From ab1ce1ea5b2d9d7b8b26eee15d62735d159ff9ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gutyina=20Gerg=C5=91?= Date: Tue, 27 May 2025 16:24:45 +0200 Subject: [PATCH 1/6] {,nixos/}pocket-id: 0.53.0 -> 1.0.0 This contains breaking changes, see https://pocket-id.org/docs/setup/migrate-to-v1/. The frontend now generates only static files and no longer includes a binary for serving them. The backend has taken over the responsibility of serving the static assets. Co-authored-by: ymstnt <21342713+YMSTNT@users.noreply.github.com> --- .../manual/release-notes/rl-2511.section.md | 2 + nixos/modules/services/security/pocket-id.nix | 99 +++++-------------- nixos/tests/pocket-id.nix | 7 +- pkgs/by-name/po/pocket-id/package.nix | 36 +++---- 4 files changed, 36 insertions(+), 108 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md index 21994daff24e..e2f4ad8a6266 100644 --- a/nixos/doc/manual/release-notes/rl-2511.section.md +++ b/nixos/doc/manual/release-notes/rl-2511.section.md @@ -20,6 +20,8 @@ - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream. +- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/). + - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes. ## Other Notable Changes {#sec-release-25.11-notable-changes} diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix index 87c13b638dcb..a551fffce9c0 100644 --- a/nixos/modules/services/security/pocket-id.nix +++ b/nixos/modules/services/security/pocket-id.nix 
@@ -13,6 +13,7 @@ let optionalAttrs optional mkPackageOption + concatMap ; inherit (lib.types) bool @@ -56,7 +57,7 @@ in freeformType = format.type; options = { - PUBLIC_APP_URL = mkOption { + APP_URL = mkOption { type = str; description = '' The URL where you will access the app. @@ -105,10 +106,28 @@ in }; config = mkIf cfg.enable { - warnings = ( + warnings = optional (cfg.settings ? MAXMIND_LICENSE_KEY) "config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead." - ); + ++ concatMap + ( + # Added 2025-05-27 + setting: + optional (cfg.settings ? "${setting}") '' + config.services.pocket-id.settings.${setting} is deprecated. + See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions. + '' + ) + [ + "PUBLIC_APP_URL" + "PUBLIC_UI_CONFIG_DISABLED" + "CADDY_DISABLED" + "CADDY_PORT" + "BACKEND_PORT" + "POSTGRES_CONNECTION_STRING" + "SQLITE_DB_PATH" + "INTERNAL_BACKEND_URL" + ]; systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}" 
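Review bot: The deprecation warning for `PUBLIC_APP_URL` in the new `concatMap` block may never be reached by the configurations it is meant for, because the `@@ -56,7 +57,7 @@` hunk renames the declared option to `APP_URL`; if `APP_URL` keeps no default (its definition continues outside that hunk), a config that still only sets `PUBLIC_APP_URL` fails evaluation on the undefined `APP_URL` before any warning is printed. Since `settings` is a submodule (`freeformType = format.type;`), the rename can be carried over inside it with `imports = [ (lib.mkRenamedOptionModule [ "PUBLIC_APP_URL" ] [ "APP_URL" ]) ];` placed next to `freeformType`, which migrates the value and still emits a rename warning; the other names in the list are removed rather than renamed, so the plain warning fits them. As a point of style, the interpolation in `cfg.settings ? "${setting}"` is redundant and reads more naturally as `cfg.settings ? ${setting}`. The `# Added 2025-05-27` marker would be easier to find above the `++ concatMap` line than inside the lambda.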
@@ -186,80 +205,6 @@ in UMask = "0077"; }; }; - - pocket-id-frontend = { - description = "Pocket ID frontend"; - after = [ - "network.target" - "pocket-id-backend.service" - ]; - wantedBy = [ "multi-user.target" ]; - restartTriggers = [ - cfg.package - cfg.environmentFile - settingsFile - ]; - - serviceConfig = { - Type = "simple"; - User = cfg.user; - Group = cfg.group; - ExecStart = "${cfg.package}/bin/pocket-id-frontend"; - Restart = "always"; - EnvironmentFile = [ - cfg.environmentFile - settingsFile - ]; - - # Hardening - AmbientCapabilities = ""; - CapabilityBoundingSet = ""; - DeviceAllow = ""; - DevicePolicy = "closed"; - #IPAddressDeny = "any"; # communicates with the backend and client - LockPersonality = true; - MemoryDenyWriteExecute = false; # V8_Fatal segfault - NoNewPrivileges = true; - PrivateDevices = true; - PrivateNetwork = false; # communicates with the backend and client - PrivateTmp = true; - PrivateUsers = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = lib.concatStringsSep " " [ - "~" - "@clock" - "@cpu-emulation" - "@debug" - "@module" - "@mount" - "@obsolete" - "@privileged" - "@raw-io" - "@reboot" - "@resources" - "@swap" - ]; - UMask = "0077"; - }; - }; }; users.users = optionalAttrs (cfg.user == "pocket-id") { diff --git a/nixos/tests/pocket-id.nix b/nixos/tests/pocket-id.nix index 830ba3e8c760..4b835c32caa9 100644 --- a/nixos/tests/pocket-id.nix +++ b/nixos/tests/pocket-id.nix 
@@ -15,8 +15,6 @@ enable = true; settings = { PORT = 10001; - INTERNAL_BACKEND_URL = "http://localhost:10002"; - BACKEND_PORT = 10002; }; }; }; @@ -30,16 +28,13 @@ in '' machine.wait_for_unit("pocket-id-backend.service") - machine.wait_for_open_port(${toString settings.BACKEND_PORT}) - machine.wait_for_unit("pocket-id-frontend.service") machine.wait_for_open_port(${toString settings.PORT}) - backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me") + backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me") assert backend_status == "401" machine.succeed("grep 'You are not signed in' /tmp/backend-output") frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}") assert frontend_status == "200" - machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output") ''; } diff --git a/pkgs/by-name/po/pocket-id/package.nix b/pkgs/by-name/po/pocket-id/package.nix index 5f7d9c9b9922..dcbca10bcad0 100644 --- a/pkgs/by-name/po/pocket-id/package.nix +++ b/pkgs/by-name/po/pocket-id/package.nix @@ -3,8 +3,6 @@ fetchFromGitHub, buildGoModule, buildNpmPackage, - makeWrapper, - nodejs, stdenvNoCC, nixosTests, nix-update-script, @@ -12,13 +10,13 @@ stdenvNoCC.mkDerivation (finalAttrs: { pname = "pocket-id"; - version = "0.53.0"; + version = "1.0.0"; src = fetchFromGitHub { owner = "pocket-id"; repo = "pocket-id"; tag = "v${finalAttrs.version}"; - hash = "sha256-3lW4jPh9YElgpBcIooGQ2zZbNwC/rz7CABsp7ScTxyQ="; + hash = "sha256-cHPG4KZgfLuEDzLJ9dV4PRUlqWjd7Ji3480lrFwK6Ds="; }; backend = buildGoModule { 
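Review bot: With `machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")` removed, `frontend_status == "200"` is the only check left that the backend actually serves the embedded frontend, and a 200 on `/` no longer shows that an HTML page came back rather than an API fallback or an empty body. Presumably the marker string changed in 1.0.0; a looser content check keeps the coverage without depending on wording, e.g. `machine.succeed("grep -qi '<html' /tmp/frontend-output")`, or asserting on the returned media type with `-w '%{content_type}'`. Both `backend_status` and `frontend_status` now query the same `settings.PORT`, so names such as `api_status` and `index_status` would describe what each request tests better than the old backend/frontend split.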
@@ -27,7 +25,11 @@ stdenvNoCC.mkDerivation (finalAttrs: { sourceRoot = "${finalAttrs.src.name}/backend"; - vendorHash = "sha256-wOrYIhOrUxz22Ay2A26FTrPJA8YRgdRihP78Ls8VgNM="; + vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8="; + + preBuild = '' + cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist + ''; preFixup = '' mv $out/bin/cmd $out/bin/pocket-id-backend @@ -40,31 +42,16 @@ stdenvNoCC.mkDerivation (finalAttrs: { sourceRoot = "${finalAttrs.src.name}/frontend"; - npmDepsHash = "sha256-UjYAndueuJU07unbNFoTQHqRFkdyaBKHyT4k3Ex4pg0="; + npmDepsHash = "sha256-ykoyJtnqFK1fK60SbzrL7nhRcKYa3qYdHf9kFOC3EwE="; npmFlags = [ "--legacy-peer-deps" ]; - nativeBuildInputs = [ - makeWrapper - ]; + env.BUILD_OUTPUT_PATH = "dist"; installPhase = '' runHook preInstall - # even though vite build creates most of the minified js files, - # it still needs a few packages from node_modules, try to strip that - npm prune --omit=dev --omit=optional $npmFlags - # larger seemingly unused packages - rm -r node_modules/{lucide-svelte,jiti,@swc,.bin} - # unused file types - for pattern in '*.map' '*.map.js' '*.ts'; do - find . -type f -name "$pattern" -exec rm {} + - done - - mkdir -p $out/{bin,lib/pocket-id-frontend} - cp -r build $out/lib/pocket-id-frontend/dist - cp -r node_modules $out/lib/pocket-id-frontend/node_modules - makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \ - --add-flags $out/lib/pocket-id-frontend/dist/index.js + mkdir -p $out/lib/pocket-id-frontend + cp -r dist $out/lib/pocket-id-frontend/dist runHook postInstall ''; @@ -77,7 +64,6 @@ stdenvNoCC.mkDerivation (finalAttrs: { mkdir -p $out/bin ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend - ln -s ${finalAttrs.frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend runHook postInstall ''; From cf7ece2830e068ef642c50524bbad0cef4766c70 Mon Sep 17 00:00:00 2001 
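Review bot: `cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist` in the new `preBuild` nests the copy as `frontend/dist/dist` if `frontend/dist` already exists in the checkout (a placeholder directory is common when the Go side embeds a generated tree), and files copied from the store keep their read-only mode bits. Making the destination explicit avoids both: `rm -rf frontend/dist` followed by `cp -r --no-preserve=mode ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist`. Whether the backend checkout ships such a placeholder I cannot tell from the hunk, so this is worth a build-log check; the same line is moved into the main derivation in patch 2 (`@@ -19,22 +18,17 @@` of pkgs/by-name/po/pocket-id/package.nix), where the same change applies. A one-line comment above it, `# presumably the Go build embeds the built frontend from frontend/dist — confirm against upstream`, would document why a Go package copies npm output before building.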
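Review bot: The new `installPhase` copies `dist` wholesale, whereas the removed block deleted `*.map`, `*.map.js` and `*.ts` files before installing; if the Vite build still emits source maps or type declarations into `dist`, they now end up inside the backend binary and are served to every visitor, which is mainly a size and information-exposure concern rather than a break. If that is the case, `find dist -type f \( -name '*.map' -o -name '*.map.js' -o -name '*.ts' \) -delete` before the `cp -r` restores the previous cleanup. `env.BUILD_OUTPUT_PATH = "dist"` is undocumented and must agree with the path copied in the backend's `preBuild`; a comment such as `# presumably read by the frontend build config; must match the dist path copied in preBuild` would tie the two together.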
From: =?UTF-8?q?Gutyina=20Gerg=C5=91?= Date: Tue, 27 May 2025 16:25:46 +0200 Subject: [PATCH 2/6] {,nixos/}pocket-id: make pocket-id-backend subpackage the main package --- nixos/modules/services/security/pocket-id.nix | 6 +-- nixos/tests/pocket-id.nix | 2 +- pkgs/by-name/po/pocket-id/package.nix | 38 +++++-------------- 3 files changed, 14 insertions(+), 32 deletions(-) diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix index a551fffce9c0..c98c7e47023b 100644 --- a/nixos/modules/services/security/pocket-id.nix +++ b/nixos/modules/services/security/pocket-id.nix @@ -134,8 +134,8 @@ in ]; systemd.services = { - pocket-id-backend = { - description = "Pocket ID backend"; + pocket-id = { + description = "Pocket ID"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; restartTriggers = [ @@ -149,7 +149,7 @@ in User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.dataDir; - ExecStart = "${cfg.package}/bin/pocket-id-backend"; + ExecStart = "${cfg.package}/bin/pocket-id"; Restart = "always"; EnvironmentFile = [ cfg.environmentFile diff --git a/nixos/tests/pocket-id.nix b/nixos/tests/pocket-id.nix index 4b835c32caa9..c00ed1f497a6 100644 --- a/nixos/tests/pocket-id.nix +++ b/nixos/tests/pocket-id.nix @@ -27,7 +27,7 @@ inherit (builtins) toString; in '' - machine.wait_for_unit("pocket-id-backend.service") + machine.wait_for_unit("pocket-id.service") machine.wait_for_open_port(${toString settings.PORT}) backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me") diff --git a/pkgs/by-name/po/pocket-id/package.nix b/pkgs/by-name/po/pocket-id/package.nix index dcbca10bcad0..b951fdcee1be 100644 --- a/pkgs/by-name/po/pocket-id/package.nix +++ b/pkgs/by-name/po/pocket-id/package.nix 
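Review bot: Renaming the unit from `pocket-id-backend` to `pocket-id` without any alias means an existing `systemd.services.pocket-id-backend.*` override in a user configuration (hardening tweaks, `after`, resource limits) silently defines a stray unit instead of applying to the service, and anything referring to `pocket-id-backend.service` stops working. The release note added in patch 1 only mentions environment variables; it should also name the unit rename so the change is not discovered from a dead override. If evaluation order permits, a warning beside the deprecation warnings would catch the common case, e.g. `++ optional (config.systemd.services ? pocket-id-backend) "systemd.services.pocket-id-backend is no longer used by services.pocket-id; the unit is now pocket-id.service."`. The rest of the unit definition (`restartTriggers`, `serviceConfig`) continues outside the hunk.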
@@ -3,12 +3,11 @@ fetchFromGitHub, buildGoModule, buildNpmPackage, - stdenvNoCC, nixosTests, nix-update-script, }: -stdenvNoCC.mkDerivation (finalAttrs: { +buildGoModule (finalAttrs: { pname = "pocket-id"; version = "1.0.0"; @@ -19,22 +18,17 @@ stdenvNoCC.mkDerivation (finalAttrs: { hash = "sha256-cHPG4KZgfLuEDzLJ9dV4PRUlqWjd7Ji3480lrFwK6Ds="; }; - backend = buildGoModule { - pname = "pocket-id-backend"; - inherit (finalAttrs) version src; + sourceRoot = "${finalAttrs.src.name}/backend"; - sourceRoot = "${finalAttrs.src.name}/backend"; + vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8="; - vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8="; + preBuild = '' + cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist + ''; - preBuild = '' - cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist - ''; - - preFixup = '' - mv $out/bin/cmd $out/bin/pocket-id-backend - ''; - }; + preFixup = '' + mv $out/bin/cmd $out/bin/pocket-id + ''; frontend = buildNpmPackage { pname = "pocket-id-frontend"; @@ -57,25 +51,12 @@ stdenvNoCC.mkDerivation (finalAttrs: { ''; }; - dontUnpack = true; - - installPhase = '' - runHook preInstall - - mkdir -p $out/bin - ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend - - runHook postInstall - ''; - passthru = { tests = { inherit (nixosTests) pocket-id; }; updateScript = nix-update-script { extraArgs = [ - "--subpackage" - "backend" "--subpackage" "frontend" ]; @@ -87,6 +68,7 @@ stdenvNoCC.mkDerivation (finalAttrs: { homepage = "https://pocket-id.org"; changelog = "https://github.com/pocket-id/pocket-id/releases/tag/v${finalAttrs.version}"; license = lib.licenses.bsd2; + mainProgram = "pocket-id"; maintainers = with lib.maintainers; [ gepbird marcusramberg From fd9611949fa9ebf9ac3f44c1b92d1d4a5b601caa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gutyina=20Gerg=C5=91?= Date: Mon, 26 May 2025 23:53:08 +0200 Subject: [PATCH 3/6] nixos/pocket-id: refactor --- nixos/modules/services/security/pocket-id.nix | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix index c98c7e47023b..939f0d5762e9 100644 --- a/nixos/modules/services/security/pocket-id.nix +++ b/nixos/modules/services/security/pocket-id.nix @@ -7,13 +7,16 @@ let inherit (lib) + concatMap + concatStringsSep + getExe + maintainers mkEnableOption mkIf mkOption - optionalAttrs - optional mkPackageOption - concatMap + optional + optionalAttrs ; inherit (lib.types) bool @@ -28,7 +31,7 @@ let settingsFile = format.generate "pocket-id-env-vars" cfg.settings; in { - meta.maintainers = with lib.maintainers; [ + meta.maintainers = with maintainers; [ gepbird ymstnt ]; @@ -149,7 +152,7 @@ in User = cfg.user; Group = cfg.group; WorkingDirectory = cfg.dataDir; - ExecStart = "${cfg.package}/bin/pocket-id"; + ExecStart = getExe cfg.package; Restart = "always"; EnvironmentFile = [ cfg.environmentFile @@ -188,7 +191,7 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = lib.concatStringsSep " " [ + SystemCallFilter = concatStringsSep " " [ "~" "@clock" "@cpu-emulation" From af5e55c43dcf58151a31c56b9324dbf283ea871b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gutyina=20Gerg=C5=91?= Date: Mon, 26 May 2025 21:56:05 +0200 Subject: [PATCH 4/6] pocket-id: match upstream go build config --- pkgs/by-name/po/pocket-id/package.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/by-name/po/pocket-id/package.nix b/pkgs/by-name/po/pocket-id/package.nix index b951fdcee1be..7e869d7a2200 100644 --- a/pkgs/by-name/po/pocket-id/package.nix +++ b/pkgs/by-name/po/pocket-id/package.nix 
@@ -22,6 +22,12 @@ buildGoModule (finalAttrs: { vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8="; + env.CGO_ENABLED = 0; + ldflags = [ + "-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${finalAttrs.version}" + "-buildid=${finalAttrs.version}" + ]; + preBuild = '' cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist ''; From b2f4a19872152ba5594390b88ab4ee8bd4552f1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gutyina=20Gerg=C5=91?= Date: Fri, 30 May 2025 12:24:46 +0000 Subject: [PATCH 5/6] pocket-id: 1.0.0 -> 1.1.0 --- pkgs/by-name/po/pocket-id/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/po/pocket-id/package.nix b/pkgs/by-name/po/pocket-id/package.nix index 7e869d7a2200..abd96cd6c227 100644 --- a/pkgs/by-name/po/pocket-id/package.nix +++ b/pkgs/by-name/po/pocket-id/package.nix @@ -9,18 +9,18 @@ buildGoModule (finalAttrs: { pname = "pocket-id"; - version = "1.0.0"; + version = "1.1.0"; src = fetchFromGitHub { owner = "pocket-id"; repo = "pocket-id"; tag = "v${finalAttrs.version}"; - hash = "sha256-cHPG4KZgfLuEDzLJ9dV4PRUlqWjd7Ji3480lrFwK6Ds="; + hash = "sha256-J/s8wpKAU7w8Djtd7rtamCzg/7176W0ybSoAB/vHOjs="; }; sourceRoot = "${finalAttrs.src.name}/backend"; - vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8="; + vendorHash = "sha256-jLwuBYiFZhUDIvG5uk78vXmo+wuqkFmyC5lAUZ3vUxU="; env.CGO_ENABLED = 0; ldflags = [ From 17db1b17e7615b10ecce00c9b1051b14feec6cee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gutyina=20Gerg=C5=91?= Date: Sat, 31 May 2025 12:44:55 +0200 Subject: [PATCH 6/6] nixos/pocket-id: add option to disable analytics Co-authored-by: ymstnt <21342713+YMSTNT@users.noreply.github.com> --- nixos/modules/services/security/pocket-id.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix index 939f0d5762e9..62259a7959a4 100644 
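Review bot: The new `env.CGO_ENABLED = 0;` and `ldflags` entries carry no explanation of where they come from, and the commit title is the only hint that they mirror upstream. A comment such as `# keep in sync with upstream's build flags (see <UPSTREAM_BUILD_FILE>)` above `env.CGO_ENABLED` would let the next updater re-check them when the version changes. Two things worth confirming from upstream rather than from this hunk: with cgo disabled the backend's default SQLite database must be backed by a pure-Go driver, and `-buildid=${finalAttrs.version}` replaces Go's content-derived build ID with a value that is identical across rebuilds of the same version with different vendored dependencies, which is fine for reproducibility but means the build ID no longer distinguishes them.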
--- a/nixos/modules/services/security/pocket-id.nix +++ b/nixos/modules/services/security/pocket-id.nix @@ -75,6 +75,16 @@ in ''; default = false; }; + + ANALYTICS_DISABLED = mkOption { + type = bool; + description = '' + Whether to disable analytics. + + See [docs page](https://pocket-id.org/docs/configuration/analytics/). + ''; + default = false; + }; }; };
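Review bot: `ANALYTICS_DISABLED` defaults to `false`, so every NixOS deployment that leaves it unset keeps upstream's usage analytics switched on; for a self-hosted identity provider the conservative choice is to make reporting opt-in, i.e. `default = true;`. If parity with upstream's default is preferred instead, the description should at least state that the default sends usage data to upstream so the trade-off is visible in the option docs. The one-line `Whether to disable analytics.` could then read `Whether to disable sending usage analytics to upstream (enabled by default).`; I cannot verify from the hunk what is collected, so the linked docs page remains the reference for that. The closing braces in the trailing context belong to the `settings` submodule declared outside the hunk.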