{,nixos/}pocket-id: 0.53.0 -> 1.1.0 (#411229)

This commit is contained in:
Marcus Ramberg 2025-05-31 18:06:33 +02:00 committed by GitHub
commit 7d26069e0d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 68 additions and 139 deletions


@ -25,6 +25,8 @@
- The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
- `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.
## Other Notable Changes {#sec-release-25.11-notable-changes}


@ -7,12 +7,16 @@
let
inherit (lib)
concatMap
concatStringsSep
getExe
maintainers
mkEnableOption
mkIf
mkOption
optionalAttrs
optional
mkPackageOption
optional
optionalAttrs
;
inherit (lib.types)
bool
@ -27,7 +31,7 @@ let
settingsFile = format.generate "pocket-id-env-vars" cfg.settings;
in
{
meta.maintainers = with lib.maintainers; [
meta.maintainers = with maintainers; [
gepbird
ymstnt
];
@ -56,7 +60,7 @@ in
freeformType = format.type;
options = {
PUBLIC_APP_URL = mkOption {
APP_URL = mkOption {
type = str;
description = ''
The URL where you will access the app.
@ -71,6 +75,16 @@ in
'';
default = false;
};
ANALYTICS_DISABLED = mkOption {
type = bool;
description = ''
Whether to disable analytics.
See [docs page](https://pocket-id.org/docs/configuration/analytics/).
'';
default = false;
};
};
};
@ -105,18 +119,36 @@ in
};
config = mkIf cfg.enable {
warnings = (
warnings =
optional (cfg.settings ? MAXMIND_LICENSE_KEY)
"config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
);
++ concatMap
(
# Added 2025-05-27
setting:
optional (cfg.settings ? "${setting}") ''
config.services.pocket-id.settings.${setting} is deprecated.
See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions.
''
)
[
"PUBLIC_APP_URL"
"PUBLIC_UI_CONFIG_DISABLED"
"CADDY_DISABLED"
"CADDY_PORT"
"BACKEND_PORT"
"POSTGRES_CONNECTION_STRING"
"SQLITE_DB_PATH"
"INTERNAL_BACKEND_URL"
];
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
];
systemd.services = {
pocket-id-backend = {
description = "Pocket ID backend";
pocket-id = {
description = "Pocket ID";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
@ -130,7 +162,7 @@ in
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/pocket-id-backend";
ExecStart = getExe cfg.package;
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
@ -169,7 +201,7 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
SystemCallFilter = concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
@ -186,80 +218,6 @@ in
UMask = "0077";
};
};
pocket-id-frontend = {
description = "Pocket ID frontend";
after = [
"network.target"
"pocket-id-backend.service"
];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.package
cfg.environmentFile
settingsFile
];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/pocket-id-frontend";
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
settingsFile
];
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
DevicePolicy = "closed";
#IPAddressDeny = "any"; # communicates with the backend and client
LockPersonality = true;
MemoryDenyWriteExecute = false; # V8_Fatal segfault
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = false; # communicates with the backend and client
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
"@debug"
"@module"
"@mount"
"@obsolete"
"@privileged"
"@raw-io"
"@reboot"
"@resources"
"@swap"
];
UMask = "0077";
};
};
};
users.users = optionalAttrs (cfg.user == "pocket-id") {
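Review bot: The new `ANALYTICS_DISABLED` option in the `@ -71,6 +75,16 @@` hunk defaults to `false`, which means upstream analytics reporting stays enabled unless the administrator opts out, but the description only says "Whether to disable analytics." and leaves that consequence implicit. Suggest stating it in the description, e.g. `Whether to disable analytics. At the default of false Pocket ID's analytics reporting remains enabled; set to true to opt out.`. Separately, because `settings` is freeform (`freeformType = format.type`) and `settingsFile = format.generate "pocket-id-env-vars" cfg.settings`, the keys that now trigger the deprecation warning are still written into the environment file and handed to the service; whether 1.x ignores them or rejects them is not visible here, so the warning text could add `The value is still passed to the service unchanged.` so readers know the warning is advisory only.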


@ -15,8 +15,6 @@
enable = true;
settings = {
PORT = 10001;
INTERNAL_BACKEND_URL = "http://localhost:10002";
BACKEND_PORT = 10002;
};
};
};
@ -29,17 +27,14 @@
inherit (builtins) toString;
in
''
machine.wait_for_unit("pocket-id-backend.service")
machine.wait_for_open_port(${toString settings.BACKEND_PORT})
machine.wait_for_unit("pocket-id-frontend.service")
machine.wait_for_unit("pocket-id.service")
machine.wait_for_open_port(${toString settings.PORT})
backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me")
backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
assert backend_status == "401"
machine.succeed("grep 'You are not signed in' /tmp/backend-output")
frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
assert frontend_status == "200"
machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
'';
}
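Review bot: The frontend assertions (`assert frontend_status == "200"` and the grep for 'Sign in to Pocket ID') are dropped rather than retargeted at the new single service, so the test no longer verifies that the bundled UI is served at all; only the 401 from `/api/users/me` is still checked. Since the package now copies the frontend `dist` into the Go build, a request to the root path on the same port should still succeed, e.g. `frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")` followed by `assert frontend_status == "200"`. The login-page text may have changed in 1.x, so the grep string should be re-verified against the new build before being reinstated.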


@ -3,36 +3,38 @@
fetchFromGitHub,
buildGoModule,
buildNpmPackage,
makeWrapper,
nodejs,
stdenvNoCC,
nixosTests,
nix-update-script,
}:
stdenvNoCC.mkDerivation (finalAttrs: {
buildGoModule (finalAttrs: {
pname = "pocket-id";
version = "0.53.0";
version = "1.1.0";
src = fetchFromGitHub {
owner = "pocket-id";
repo = "pocket-id";
tag = "v${finalAttrs.version}";
hash = "sha256-3lW4jPh9YElgpBcIooGQ2zZbNwC/rz7CABsp7ScTxyQ=";
hash = "sha256-J/s8wpKAU7w8Djtd7rtamCzg/7176W0ybSoAB/vHOjs=";
};
backend = buildGoModule {
pname = "pocket-id-backend";
inherit (finalAttrs) version src;
sourceRoot = "${finalAttrs.src.name}/backend";
sourceRoot = "${finalAttrs.src.name}/backend";
vendorHash = "sha256-jLwuBYiFZhUDIvG5uk78vXmo+wuqkFmyC5lAUZ3vUxU=";
vendorHash = "sha256-wOrYIhOrUxz22Ay2A26FTrPJA8YRgdRihP78Ls8VgNM=";
env.CGO_ENABLED = 0;
ldflags = [
"-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${finalAttrs.version}"
"-buildid=${finalAttrs.version}"
];
preFixup = ''
mv $out/bin/cmd $out/bin/pocket-id-backend
'';
};
preBuild = ''
cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist
'';
preFixup = ''
mv $out/bin/cmd $out/bin/pocket-id
'';
frontend = buildNpmPackage {
pname = "pocket-id-frontend";
@ -40,56 +42,27 @@ stdenvNoCC.mkDerivation (finalAttrs: {
sourceRoot = "${finalAttrs.src.name}/frontend";
npmDepsHash = "sha256-UjYAndueuJU07unbNFoTQHqRFkdyaBKHyT4k3Ex4pg0=";
npmDepsHash = "sha256-ykoyJtnqFK1fK60SbzrL7nhRcKYa3qYdHf9kFOC3EwE=";
npmFlags = [ "--legacy-peer-deps" ];
nativeBuildInputs = [
makeWrapper
];
env.BUILD_OUTPUT_PATH = "dist";
installPhase = ''
runHook preInstall
# even though vite build creates most of the minified js files,
# it still needs a few packages from node_modules, try to strip that
npm prune --omit=dev --omit=optional $npmFlags
# larger seemingly unused packages
rm -r node_modules/{lucide-svelte,jiti,@swc,.bin}
# unused file types
for pattern in '*.map' '*.map.js' '*.ts'; do
find . -type f -name "$pattern" -exec rm {} +
done
mkdir -p $out/{bin,lib/pocket-id-frontend}
cp -r build $out/lib/pocket-id-frontend/dist
cp -r node_modules $out/lib/pocket-id-frontend/node_modules
makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \
--add-flags $out/lib/pocket-id-frontend/dist/index.js
mkdir -p $out/lib/pocket-id-frontend
cp -r dist $out/lib/pocket-id-frontend/dist
runHook postInstall
'';
};
dontUnpack = true;
installPhase = ''
runHook preInstall
mkdir -p $out/bin
ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend
ln -s ${finalAttrs.frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend
runHook postInstall
'';
passthru = {
tests = {
inherit (nixosTests) pocket-id;
};
updateScript = nix-update-script {
extraArgs = [
"--subpackage"
"backend"
"--subpackage"
"frontend"
];
@ -101,6 +74,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
homepage = "https://pocket-id.org";
changelog = "https://github.com/pocket-id/pocket-id/releases/tag/v${finalAttrs.version}";
license = lib.licenses.bsd2;
mainProgram = "pocket-id";
maintainers = with lib.maintainers; [
gepbird
marcusramberg
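Review bot: `passthru.updateScript` (unchanged context in the `@ -40,56 +42,27 @@` hunk) still passes `--subpackage backend`, but the `backend = buildGoModule { ... }` attribute is removed by this commit and its `vendorHash` now lives on the top-level derivation, so nix-update would presumably look for a `pocket-id.backend` attribute that no longer exists. Suggest dropping the two entries `"--subpackage" "backend"` and keeping only `"--subpackage" "frontend"`, since `frontend` with its `npmDepsHash` is the only remaining sub-derivation. A one-line comment above `preBuild` would also help, e.g. `# the Go build consumes the prebuilt UI from frontend/dist, so it must be in place before buildPhase`; that the binary serves the UI itself is inferred from the removal of the frontend service in the module, so confirm against upstream before wording it more strongly.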