Merge pull request #111030 from cript0nauta/miniflux-sudo

nixos/miniflux: don't depend on sudo
Aaron Andersen 2021-03-12 20:42:09 -05:00 committed by GitHub
commit 5a24206e17
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 7 deletions


@ -14,17 +14,16 @@ let
ADMIN_PASSWORD=password ADMIN_PASSWORD=password
''; '';
pgsu = "${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser}";
pgbin = "${config.services.postgresql.package}/bin"; pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" '' preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell} #!${pkgs.runtimeShell}
db_exists() { db_exists() {
[ "$(${pgsu} ${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ] [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
} }
if ! db_exists "${dbName}"; then if ! db_exists "${dbName}"; then
${pgsu} ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'" ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
${pgsu} ${pgbin}/createdb --owner "${dbUser}" "${dbName}" ${pgbin}/createdb --owner "${dbUser}" "${dbName}"
${pgsu} ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore" ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
fi fi
''; '';
in in
@ -73,15 +72,26 @@ in
services.postgresql.enable = true; services.postgresql.enable = true;
systemd.services.miniflux-dbsetup = {
description = "Miniflux database setup";
wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ];
serviceConfig = {
Type = "oneshot";
User = config.services.postgresql.superUser;
ExecStart = preStart;
};
};
systemd.services.miniflux = { systemd.services.miniflux = {
description = "Miniflux service"; description = "Miniflux service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ]; after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.miniflux}/bin/miniflux"; ExecStart = "${pkgs.miniflux}/bin/miniflux";
ExecStartPre = "+${preStart}";
DynamicUser = true; DynamicUser = true;
RuntimeDirectory = "miniflux"; RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700"; RuntimeDirectoryMode = "0700";
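Review bot: The new `miniflux-dbsetup.service` entry in the `after` list of `systemd.services.miniflux` has no counterpart in `requires`, so systemd only orders the two units when both are already queued; a failed dbsetup does not stop miniflux from starting, and a manual `systemctl start miniflux` does not pull dbsetup in. The removed `ExecStartPre` gave both guarantees, since it ran on every start and blocked the main process on failure. I would change the line to `requires = [ "postgresql.service" "miniflux-dbsetup.service" ];`; because the unit is a oneshot without `RemainAfterExit`, it would then rerun on each start, which the `db_exists` guard makes harmless. Separately, and unchanged by this commit, the `CREATE ROLE` line still writes `${dbPassword}` into a script in the world-readable Nix store and onto the psql command line, which is worth a follow-up. The `serviceConfig` block continues past the end of the hunk.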


@ -20,6 +20,13 @@ with lib;
services.miniflux.enable = true; services.miniflux.enable = true;
}; };
withoutSudo =
{ ... }:
{
services.miniflux.enable = true;
security.sudo.enable = false;
};
customized = customized =
{ ... }: { ... }:
{ {
@ -46,6 +53,13 @@ with lib;
"curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'" "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"
) )
withoutSudo.wait_for_unit("miniflux.service")
withoutSudo.wait_for_open_port(${toString defaultPort})
withoutSudo.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep -q OK")
withoutSudo.succeed(
"curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep -q '\"is_admin\":true'"
)
customized.wait_for_unit("miniflux.service") customized.wait_for_unit("miniflux.service")
customized.wait_for_open_port(${toString port}) customized.wait_for_open_port(${toString port})
customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK") customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep -q OK")