ${servedRoot}"
]; ];
systemd.services = { systemd.services = {
phpfpm-tt-rss = mkIf (cfg.pool == "${poolName}") { phpfpm-tt-rss = mkIf (cfg.pool == "${poolName}") {
restartTriggers = [ tt-rss-config pkgs.tt-rss ]; restartTriggers = [ servedRoot ];
}; };
tt-rss = { tt-rss = {
@ -594,27 +616,7 @@ let
else ""; else "";
in '' in (optionalString (cfg.database.type == "pgsql") ''
rm -rf "${cfg.root}/*"
cp -r "${pkgs.tt-rss}/"* "${cfg.root}"
${optionalString (cfg.pluginPackages != []) ''
for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
cp -r "$plugin"/* "${cfg.root}/plugins.local/"
done
''}
${optionalString (cfg.themePackages != []) ''
for theme in ${concatStringsSep " " cfg.themePackages}; do
cp -r "$theme"/* "${cfg.root}/themes.local/"
done
''}
ln -sf "${tt-rss-config}" "${cfg.root}/config.php"
chmod -R 755 "${cfg.root}"
chmod -R ug+rwX "${cfg.root}/${lockDir}"
chmod -R ug+rwX "${cfg.root}/${cacheDir}"
chmod -R ug+rwX "${cfg.root}/${feedIconsDir}"
''
+ (optionalString (cfg.database.type == "pgsql") ''
exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \ exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \
| tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//') | tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//')
@ -639,7 +641,7 @@ let
serviceConfig = { serviceConfig = {
User = "${cfg.user}"; User = "${cfg.user}";
Group = "tt_rss"; Group = "tt_rss";
ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon --quiet"; ExecStart = "${pkgs.php}/bin/php ${cfg.root}/www/update.php --daemon --quiet";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "60"; RestartSec = "60";
SyslogIdentifier = "tt-rss"; SyslogIdentifier = "tt-rss";