diff options
Diffstat (limited to 'nixos/modules/services/web-apps/freshrss.nix')
-rw-r--r-- | nixos/modules/services/web-apps/freshrss.nix | 49 |
1 files changed, 27 insertions, 22 deletions
diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix index c05e7b2c4f7f7..89e29f7ccb51b 100644 --- a/nixos/modules/services/web-apps/freshrss.nix +++ b/nixos/modules/services/web-apps/freshrss.nix @@ -60,7 +60,7 @@ in }; port = mkOption { - type = with types; nullOr port; + type = types.nullOr types.port; default = null; description = mdDoc "Database port for FreshRSS."; example = 3306; @@ -73,7 +73,7 @@ in }; passFile = mkOption { - type = types.nullOr types.str; + type = types.nullOr types.path; default = null; description = mdDoc "Database password file for FreshRSS."; example = "/run/secrets/freshrss"; @@ -116,12 +116,18 @@ in with default values. ''; }; - }; + user = mkOption { + type = types.str; + default = "freshrss"; + description = lib.mdDoc "User under which Freshrss runs."; + }; + }; config = let - systemd-hardening = { + defaultServiceConfig = { + ReadWritePaths = "${cfg.dataDir}"; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DeviceAllow = ""; LockPersonality = true; @@ -146,6 +152,11 @@ in SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; UMask = "0007"; + Type = "oneshot"; + User = cfg.user; + Group = config.users.users.${cfg.user}.group; + StateDirectory = "freshrss"; + WorkingDirectory = cfg.package; }; in mkIf cfg.enable { @@ -199,12 +210,17 @@ in }; }; - users.users.freshrss = { + users.users."${cfg.user}" = { description = "FreshRSS service user"; isSystemUser = true; - group = "freshrss"; + group = "${cfg.user}"; + home = cfg.dataDir; }; - users.groups.freshrss = { }; + users.groups."${cfg.user}" = { }; + + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -" + ]; systemd.services.freshrss-config = let @@ -228,30 +244,24 @@ in { description = "Set up the state directory for FreshRSS before use"; wantedBy = [ "multi-user.target" ]; - serviceConfig = { + serviceConfig = defaultServiceConfig //{ Type = "oneshot"; User = "freshrss"; Group = "freshrss"; StateDirectory = "freshrss"; WorkingDirectory = cfg.package; - } // systemd-hardening; + }; environment = { FRESHRSS_DATA_PATH = cfg.dataDir; }; script = '' - # create files with correct permissions - mkdir -m 755 -p ${cfg.dataDir} - # do installation or reconfigure if test -f ${cfg.dataDir}/config.php; then # reconfigure with settings ./cli/reconfigure.php ${settingsFlags} ./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})" else - # Copy the user data template directory - cp -r ./data ${cfg.dataDir} - # check correct folders in data folder ./cli/prepare.php # install with settings @@ -269,14 +279,9 @@ in environment = { FRESHRSS_DATA_PATH = cfg.dataDir; }; - serviceConfig = { - Type = "oneshot"; - User = "freshrss"; - Group = "freshrss"; - StateDirectory = "freshrss"; - WorkingDirectory = cfg.package; + serviceConfig = defaultServiceConfig //{ ExecStart = "${cfg.package}/app/actualize_script.php"; - } // systemd-hardening; + }; }; }; } |