1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
import ./make-test-python.nix ({ pkgs, lib, ... }:
let
port = 3142;
username = "alice";
password = "correcthorsebatterystaple";
defaultPort = 8080;
defaultUsername = "admin";
defaultPassword = "password";
adminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${defaultUsername}
ADMIN_PASSWORD=${defaultPassword}
'';
customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
ADMIN_USERNAME=${username}
ADMIN_PASSWORD=${password}
'';
postgresPassword = "correcthorsebatterystaple";
postgresPasswordFile = pkgs.writeText "pgpass" ''
*:*:*:*:${postgresPassword}
'';
in
{
name = "miniflux";
meta.maintainers = [ ];
nodes = {
default =
{ ... }:
{
security.apparmor.enable = true;
services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
};
withoutSudo =
{ ... }:
{
security.apparmor.enable = true;
services.miniflux = {
enable = true;
inherit adminCredentialsFile;
};
security.sudo.enable = false;
};
customized =
{ ... }:
{
security.apparmor.enable = true;
services.miniflux = {
enable = true;
config = {
CLEANUP_FREQUENCY = "48";
LISTEN_ADDR = "localhost:${toString port}";
};
adminCredentialsFile = customAdminCredentialsFile;
};
};
postgresTcp = { config, pkgs, lib, ... }: {
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "init-postgres" ''
CREATE USER miniflux WITH PASSWORD '${postgresPassword}';
CREATE DATABASE miniflux WITH OWNER miniflux;
'';
enableTCPIP = true;
authentication = ''
host sameuser miniflux samenet scram-sha-256
'';
};
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL -tAd miniflux -c 'CREATE EXTENSION hstore;'
'';
networking.firewall.allowedTCPPorts = [ config.services.postgresql.settings.port ];
};
externalDb = { ... }: {
security.apparmor.enable = true;
services.miniflux = {
enable = true;
createDatabaseLocally = false;
inherit adminCredentialsFile;
config = {
DATABASE_URL = "user=miniflux host=postgresTcp dbname=miniflux sslmode=disable";
PGPASSFILE = "/run/miniflux/pgpass";
};
};
systemd.services.miniflux.preStart = ''
cp ${postgresPasswordFile} /run/miniflux/pgpass
chmod 600 /run/miniflux/pgpass
'';
};
};
testScript = ''
def runTest(machine, port, user):
machine.wait_for_unit("miniflux.service")
machine.wait_for_open_port(port)
machine.succeed(f"curl --fail 'http://localhost:{port}/healthcheck' | grep OK")
machine.succeed(
f"curl 'http://localhost:{port}/v1/me' -u '{user}' -H Content-Type:application/json | grep '\"is_admin\":true'"
)
machine.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
default.start()
withoutSudo.start()
customized.start()
postgresTcp.start()
runTest(default, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
runTest(withoutSudo, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
runTest(customized, ${toString port}, "${username}:${password}")
postgresTcp.wait_for_unit("postgresql.service")
externalDb.start()
runTest(externalDb, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
'';
})
|