From 8c7ad41570dac51acd4685adda6b6d882dbcc676 Mon Sep 17 00:00:00 2001
From: NotAShelf
Date: Tue, 9 Jul 2024 16:11:01 +0300
Subject: [PATCH 1/3] miniflux: vendor upstream systemd service
---
 pkgs/by-name/mi/miniflux/package.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/by-name/mi/miniflux/package.nix b/pkgs/by-name/mi/miniflux/package.nix
index c3e590e80fd41..6c28496b897c7 100644
--- a/pkgs/by-name/mi/miniflux/package.nix
+++ b/pkgs/by-name/mi/miniflux/package.nix
@@ -24,6 +24,11 @@ buildGoModule rec {
 postInstall = ''
 mv $out/bin/miniflux.app $out/bin/miniflux
 installManPage miniflux.1
+
+ # Upstream provides a Systemd service.
+ # Ship it with the package, for usage
+ # in `systemd.packages`
+ install -Dm444 packaging/systemd/miniflux.service -t $out/lib/systemd/system
 '';
 passthru = {
From 1f4f2ee8ee19bb7eea06ffd2e09bc059116867ee Mon Sep 17 00:00:00 2001
From: NotAShelf
Date: Tue, 9 Jul 2024 16:36:05 +0300
Subject: [PATCH 2/3] nixos/miniflux: use vendored systemd service
---
 nixos/modules/services/web-apps/miniflux.nix | 28 +++++---------------
 1 file changed, 6 insertions(+), 22 deletions(-)
diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix
index b733ceec74dbe..52221b3ef90cb 100644
--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -84,6 +84,8 @@ in
 ensureDatabases = [ "miniflux" ];
 };
+ systemd.packages = [ cfg.package ];
+
 systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally {
 description = "Miniflux database setup";
 requires = [ "postgresql.service" ];
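Review bot: The upstream unit is installed byte-for-byte by the new `install -Dm444` line, so any absolute paths it carries (the `""` resets that PATCH 2/3 adds for ExecStart and EnvironmentFile suggest it names a conventional binary and config path) will not resolve for a consumer that uses the package through `systemd.packages` without the NixOS module. Rewriting the binary path at build time before the install line, `substituteInPlace packaging/systemd/miniflux.service --replace-fail "<upstream ExecStart path>" "$out/bin/miniflux"`, would make the shipped unit usable on its own; the placeholder must be checked against the actual file. The comment above the line could also say that the NixOS module overrides ExecStart, so readers know the two pieces are coupled. The postInstall string continues outside the hunk.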
@@ -103,45 +105,27 @@ in
 ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ];
 serviceConfig = {
- Type = "notify";
- ExecStart = lib.getExe cfg.package;
+ ExecStart = [ "" (lib.getExe cfg.package) ];
+ EnvironmentFile = lib.optional (cfg.adminCredentialsFile != null) [ "" cfg.adminCredentialsFile ];
 User = "miniflux";
 DynamicUser = true;
- RuntimeDirectory = "miniflux";
 RuntimeDirectoryMode = "0750";
- EnvironmentFile = lib.mkIf (cfg.adminCredentialsFile != null) cfg.adminCredentialsFile;
- WatchdogSec = 60;
- WatchdogSignal = "SIGKILL";
- Restart = "always";
- RestartSec = 5;
- # Hardening
+ AmbientCapabilities = [ "" ];
 CapabilityBoundingSet = [ "" ];
 DeviceAllow = [ "" ];
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- PrivateDevices = true;
 PrivateUsers = true;
 ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
 ProtectProc = "invisible";
 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
 RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
 SystemCallFilter = [ "@system-service" "~@privileged" ];
 UMask = "0077";
 };
 environment = lib.mapAttrs (_: toString) cfg.config;
 };
+ environment.systemPackages = [ cfg.package ];
 security.apparmor.policies."bin.miniflux".profile = ''
From ef039d09941e9ff3fc207c61f81979f87ec1c455 Mon Sep 17 00:00:00 2001
From: NotAShelf
Date: Tue, 1 Oct 2024 08:36:06 +0300
Subject: [PATCH 3/3] nixos/miniflux: fix tests
---
 nixos/modules/services/web-apps/miniflux.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix
index 52221b3ef90cb..807e467f4a006 100644
--- a/nixos/modules/services/web-apps/miniflux.nix
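Review bot: Thirteen hardening directives (LockPersonality through SystemCallArchitectures) plus Type, the Watchdog pair, Restart and RuntimeDirectory are removed from serviceConfig without anything in this series showing that the vendored unit sets them, so the effective sandbox after the change cannot be verified from the diff, and any directive absent upstream is lost silently because the unit still starts. I would keep a comment above the surviving block, `# Directives removed here are expected from the upstream unit in cfg.package; re-check with systemd-analyze security miniflux.service on package bumps`, and compare the unit's [Service] section against the removed list before merging; RuntimeDirectoryMode = "0750" in particular now only takes effect if the upstream unit declares a RuntimeDirectory. The EnvironmentFile reset is also conditional on adminCredentialsFile, so with it null whatever EnvironmentFile the upstream unit names stays active and, unless that path is marked optional with a leading `-`, the service will fail to start on a host without it; `EnvironmentFile = [ "" ] ++ lib.optional (cfg.adminCredentialsFile != null) cfg.adminCredentialsFile;` resets it unconditionally. The serviceConfig block and the enclosing systemd.services.miniflux definition begin before the hunk.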
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -106,7 +106,7 @@ in
 serviceConfig = {
 ExecStart = [ "" (lib.getExe cfg.package) ];
- EnvironmentFile = lib.optional (cfg.adminCredentialsFile != null) [ "" cfg.adminCredentialsFile ];
+ EnvironmentFile = lib.optionals (cfg.adminCredentialsFile != null) [ "" cfg.adminCredentialsFile ];
 User = "miniflux";
 DynamicUser = true;
 RuntimeDirectoryMode = "0750";