authorFelix Bühler <Stunkymonkey@users.noreply.github.com>2023-01-08 20:29:18 +0100
committerGitHub <noreply@github.com>2023-01-08 20:29:18 +0100
commit3b8404678a5f789f75b4c10f6cb0e8ec019283b8 (patch)
tree97c15d27a250689f645af5f02931cf820cdd1730
parent3f3c12856bbdd15a2121eecf959cf9219158a9e5 (diff)
parentd80354e22de94ff636d2fd6be629839c34818f0a (diff)
Merge pull request #209526 from NixOS/backport-209254-to-release-22.11
[Backport release-22.11] nixos/freshrss: fix permissions and add database test
-rw-r--r--nixos/modules/services/web-apps/freshrss.nix49
-rw-r--r--nixos/tests/all-tests.nix3
-rw-r--r--nixos/tests/freshrss-pgsql.nix48
-rw-r--r--nixos/tests/freshrss-sqlite.nix (renamed from nixos/tests/freshrss.nix)1
4 files changed, 78 insertions, 23 deletions
diff --git a/nixos/modules/services/web-apps/freshrss.nix b/nixos/modules/services/web-apps/freshrss.nix
index c05e7b2c4f7f..89e29f7ccb51 100644
--- a/nixos/modules/services/web-apps/freshrss.nix
+++ b/nixos/modules/services/web-apps/freshrss.nix
@@ -60,7 +60,7 @@ in
};
port = mkOption {
- type = with types; nullOr port;
+ type = types.nullOr types.port;
default = null;
description = mdDoc "Database port for FreshRSS.";
example = 3306;
@@ -73,7 +73,7 @@ in
};
passFile = mkOption {
- type = types.nullOr types.str;
+ type = types.nullOr types.path;
default = null;
description = mdDoc "Database password file for FreshRSS.";
example = "/run/secrets/freshrss";
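Review bot: Widening `passFile` to `types.path` means a relative path literal such as `./db-password` is now accepted and silently copied into the world-readable Nix store, and the description `"Database password file for FreshRSS."` does not warn about that. Extend it to `description = mdDoc "Database password file for FreshRSS. Must reference a file outside the Nix store (e.g. provisioned by a secrets manager); a path literal would be copied into the world-readable store.";`. The same caveat presumably applies to `passwordFile`, which is declared outside this hunk.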
@@ -116,12 +116,18 @@ in
with default values.
'';
};
- };
+ user = mkOption {
+ type = types.str;
+ default = "freshrss";
+ description = lib.mdDoc "User under which Freshrss runs.";
+ };
+ };
config =
let
- systemd-hardening = {
+ defaultServiceConfig = {
+ ReadWritePaths = "${cfg.dataDir}";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DeviceAllow = "";
LockPersonality = true;
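Review bot: The new `user` option's description does not say that the module itself declares `users.users.${cfg.user}` (with `isSystemUser` and `home = cfg.dataDir`) and a group of the same name, so a value naming an existing account such as `nginx` will very likely produce conflicting option definitions instead of reusing it, and there is no matching `group` option to pair with it. Document the constraint, e.g. `description = lib.mdDoc "User under which FreshRSS runs. The module creates this user and a group of the same name; it must not name an existing account.";`. Alternatively guard the user/group declaration with `mkIf (cfg.user == "freshrss")`, as several other NixOS modules do for their user option; that declaration lives in a later hunk of this commit.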
@@ -146,6 +152,11 @@ in
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
UMask = "0007";
+ Type = "oneshot";
+ User = cfg.user;
+ Group = config.users.users.${cfg.user}.group;
+ StateDirectory = "freshrss";
+ WorkingDirectory = cfg.package;
};
in
mkIf cfg.enable {
@@ -199,12 +210,17 @@ in
};
};
- users.users.freshrss = {
+ users.users."${cfg.user}" = {
description = "FreshRSS service user";
isSystemUser = true;
- group = "freshrss";
+ group = "${cfg.user}";
+ home = cfg.dataDir;
};
- users.groups.freshrss = { };
+ users.groups."${cfg.user}" = { };
+
+ systemd.tmpfiles.rules = [
+ "d '${cfg.dataDir}' - ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
+ ];
systemd.services.freshrss-config =
let
@@ -228,30 +244,24 @@ in
{
description = "Set up the state directory for FreshRSS before use";
wantedBy = [ "multi-user.target" ];
- serviceConfig = {
+ serviceConfig = defaultServiceConfig //{
Type = "oneshot";
User = "freshrss";
Group = "freshrss";
StateDirectory = "freshrss";
WorkingDirectory = cfg.package;
- } // systemd-hardening;
+ };
environment = {
FRESHRSS_DATA_PATH = cfg.dataDir;
};
script = ''
- # create files with correct permissions
- mkdir -m 755 -p ${cfg.dataDir}
-
# do installation or reconfigure
if test -f ${cfg.dataDir}/config.php; then
# reconfigure with settings
./cli/reconfigure.php ${settingsFlags}
./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"
else
- # Copy the user data template directory
- cp -r ./data ${cfg.dataDir}
-
# check correct folders in data folder
./cli/prepare.php
# install with settings
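Review bot: The inner attrset in `serviceConfig = defaultServiceConfig //{ … User = "freshrss"; Group = "freshrss"; … }` wins the `//` merge, so `freshrss-config` ignores the new `services.freshrss.user` option and, once that option is changed, runs as an account that `users.users` no longer declares. All five repeated keys (Type, User, Group, StateDirectory, WorkingDirectory) are already set in `defaultServiceConfig`, so the override can simply become `serviceConfig = defaultServiceConfig;`. Separately, the retained line `./cli/update-user.php --user ${cfg.defaultUser} --password "$(cat ${cfg.passwordFile})"` passes the password on the command line, where it is visible in the process list to every local user; that is pre-existing context here, not introduced by this commit, but worth a follow-up. The script continues past the end of this hunk.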
@@ -269,14 +279,9 @@ in
environment = {
FRESHRSS_DATA_PATH = cfg.dataDir;
};
- serviceConfig = {
- Type = "oneshot";
- User = "freshrss";
- Group = "freshrss";
- StateDirectory = "freshrss";
- WorkingDirectory = cfg.package;
+ serviceConfig = defaultServiceConfig //{
ExecStart = "${cfg.package}/app/actualize_script.php";
- } // systemd-hardening;
+ };
};
};
}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index f5aca45f4cc2..538dbf02e9da 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -214,7 +214,8 @@ in {
fluidd = handleTest ./fluidd.nix {};
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
freeswitch = handleTest ./freeswitch.nix {};
- freshrss = handleTest ./freshrss.nix {};
+ freshrss-sqlite = handleTest ./freshrss-sqlite.nix {};
+ freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};
frr = handleTest ./frr.nix {};
fsck = handleTest ./fsck.nix {};
ft2-clone = handleTest ./ft2-clone.nix {};
diff --git a/nixos/tests/freshrss-pgsql.nix b/nixos/tests/freshrss-pgsql.nix
new file mode 100644
index 000000000000..055bd51ed43d
--- /dev/null
+++ b/nixos/tests/freshrss-pgsql.nix
@@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+ name = "freshrss";
+ meta.maintainers = with lib.maintainers; [ etu stunkymonkey ];
+
+ nodes.machine = { pkgs, ... }: {
+ services.freshrss = {
+ enable = true;
+ baseUrl = "http://localhost";
+ passwordFile = pkgs.writeText "password" "secret";
+ dataDir = "/srv/freshrss";
+ database = {
+ type = "pgsql";
+ port = 5432;
+ user = "freshrss";
+ passFile = pkgs.writeText "db-password" "db-secret";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "freshrss" ];
+ ensureUsers = [
+ {
+ name = "freshrss";
+ ensurePermissions = {
+ "DATABASE freshrss" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ initialScript = pkgs.writeText "postgresql-password" ''
+ CREATE ROLE freshrss WITH LOGIN PASSWORD 'db-secret' CREATEDB;
+ '';
+ };
+
+ systemd.services."freshrss-config" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("multi-user.target")
+ machine.wait_for_open_port(5432)
+ machine.wait_for_open_port(80)
+ response = machine.succeed("curl -vvv -s -H 'Host: freshrss' http://127.0.0.1:80/i/")
+ assert '<title>Login · FreshRSS</title>' in response, "Login page didn't load successfully"
+ '';
+})
diff --git a/nixos/tests/freshrss.nix b/nixos/tests/freshrss-sqlite.nix
index 7bdbf29e9230..b821c98a7e7a 100644
--- a/nixos/tests/freshrss.nix
+++ b/nixos/tests/freshrss-sqlite.nix
@@ -7,6 +7,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
enable = true;
baseUrl = "http://localhost";
passwordFile = pkgs.writeText "password" "secret";
+ dataDir = "/srv/freshrss";
};
};