Merge pull request #64365 from aanderse/tt-rss

nixos/tt-rss: remove deprecated usage of PermissionsStartOnly, specify a group to run service as, and fix local pgsql database creation
2024-11-16 14:54:29 +01:00 · 2019-07-20 08:23:48 -04:00 · 2019-07-20 08:23:48 -04:00 · faf884ca9b
commit faf884ca9b
parent a149c7543a 1cd3b98c3a
1 changed files with 35 additions and 27 deletions
--- a/nixos/modules/services/web-apps/tt-rss.nix
+++ b/nixos/modules/services/web-apps/tt-rss.nix
@ -16,6 +16,9 @@ let
  poolName = "tt-rss";
  mysqlLocal = cfg.database.createLocally && cfg.database.type == "mysql";
  pgsqlLocal = cfg.database.createLocally && cfg.database.type == "pgsql";
  tt-rss-config = pkgs.writeText "config.php" ''
    <?php
@ -200,6 +203,12 @@ let
            and 3306 for pgsql and mysql respectively).
          '';
        };
        createLocally = mkOption {
          type = types.bool;
          default = true;
          description = "Create the database and database user locally.";
        };
      };
      auth = {
@ -551,9 +560,13 @@ let
      };
    };
-    systemd.services.tt-rss = let
+    systemd.tmpfiles.rules = [
-      dbService = if cfg.database.type == "pgsql" then "postgresql.service" else "mysql.service";
+      "d '${cfg.root}' 0755 ${cfg.user} tt_rss - -"
-    in {
+      "Z '${cfg.root}' 0755 ${cfg.user} tt_rss - -"
    ];
    systemd.services.tt-rss =
      {
        description = "Tiny Tiny RSS feeds update daemon";
@ -562,14 +575,14 @@ let
              if cfg.database.type == "pgsql" then ''
                  ${optionalString (cfg.database.password != null) "PGPASSWORD=${cfg.database.password}"} \
                  ${optionalString (cfg.database.passwordFile != null) "PGPASSWORD=$(cat ${cfg.database.passwordFile})"} \
-                  ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.postgresql.package}/bin/psql \
+                  ${config.services.postgresql.package}/bin/psql \
                    -U ${cfg.database.user} \
                    ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} --port ${toString dbPort}"} \
                    -c '${e}' \
                    ${cfg.database.name}''
              else if cfg.database.type == "mysql" then ''
-                  echo '${e}' | ${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.mysql.package}/bin/mysql \
+                  echo '${e}' | ${config.services.mysql.package}/bin/mysql \
                    -u ${cfg.database.user} \
                    ${optionalString (cfg.database.password != null) "-p${cfg.database.password}"} \
                    ${optionalString (cfg.database.host != null) "-h ${cfg.database.host} -P ${toString dbPort}"} \
@ -579,7 +592,6 @@ let
        in ''
          rm -rf "${cfg.root}/*"
          mkdir -m 755 -p "${cfg.root}"
          cp -r "${pkgs.tt-rss}/"* "${cfg.root}"
          ${optionalString (cfg.pluginPackages != []) ''
            for plugin in ${concatStringsSep " " cfg.pluginPackages}; do
@ -592,19 +604,10 @@ let
            done
          ''}
          ln -sf "${tt-rss-config}" "${cfg.root}/config.php"
          chown -R "${cfg.user}" "${cfg.root}"
          chmod -R 755 "${cfg.root}"
        ''
        + (optionalString (cfg.database.type == "pgsql") ''
          ${optionalString (cfg.database.host == null && cfg.database.password == null) ''
            if ! [ -e ${cfg.root}/.db-created ]; then
              ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser ${cfg.database.user}
              ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O ${cfg.database.user} ${cfg.database.name}
              touch ${cfg.root}/.db-created
            fi
          ''}
          exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \
          | tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//')
@ -628,18 +631,18 @@ let
        serviceConfig = {
          User = "${cfg.user}";
          Group = "tt_rss";
          ExecStart = "${pkgs.php}/bin/php ${cfg.root}/update.php --daemon";
          StandardOutput = "syslog";
          StandardError = "syslog";
          PermissionsStartOnly = true;
        };
        wantedBy = [ "multi-user.target" ];
-        requires = ["${dbService}"];
+        requires = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
-        after = ["network.target" "${dbService}"];
+        after = [ "network.target" ] ++ optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service";
    };
-    services.mysql = optionalAttrs (cfg.database.type == "mysql") {
+    services.mysql = mkIf mysqlLocal {
      enable = true;
      package = mkDefault pkgs.mysql;
      ensureDatabases = [ cfg.database.name ];
@ -653,17 +656,22 @@ let
      ];
    };
-    services.postgresql = optionalAttrs (cfg.database.type == "pgsql") {
+    services.postgresql = mkIf pgsqlLocal {
      enable = mkDefault true;
      ensureDatabases = [ cfg.database.name ];
      ensureUsers = [
        { name = cfg.user;
          ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
        }
      ];
    };
-    users = optionalAttrs (cfg.user == "tt_rss") {
+    users.users.tt_rss = optionalAttrs (cfg.user == "tt_rss") {
-      users.tt_rss = {
+      description = "tt-rss service user";
-        description = "tt-rss service user";
+      isSystemUser = true;
-        isSystemUser = true;
+      group = "tt_rss";
        group = "tt_rss";
      };
      groups.tt_rss = {};
    };
    users.groups.tt_rss = {};
  };
 }