{,nixos/}pocket-id: 0.53.0 -> 1.1.0 (#411229)

2025-06-09 19:13:26 +03:00 · 2025-05-31 18:06:33 +02:00 · 2025-05-31 18:06:33 +02:00 · 7d26069e0d
commit 7d26069e0d
parent d313d94049 17db1b17e7
4 changed files with 68 additions and 139 deletions
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@ -25,6 +25,8 @@

 - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.

+- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
+
 - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.

 ## Other Notable Changes {#sec-release-25.11-notable-changes}
--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@ -7,12 +7,16 @@

 let
  inherit (lib)
+    concatMap
+    concatStringsSep
+    getExe
+    maintainers
    mkEnableOption
    mkIf
    mkOption
-    optionalAttrs
-    optional
    mkPackageOption
+    optional
+    optionalAttrs
    ;
  inherit (lib.types)
    bool
@ -27,7 +31,7 @@ let
  settingsFile = format.generate "pocket-id-env-vars" cfg.settings;
 in
 {
-  meta.maintainers = with lib.maintainers; [
+  meta.maintainers = with maintainers; [
    gepbird
    ymstnt
  ];
@ -56,7 +60,7 @@ in
        freeformType = format.type;

        options = {
-          PUBLIC_APP_URL = mkOption {
+          APP_URL = mkOption {
            type = str;
            description = ''
              The URL where you will access the app.
@ -71,6 +75,16 @@ in
            '';
            default = false;
          };
+
+          ANALYTICS_DISABLED = mkOption {
+            type = bool;
+            description = ''
+              Whether to disable analytics.
+
+              See [docs page](https://pocket-id.org/docs/configuration/analytics/).
+            '';
+            default = false;
+          };
        };
      };

@ -105,18 +119,36 @@ in
  };

  config = mkIf cfg.enable {
-    warnings = (
+    warnings =
      optional (cfg.settings ? MAXMIND_LICENSE_KEY)
        "config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
-    );
+      ++ concatMap
+        (
+          # Added 2025-05-27
+          setting:
+          optional (cfg.settings ? "${setting}") ''
+            config.services.pocket-id.settings.${setting} is deprecated.
+            See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions.
+          ''
+        )
+        [
+          "PUBLIC_APP_URL"
+          "PUBLIC_UI_CONFIG_DISABLED"
+          "CADDY_DISABLED"
+          "CADDY_PORT"
+          "BACKEND_PORT"
+          "POSTGRES_CONNECTION_STRING"
+          "SQLITE_DB_PATH"
+          "INTERNAL_BACKEND_URL"
+        ];

    systemd.tmpfiles.rules = [
      "d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
    ];

    systemd.services = {
-      pocket-id-backend = {
-        description = "Pocket ID backend";
+      pocket-id = {
+        description = "Pocket ID";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        restartTriggers = [
@ -130,7 +162,7 @@ in
          User = cfg.user;
          Group = cfg.group;
          WorkingDirectory = cfg.dataDir;
-          ExecStart = "${cfg.package}/bin/pocket-id-backend";
+          ExecStart = getExe cfg.package;
          Restart = "always";
          EnvironmentFile = [
            cfg.environmentFile
@ -169,7 +201,7 @@ in
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
-          SystemCallFilter = lib.concatStringsSep " " [
+          SystemCallFilter = concatStringsSep " " [
            "~"
            "@clock"
            "@cpu-emulation"
@ -186,80 +218,6 @@ in
          UMask = "0077";
        };
      };
-
-      pocket-id-frontend = {
-        description = "Pocket ID frontend";
-        after = [
-          "network.target"
-          "pocket-id-backend.service"
-        ];
-        wantedBy = [ "multi-user.target" ];
-        restartTriggers = [
-          cfg.package
-          cfg.environmentFile
-          settingsFile
-        ];
-
-        serviceConfig = {
-          Type = "simple";
-          User = cfg.user;
-          Group = cfg.group;
-          ExecStart = "${cfg.package}/bin/pocket-id-frontend";
-          Restart = "always";
-          EnvironmentFile = [
-            cfg.environmentFile
-            settingsFile
-          ];
-
-          # Hardening
-          AmbientCapabilities = "";
-          CapabilityBoundingSet = "";
-          DeviceAllow = "";
-          DevicePolicy = "closed";
-          #IPAddressDeny = "any"; # communicates with the backend and client
-          LockPersonality = true;
-          MemoryDenyWriteExecute = false; # V8_Fatal segfault
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateNetwork = false; # communicates with the backend and client
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProcSubset = "pid";
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectProc = "invisible";
-          ProtectSystem = "strict";
-          RemoveIPC = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = lib.concatStringsSep " " [
-            "~"
-            "@clock"
-            "@cpu-emulation"
-            "@debug"
-            "@module"
-            "@mount"
-            "@obsolete"
-            "@privileged"
-            "@raw-io"
-            "@reboot"
-            "@resources"
-            "@swap"
-          ];
-          UMask = "0077";
-        };
-      };
    };

    users.users = optionalAttrs (cfg.user == "pocket-id") {
--- a/nixos/tests/pocket-id.nix
+++ b/nixos/tests/pocket-id.nix
@ -15,8 +15,6 @@
          enable = true;
          settings = {
            PORT = 10001;
-            INTERNAL_BACKEND_URL = "http://localhost:10002";
-            BACKEND_PORT = 10002;
          };
        };
      };
@ -29,17 +27,14 @@
      inherit (builtins) toString;
    in
    ''
-      machine.wait_for_unit("pocket-id-backend.service")
-      machine.wait_for_open_port(${toString settings.BACKEND_PORT})
-      machine.wait_for_unit("pocket-id-frontend.service")
+      machine.wait_for_unit("pocket-id.service")
      machine.wait_for_open_port(${toString settings.PORT})

-      backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me")
+      backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
      assert backend_status == "401"
      machine.succeed("grep 'You are not signed in' /tmp/backend-output")

      frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
      assert frontend_status == "200"
-      machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
    '';
 }