author | Guillaume Girol <symphorien+git@xlumurb.eu> | 2021-08-08 12:00:00 +0000 |
---|---|---|
committer | Guillaume Girol <symphorien+git@xlumurb.eu> | 2021-08-08 12:00:00 +0000 |
commit | 48619f77a4b2c02ebc964a3b7afd7341c65dda11 (patch) | |
tree | b134cfe87814708ccfbc137893e3612c2581c313 /nixos | |
parent | 439b1605227b8adb1357b55ce8529d541abbe9eb (diff) | |
nixos/tt-rss: make all php files read only
Fixes: #55300
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-apps/tt-rss.nix | 70 |
1 files changed, 36 insertions, 34 deletions
diff --git a/nixos/modules/services/web-apps/tt-rss.nix b/nixos/modules/services/web-apps/tt-rss.nix
index ed13845915c..bc18c824f39 100644
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@@ -6,10 +6,6 @@ let
 configVersion = 26;
- cacheDir = "cache";
- lockDir = "lock";
- feedIconsDir = "feed-icons";
-
 dbPort = if cfg.database.port == null then (if cfg.database.type == "pgsql" then 5432 else 3306) else cfg.database.port;
@@ -32,10 +28,10 @@ let
 <?php
 putenv('TTRSS_PHP_EXECUTABLE=${pkgs.php}/bin/php');
- putenv('TTRSS_LOCK_DIRECTORY=${lockDir}');
- putenv('TTRSS_CACHE_DIR=${cacheDir}');
- putenv('TTRSS_ICONS_DIR=${feedIconsDir}');
- putenv('TTRSS_ICONS_URL=${feedIconsDir}');
+ putenv('TTRSS_LOCK_DIRECTORY=${cfg.root}/lock');
+ putenv('TTRSS_CACHE_DIR=${cfg.root}/cache');
+ putenv('TTRSS_ICONS_DIR=${cfg.root}/feed-icons');
+ putenv('TTRSS_ICONS_URL=feed-icons');
 putenv('TTRSS_SELF_URL_PATH=${cfg.selfUrlPath}');
 putenv('TTRSS_MYSQL_CHARSET=UTF8');
@@ -101,6 +97,22 @@ let
 ${cfg.extraConfig}
 '';
+ # tt-rss and plugins and themes and config.php
+ servedRoot = pkgs.runCommand "tt-rss-served-root" {} ''
+ cp --no-preserve=mode -r ${pkgs.tt-rss} $out
+ cp ${tt-rss-config} $out/config.php
+ ${optionalString (cfg.pluginPackages != []) ''
+ for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
+ cp -r "$plugin"/* "$out/plugins.local/"
+ done
+ ''}
+ ${optionalString (cfg.themePackages != []) ''
+ for theme in ${concatStringsSep " " cfg.themePackages}; do
+ cp -r "$theme"/* "$out/themes.local/"
+ done
+ ''}
+ '';
+
 in {
 ###### interface
@@ -544,12 +556,16 @@ let
 enable = true;
 virtualHosts = {
 ${cfg.virtualHost} = {
- root = "${cfg.root}";
+ root = "${cfg.root}/www";
 locations."/" = { index = "index.php"; };
+ locations."^~ /feed-icons" = {
+ root = "${cfg.root}";
+ };
+
 locations."~ \\.php$" = {
 extraConfig = ''
 fastcgi_split_path_info ^(.+\.php)(/.+)$; 
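Review bot: `TTRSS_ICONS_URL=feed-icons` is the one value left relative while the three directory variables above it became absolute under `${cfg.root}`, and nothing records that it is meant to meet the nginx `^~ /feed-icons` location introduced later in this patch. That pairing only lines up when tt-rss is served at the virtual-host root; with a sub-path in `selfUrlPath` a browser would presumably resolve `feed-icons` beneath that path, where no such location exists, unless the module constrains this elsewhere. A one-line PHP comment above it, `// relative to the page URL; nginx serves ${cfg.root}/feed-icons at /feed-icons`, would make the dependency visible. The config.php heredoc this hunk sits in starts and ends outside the hunk.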
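Review bot: The plugin and theme copies, `cp -r "$plugin"/* "$out/plugins.local/"` and its theme twin, lack the `--no-preserve=mode` that the `${pkgs.tt-rss}` copy two lines above uses, so any directory inside a plugin or theme package arrives in `$out` with the store's 0555 mode; a second package that needs to write into a same-named subdirectory would then fail the build with a permission error, since the builder is not root. Writing `cp --no-preserve=mode -r "$plugin"/* "$out/plugins.local/"` (and likewise for `$theme`) keeps the three copies consistent. The leading comment could also say why the served tree is a derivation at all, e.g. `# Everything served over HTTP in one read-only store path; ${cfg.root}/www is a symlink to it, so the php-fpm user cannot alter served code.` — the `L+` symlink rule and the commit title are the evidence for that intent, so reword if another reason applies.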
@@ -562,13 +578,19 @@ let
 };
 systemd.tmpfiles.rules = [
- "d '${cfg.root}' 0755 ${cfg.user} tt_rss - -"
- "Z '${cfg.root}' 0755 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}' 0555 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}/lock' 0755 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}/cache' 0755 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}/cache/upload' 0755 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}/cache/images' 0755 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}/cache/export' 0755 ${cfg.user} tt_rss - -"
+ "d '${cfg.root}/feed-icons' 0755 ${cfg.user} tt_rss - -"
+ "L+ '${cfg.root}/www' - - - - ${servedRoot}"
 ];
 systemd.services = {
 phpfpm-tt-rss = mkIf (cfg.pool == "${poolName}") {
- restartTriggers = [ tt-rss-config pkgs.tt-rss ];
+ restartTriggers = [ servedRoot ];
 };
 tt-rss = {
@@ -594,27 +616,7 @@ let
 else "";
- in ''
- rm -rf "${cfg.root}/*"
- cp -r "${pkgs.tt-rss}/"* "${cfg.root}"
- ${optionalString (cfg.pluginPackages != []) ''
- for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
- cp -r "$plugin"/* "${cfg.root}/plugins.local/"
- done
- ''}
- ${optionalString (cfg.themePackages != []) ''
- for theme in ${concatStringsSep " " cfg.themePackages}; do
- cp -r "$theme"/* "${cfg.root}/themes.local/"
- done
- ''}
- ln -sf "${tt-rss-config}" "${cfg.root}/config.php"
- chmod -R 755 "${cfg.root}"
- chmod -R ug+rwX "${cfg.root}/${lockDir}"
- chmod -R ug+rwX "${cfg.root}/${cacheDir}"
- chmod -R ug+rwX "${cfg.root}/${feedIconsDir}"
- ''
-
- + (optionalString (cfg.database.type == "pgsql") ''
+ in (optionalString (cfg.database.type == "pgsql") ''
 exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \
 | tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//') 
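Review bot: `restartTriggers = [ servedRoot ]` is added to the php-fpm pool only; the `tt-rss` unit that opens on the last line of this hunk runs `update.php --daemon` from `${cfg.root}/www`, which the `L+` rule above turns into a symlink into the store, so its unit text no longer changes when tt-rss or a plugin is upgraded and the long-running daemon keeps executing the old code until something else restarts it. Before this patch the shell snippet removed in the next hunk, presumably the unit's preStart, embedded `${pkgs.tt-rss}` and so forced a restart on every upgrade. Unless the rest of the `tt-rss` unit, which lies outside the hunk, already declares one, add `restartTriggers = [ servedRoot ];` there as well. A comment on the tmpfiles block stating that `lock`, `cache/*` and `feed-icons` are the only paths `${cfg.user}` may write, and that of these only `feed-icons` is exposed by nginx, would document the boundary the 0555 root establishes.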
@@ -639,7 +641,7 @@ let
 serviceConfig = {
 User = "${cfg.user}";
 Group = "tt_rss";
- ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon --quiet";
+ ExecStart = "${pkgs.php}/bin/php ${cfg.root}/www/update.php --daemon --quiet";
 Restart = "on-failure";
 RestartSec = "60";
 SyslogIdentifier = "tt-rss"; |