Merge pull request #55432 from Mic92/ttrss

ttrss: database.passwordFile, ldap plugin, configureable socket
2019-02-10 09:01:45 +00:00 · 2019-02-10 09:01:45 +00:00 · d59f9c0e5f
parent 929cc78363 f636bb2016
commit d59f9c0e5f
3 changed files with 75 additions and 17 deletions
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@ -34,7 +34,14 @@ let
      define('DB_HOST', '${optionalString (cfg.database.host != null) cfg.database.host}');
      define('DB_USER', '${cfg.database.user}');
      define('DB_NAME', '${cfg.database.name}');
-      define('DB_PASS', '${optionalString (cfg.database.password != null) (escape ["'" "\\"] cfg.database.password)}');
+      define('DB_PASS', ${
+        if (cfg.database.password != null) then
+          "'${(escape ["'" "\\"] cfg.database.password)}'"
+        else if (cfg.database.passwordFile != null) then
+          "file_get_contents('${cfg.database.passwordFile}')"
+        else
+          ""
+      });
      define('DB_PORT', '${toString dbPort}');

      define('AUTH_AUTO_CREATE', ${boolToString cfg.auth.autoCreate});
@ -168,6 +175,14 @@ let
          '';
        };

+        passwordFile = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = ''
+            The database user's password.
+          '';
+        };
+
        port = mkOption {
          type = types.nullOr types.int;
          default = null;
@ -479,21 +494,30 @@ let

  config = mkIf cfg.enable {

-    services.phpfpm.poolConfigs = mkIf (cfg.pool == "${poolName}") {
-      "${poolName}" = ''
-        listen = "${phpfpmSocketName}";
-        listen.owner = nginx
-        listen.group = nginx
-        listen.mode = 0600
-        user = ${cfg.user}
-        pm = dynamic
-        pm.max_children = 75
-        pm.start_servers = 10
-        pm.min_spare_servers = 5
-        pm.max_spare_servers = 20
-        pm.max_requests = 500
-        catch_workers_output = 1
-      '';
+    assertions = [
+      {
+        assertion = cfg.database.password != null -> cfg.database.passwordFile == null;
+        message = "Cannot set both password and passwordFile";
+      }
+    ];
+
+    services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
+      "${poolName}" = {
+        listen = "/var/run/phpfpm/${poolName}.sock";
+        extraConfig = ''
+          listen.owner = nginx
+          listen.group = nginx
+          listen.mode = 0600
+          user = ${cfg.user}
+          pm = dynamic
+          pm.max_children = 75
+          pm.start_servers = 10
+          pm.min_spare_servers = 5
+          pm.max_spare_servers = 20
+          pm.max_requests = 500
+          catch_workers_output = 1
+        '';
+      };
    };

    # NOTE: No configuration is done if not using virtual host
@ -510,7 +534,7 @@ let
          locations."~ \.php$" = {
            extraConfig = ''
              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${phpfpmSocketName};
+              fastcgi_pass unix:${config.services.phpfpm.pools.${cfg.pool}.listen};
              fastcgi_index index.php;
            '';
          };
@ -528,6 +552,7 @@ let
          callSql = e:
              if cfg.database.type == "pgsql" then ''
                  ${optionalString (cfg.database.password != null) "PGPASSWORD=${cfg.database.password}"} \
+                  ${optionalString (cfg.database.passwordFile != null) "PGPASSWORD=$(cat ${cfg.database.passwordFile}"}) \
                  ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.postgresql.package}/bin/psql \
                    -U ${cfg.database.user} \
                    ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} --port ${toString dbPort}"} \
--- a/pkgs/servers/tt-rss/plugin-auth-ldap/default.nix
+++ b/pkgs/servers/tt-rss/plugin-auth-ldap/default.nix
@ -0,0 +1,32 @@
+{ stdenv, fetchFromGitHub, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  name = "tt-rss-plugin-auth-ldap-${version}";
+  version = "2.0.0";
+
+  src = fetchFromGitHub {
+    owner = "hydrian";
+    repo = "TTRSS-Auth-LDAP";
+    rev = version;
+    sha256 = "1mg9jff2m0ajxql1vd1g7hsxfbv9smhrmjg4j2gvvjbii45ry0jh";
+  };
+
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/Mic92/TTRSS-Auth-LDAP/commit/7534fa54babc377a070e05e326a46a252b5e3884.patch";
+      sha256 = "1p7zas0n627z0g226dp5m5dg1ai2z3vi69n3xivp517iv3lch70l";
+    })
+  ];
+
+  installPhase = ''
+    install -D plugins/auth_ldap/init.php $out/auth_ldap/init.php
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Plugin for TT-RSS to authenticate users via ldap";
+    license = licenses.gpl3;
+    homepage = https://github.com/hydrian/TTRSS-Auth-LDAP;
+    maintainers = with maintainers; [ mic92 ];
+    platforms = platforms.all;
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -14113,6 +14113,7 @@ in

  tt-rss = callPackage ../servers/tt-rss { };
  tt-rss-plugin-tumblr-gdpr = callPackage ../servers/tt-rss/plugin-tumblr-gdpr { };
+  tt-rss-plugin-auth-ldap = callPackage ../servers/tt-rss/plugin-auth-ldap { };
  tt-rss-theme-feedly = callPackage ../servers/tt-rss/theme-feedly { };

  searx = callPackage ../servers/web-apps/searx { };