Merge pull request #289009 from 999eagle/feat/miniflux-no-db

nixos/miniflux: add option to disable configuring a local postgresql db
2024-03-04 09:47:14 -05:00 · 2024-03-04 09:47:14 -05:00 · 8e19126885
commit 8e19126885
parent 1e17184db0 cb5f2a8e87
2 changed files with 76 additions and 30 deletions
--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@ -16,10 +16,20 @@ in
 {
  options = {
    services.miniflux = {
-      enable = mkEnableOption (lib.mdDoc "miniflux and creates a local postgres database for it");
+      enable = mkEnableOption (lib.mdDoc "miniflux");

      package = mkPackageOption pkgs "miniflux" { };

+      createDatabaseLocally = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = ''
+          Whether a PostgreSQL database should be automatically created and
+          configured on the local host. If set to `false`, you need provision a
+          database yourself and make sure to create the hstore extension in it.
+        '';
+      };
+
      config = mkOption {
        type = with types; attrsOf (oneOf [ str int ]);
        example = literalExpression ''
@ -38,7 +48,7 @@ in
        '';
      };

-      adminCredentialsFile = mkOption  {
+      adminCredentialsFile = mkOption {
        type = types.path;
        description = lib.mdDoc ''
          File containing the ADMIN_USERNAME and
@ -51,14 +61,14 @@ in
  };

  config = mkIf cfg.enable {
-    services.miniflux.config =  {
+    services.miniflux.config = {
      LISTEN_ADDR = mkDefault defaultAddress;
-      DATABASE_URL = "user=miniflux host=/run/postgresql dbname=miniflux";
+      DATABASE_URL = lib.mkIf cfg.createDatabaseLocally "user=miniflux host=/run/postgresql dbname=miniflux";
      RUN_MIGRATIONS = 1;
      CREATE_ADMIN = 1;
    };

-    services.postgresql = {
+    services.postgresql = lib.mkIf cfg.createDatabaseLocally {
      enable = true;
      ensureUsers = [ {
        name = "miniflux";
@ -67,7 +77,7 @@ in
      ensureDatabases = [ "miniflux" ];
    };

-    systemd.services.miniflux-dbsetup = {
+    systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally {
      description = "Miniflux database setup";
      requires = [ "postgresql.service" ];
      after = [ "network.target" "postgresql.service" ];
@ -81,8 +91,9 @@ in
    systemd.services.miniflux = {
      description = "Miniflux service";
      wantedBy = [ "multi-user.target" ];
-      requires = [ "miniflux-dbsetup.service" ];
-      after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
+      requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service";
+      after = [ "network.target" ]
+        ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ];

      serviceConfig = {
        ExecStart = "${cfg.package}/bin/miniflux";
@ -129,6 +140,7 @@ in
        include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
        r ${cfg.package}/bin/miniflux,
        r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
+        rw /run/miniflux/**,
      }
    '';
  };
--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
@ -15,6 +15,10 @@ let
            ADMIN_USERNAME=${username}
            ADMIN_PASSWORD=${password}
          '';
+  postgresPassword = "correcthorsebatterystaple";
+  postgresPasswordFile = pkgs.writeText "pgpass" ''
+    *:*:*:*:${postgresPassword}
+  '';

 in
 {
@ -56,32 +60,62 @@ in
          adminCredentialsFile = customAdminCredentialsFile;
        };
      };
+
+    postgresTcp = { config, pkgs, lib, ... }: {
+      services.postgresql = {
+        enable = true;
+        initialScript = pkgs.writeText "init-postgres" ''
+          CREATE USER miniflux WITH PASSWORD '${postgresPassword}';
+          CREATE DATABASE miniflux WITH OWNER miniflux;
+        '';
+        enableTCPIP = true;
+        authentication = ''
+          host sameuser miniflux samenet scram-sha-256
+        '';
+      };
+      systemd.services.postgresql.postStart = lib.mkAfter ''
+        $PSQL -tAd miniflux -c 'CREATE EXTENSION hstore;'
+      '';
+      networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
+    };
+    externalDb = { ... }: {
+      security.apparmor.enable = true;
+      services.miniflux = {
+        enable = true;
+        createDatabaseLocally = false;
+        inherit adminCredentialsFile;
+        config = {
+          DATABASE_URL = "user=miniflux host=postgresTcp dbname=miniflux sslmode=disable";
+          PGPASSFILE = "/run/miniflux/pgpass";
+        };
+      };
+      systemd.services.miniflux.preStart = ''
+        cp ${postgresPasswordFile} /run/miniflux/pgpass
+        chmod 600 /run/miniflux/pgpass
+      '';
+    };
  };
  testScript = ''
-    start_all()
+    def runTest(machine, port, user):
+      machine.wait_for_unit("miniflux.service")
+      machine.wait_for_open_port(port)
+      machine.succeed(f"curl --fail 'http://localhost:{port}/healthcheck' | grep OK")
+      machine.succeed(
+          f"curl 'http://localhost:{port}/v1/me' -u '{user}' -H Content-Type:application/json | grep '\"is_admin\":true'"
+      )
+      machine.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')

-    default.wait_for_unit("miniflux.service")
-    default.wait_for_open_port(${toString defaultPort})
-    default.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep OK")
-    default.succeed(
-        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
-    )
-    default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
+    default.start()
+    withoutSudo.start()
+    customized.start()
+    postgresTcp.start()

-    withoutSudo.wait_for_unit("miniflux.service")
-    withoutSudo.wait_for_open_port(${toString defaultPort})
-    withoutSudo.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep OK")
-    withoutSudo.succeed(
-        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
-    )
-    withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
+    runTest(default, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
+    runTest(withoutSudo, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
+    runTest(customized, ${toString port}, "${username}:${password}")

-    customized.wait_for_unit("miniflux.service")
-    customized.wait_for_open_port(${toString port})
-    customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep OK")
-    customized.succeed(
-        "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
-    )
-    customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
+    postgresTcp.wait_for_unit("postgresql.service")
+    externalDb.start()
+    runTest(externalDb, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
  '';
 })