diff --git a/nixos/doc/manual/release-notes/rl-2511.section.md b/nixos/doc/manual/release-notes/rl-2511.section.md
index 21994daff24e..e2f4ad8a6266 100644
--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -20,6 +20,8 @@
 - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
+- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
+
 - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.
 ## Other Notable Changes {#sec-release-25.11-notable-changes}
diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix
index 87c13b638dcb..a551fffce9c0 100644
--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@@ -13,6 +13,7 @@ let
 optionalAttrs
 optional
 mkPackageOption
+ concatMap
 ;
 inherit (lib.types)
 bool
@@ -56,7 +57,7 @@ in
 freeformType = format.type;
 options = {
- PUBLIC_APP_URL = mkOption {
+ APP_URL = mkOption {
 type = str;
 description = ''
 The URL where you will access the app.
@@ -105,10 +106,28 @@ in }; config = mkIf cfg.enable { - warnings = ( + warnings = optional (cfg.settings ? MAXMIND_LICENSE_KEY) "config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead." - ); + ++ concatMap + ( + # Added 2025-05-27 + setting: + optional (cfg.settings ? "${setting}") '' + config.services.pocket-id.settings.${setting} is deprecated. + See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions. + '' + ) + [ + "PUBLIC_APP_URL" + "PUBLIC_UI_CONFIG_DISABLED" + "CADDY_DISABLED" + "CADDY_PORT" + "BACKEND_PORT" + "POSTGRES_CONNECTION_STRING" + "SQLITE_DB_PATH" + "INTERNAL_BACKEND_URL" + ]; systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}" 
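Review bot: The plaintext-in-store warning kept on the new side still names only MAXMIND_LICENSE_KEY, while the deprecation list added directly below it shows that POSTGRES_CONNECTION_STRING is also accepted through `cfg.settings`; a connection string carrying a password set there goes into the same settings file (in the Nix store, per the existing warning's own wording) and only earns a deprecation notice. Consider giving it the same treatment, e.g. `++ optional (cfg.settings ? POSTGRES_CONNECTION_STRING) "config.services.pocket-id.settings.POSTGRES_CONNECTION_STRING may contain credentials and will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."`, and likewise for whichever 1.0 key the migration guide names as its replacement. As a point of style, `cfg.settings ? "${setting}"` reads more directly as `builtins.hasAttr setting cfg.settings`. The definition of settingsFile and the rest of the config block are outside this hunk.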
@@ -186,80 +205,6 @@ in
 UMask = "0077";
 };
 };
-
- pocket-id-frontend = {
- description = "Pocket ID frontend";
- after = [
- "network.target"
- "pocket-id-backend.service"
- ];
- wantedBy = [ "multi-user.target" ];
- restartTriggers = [
- cfg.package
- cfg.environmentFile
- settingsFile
- ];
-
- serviceConfig = {
- Type = "simple";
- User = cfg.user;
- Group = cfg.group;
- ExecStart = "${cfg.package}/bin/pocket-id-frontend";
- Restart = "always";
- EnvironmentFile = [
- cfg.environmentFile
- settingsFile
- ];
-
- # Hardening
- AmbientCapabilities = "";
- CapabilityBoundingSet = "";
- DeviceAllow = "";
- DevicePolicy = "closed";
- #IPAddressDeny = "any"; # communicates with the backend and client
- LockPersonality = true;
- MemoryDenyWriteExecute = false; # V8_Fatal segfault
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateNetwork = false; # communicates with the backend and client
- PrivateTmp = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = lib.concatStringsSep " " [
- "~"
- "@clock"
- "@cpu-emulation"
- "@debug"
- "@module"
- "@mount"
- "@obsolete"
- "@privileged"
- "@raw-io"
- "@reboot"
- "@resources"
- "@swap"
- ];
- UMask = "0077";
- };
- };
 };
 users.users = optionalAttrs (cfg.user == "pocket-id") {
diff --git a/nixos/tests/pocket-id.nix b/nixos/tests/pocket-id.nix
index 830ba3e8c760..4b835c32caa9 100644
--- a/nixos/tests/pocket-id.nix
+++ b/nixos/tests/pocket-id.nix
@@ -15,8 +15,6 @@
 enable = true;
 settings = {
 PORT = 10001;
- INTERNAL_BACKEND_URL = "http://localhost:10002";
- BACKEND_PORT = 10002;
 };
 };
 };
@@ -30,16 +28,13 @@ in
 ''
 machine.wait_for_unit("pocket-id-backend.service")
- machine.wait_for_open_port(${toString settings.BACKEND_PORT})
- machine.wait_for_unit("pocket-id-frontend.service")
 machine.wait_for_open_port(${toString settings.PORT})
- backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me")
+ backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
 assert backend_status == "401"
 machine.succeed("grep 'You are not signed in' /tmp/backend-output")
 frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
 assert frontend_status == "200"
- machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
 '';
 }
diff --git a/pkgs/by-name/po/pocket-id/package.nix b/pkgs/by-name/po/pocket-id/package.nix
index 5f7d9c9b9922..dcbca10bcad0 100644
--- a/pkgs/by-name/po/pocket-id/package.nix
+++ b/pkgs/by-name/po/pocket-id/package.nix
@@ -3,8 +3,6 @@
 fetchFromGitHub,
 buildGoModule,
 buildNpmPackage,
- makeWrapper,
- nodejs,
 stdenvNoCC,
 nixosTests,
 nix-update-script,
@@ -12,13 +10,13 @@ stdenvNoCC.mkDerivation (finalAttrs: {
 pname = "pocket-id";
- version = "0.53.0";
+ version = "1.0.0";
 src = fetchFromGitHub {
 owner = "pocket-id";
 repo = "pocket-id";
 tag = "v${finalAttrs.version}";
- hash = "sha256-3lW4jPh9YElgpBcIooGQ2zZbNwC/rz7CABsp7ScTxyQ=";
+ hash = "sha256-cHPG4KZgfLuEDzLJ9dV4PRUlqWjd7Ji3480lrFwK6Ds=";
 };
 backend = buildGoModule {
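Review bot: Removing `machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")` in the testScript hunk leaves the frontend check asserting only that `/` answers 200, which a fallback page or an empty index from the single remaining backend process would satisfy just as well, so the test no longer shows that the embedded frontend is actually shipped and served. If the 1.0 login page simply no longer contains that phrase, replace the grep with a marker that is present in the 1.0 build, e.g. `machine.succeed("grep '<FRONTEND_MARKER_FROM_1_0_INDEX>' /tmp/frontend-output")` (placeholder to be filled from the built dist), rather than dropping the assertion. The backend request keeps its `You are not signed in` grep, so the two checks are otherwise consistent now that both hit `settings.PORT`.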
@@ -27,7 +25,11 @@ stdenvNoCC.mkDerivation (finalAttrs: { sourceRoot = "${finalAttrs.src.name}/backend"; - vendorHash = "sha256-wOrYIhOrUxz22Ay2A26FTrPJA8YRgdRihP78Ls8VgNM="; + vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8="; + + preBuild = '' + cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist + ''; preFixup = '' mv $out/bin/cmd $out/bin/pocket-id-backend @@ -40,31 +42,16 @@ stdenvNoCC.mkDerivation (finalAttrs: { sourceRoot = "${finalAttrs.src.name}/frontend"; - npmDepsHash = "sha256-UjYAndueuJU07unbNFoTQHqRFkdyaBKHyT4k3Ex4pg0="; + npmDepsHash = "sha256-ykoyJtnqFK1fK60SbzrL7nhRcKYa3qYdHf9kFOC3EwE="; npmFlags = [ "--legacy-peer-deps" ]; - nativeBuildInputs = [ - makeWrapper - ]; + env.BUILD_OUTPUT_PATH = "dist"; installPhase = '' runHook preInstall - # even though vite build creates most of the minified js files, - # it still needs a few packages from node_modules, try to strip that - npm prune --omit=dev --omit=optional $npmFlags - # larger seemingly unused packages - rm -r node_modules/{lucide-svelte,jiti,@swc,.bin} - # unused file types - for pattern in '*.map' '*.map.js' '*.ts'; do - find . -type f -name "$pattern" -exec rm {} + - done - - mkdir -p $out/{bin,lib/pocket-id-frontend} - cp -r build $out/lib/pocket-id-frontend/dist - cp -r node_modules $out/lib/pocket-id-frontend/node_modules - makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \ - --add-flags $out/lib/pocket-id-frontend/dist/index.js + mkdir -p $out/lib/pocket-id-frontend + cp -r dist $out/lib/pocket-id-frontend/dist runHook postInstall ''; @@ -77,7 +64,6 @@ stdenvNoCC.mkDerivation (finalAttrs: { mkdir -p $out/bin ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend - ln -s ${finalAttrs.frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend runHook postInstall '';
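Review bot: The new installPhase in the `@@ -40,31 +42,16 @@` hunk copies `dist` wholesale, whereas the removed lines explicitly deleted `*.map`, `*.map.js` and `*.ts` files before install; if the vite build still emits sourcemaps into `dist`, they are now installed, picked up by the `preBuild` copy in the first hunk, embedded into the backend binary and presumably served next to the app. Unless the upstream 1.0 build config is known to disable sourcemaps, keep a filtered copy, e.g. `find dist -type f \( -name '*.map' -o -name '*.map.js' -o -name '*.ts' \) -delete` immediately before `cp -r dist $out/lib/pocket-id-frontend/dist`, or note in a comment why no filtering is needed. Whether `env.BUILD_OUTPUT_PATH` is honoured by the upstream build and what ends up in `dist` cannot be confirmed from this diff.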