3
0
Fork 0
forked from mirrors/nixpkgs

Merge pull request #133133 from symphorien/tt-rss-read-only

nixos/tt-rss: make all php files read only
This commit is contained in:
Guillaume Girol 2021-08-29 11:33:25 +00:00 committed by GitHub
commit c988c752bb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -6,10 +6,6 @@ let
configVersion = 26;
cacheDir = "cache";
lockDir = "lock";
feedIconsDir = "feed-icons";
dbPort = if cfg.database.port == null
then (if cfg.database.type == "pgsql" then 5432 else 3306)
else cfg.database.port;
@ -32,10 +28,10 @@ let
<?php
putenv('TTRSS_PHP_EXECUTABLE=${pkgs.php}/bin/php');
putenv('TTRSS_LOCK_DIRECTORY=${lockDir}');
putenv('TTRSS_CACHE_DIR=${cacheDir}');
putenv('TTRSS_ICONS_DIR=${feedIconsDir}');
putenv('TTRSS_ICONS_URL=${feedIconsDir}');
putenv('TTRSS_LOCK_DIRECTORY=${cfg.root}/lock');
putenv('TTRSS_CACHE_DIR=${cfg.root}/cache');
putenv('TTRSS_ICONS_DIR=${cfg.root}/feed-icons');
putenv('TTRSS_ICONS_URL=feed-icons');
putenv('TTRSS_SELF_URL_PATH=${cfg.selfUrlPath}');
putenv('TTRSS_MYSQL_CHARSET=UTF8');
@ -101,6 +97,22 @@ let
${cfg.extraConfig}
'';
# tt-rss and plugins and themes and config.php
servedRoot = pkgs.runCommand "tt-rss-served-root" {} ''
cp --no-preserve=mode -r ${pkgs.tt-rss} $out
cp ${tt-rss-config} $out/config.php
${optionalString (cfg.pluginPackages != []) ''
for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
cp -r "$plugin"/* "$out/plugins.local/"
done
''}
${optionalString (cfg.themePackages != []) ''
for theme in ${concatStringsSep " " cfg.themePackages}; do
cp -r "$theme"/* "$out/themes.local/"
done
''}
'';
in {
###### interface
@ -544,12 +556,16 @@ let
enable = true;
virtualHosts = {
${cfg.virtualHost} = {
root = "${cfg.root}";
root = "${cfg.root}/www";
locations."/" = {
index = "index.php";
};
locations."^~ /feed-icons" = {
root = "${cfg.root}";
};
locations."~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
@ -562,13 +578,19 @@ let
};
systemd.tmpfiles.rules = [
"d '${cfg.root}' 0755 ${cfg.user} tt_rss - -"
"Z '${cfg.root}' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}' 0555 ${cfg.user} tt_rss - -"
"d '${cfg.root}/lock' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache/upload' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache/images' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/cache/export' 0755 ${cfg.user} tt_rss - -"
"d '${cfg.root}/feed-icons' 0755 ${cfg.user} tt_rss - -"
"L+ '${cfg.root}/www' - - - - ${servedRoot}"
];
systemd.services = {
phpfpm-tt-rss = mkIf (cfg.pool == "${poolName}") {
restartTriggers = [ tt-rss-config pkgs.tt-rss ];
restartTriggers = [ servedRoot ];
};
tt-rss = {
@ -594,27 +616,7 @@ let
else "";
in ''
rm -rf "${cfg.root}/*"
cp -r "${pkgs.tt-rss}/"* "${cfg.root}"
${optionalString (cfg.pluginPackages != []) ''
for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
cp -r "$plugin"/* "${cfg.root}/plugins.local/"
done
''}
${optionalString (cfg.themePackages != []) ''
for theme in ${concatStringsSep " " cfg.themePackages}; do
cp -r "$theme"/* "${cfg.root}/themes.local/"
done
''}
ln -sf "${tt-rss-config}" "${cfg.root}/config.php"
chmod -R 755 "${cfg.root}"
chmod -R ug+rwX "${cfg.root}/${lockDir}"
chmod -R ug+rwX "${cfg.root}/${cacheDir}"
chmod -R ug+rwX "${cfg.root}/${feedIconsDir}"
''
+ (optionalString (cfg.database.type == "pgsql") ''
in (optionalString (cfg.database.type == "pgsql") ''
exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \
| tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//')
@ -639,7 +641,7 @@ let
serviceConfig = {
User = "${cfg.user}";
Group = "tt_rss";
ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon --quiet";
ExecStart = "${pkgs.php}/bin/php ${cfg.root}/www/update.php --daemon --quiet";
Restart = "on-failure";
RestartSec = "60";
SyslogIdentifier = "tt-rss";