movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

{,nixos/}pocket-id: 0.53.0 -> 1.0.0

Browse source 
This contains breaking changes, see https://pocket-id.org/docs/setup/migrate-to-v1/.

The frontend now generates only static files and no longer includes a
binary for serving them. The backend has taken over the responsibility
of serving the static assets.

Co-authored-by: ymstnt <21342713+YMSTNT@users.noreply.github.com>
This commit is contained in:
Gutyina Gergő 2025-05-27 16:24:45 +02:00
parent 6783cdd317
commit ab1ce1ea5b
No known key found for this signature in database
4 changed files with 36 additions and 108 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2511.section.md
View file

@ -20,6 +20,8 @@
- The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream. - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
- `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes. - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.
## Other Notable Changes {#sec-release-25.11-notable-changes} ## Other Notable Changes {#sec-release-25.11-notable-changes}

99
nixos/modules/services/security/pocket-id.nix
View file

@ -13,6 +13,7 @@ let
optionalAttrs optionalAttrs
optional optional
mkPackageOption mkPackageOption
concatMap
; ;
inherit (lib.types) inherit (lib.types)
bool bool
@ -56,7 +57,7 @@ in
freeformType = format.type; freeformType = format.type;
options = { options = {
PUBLIC_APP_URL = mkOption { APP_URL = mkOption {
type = str; type = str;
description = '' description = ''
The URL where you will access the app. The URL where you will access the app.
@ -105,10 +106,28 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
warnings = ( warnings =
optional (cfg.settings ? MAXMIND_LICENSE_KEY) optional (cfg.settings ? MAXMIND_LICENSE_KEY)
"config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead." "config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
); ++ concatMap
(
# Added 2025-05-27
setting:
optional (cfg.settings ? "${setting}") ''
config.services.pocket-id.settings.${setting} is deprecated.
See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions.
''
)
[
"PUBLIC_APP_URL"
"PUBLIC_UI_CONFIG_DISABLED"
"CADDY_DISABLED"
"CADDY_PORT"
"BACKEND_PORT"
"POSTGRES_CONNECTION_STRING"
"SQLITE_DB_PATH"
"INTERNAL_BACKEND_URL"
];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}" "d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
@ -186,80 +205,6 @@ in
UMask = "0077"; UMask = "0077";
}; };
}; };
pocket-id-frontend = {
description = "Pocket ID frontend";
after = [
"network.target"
"pocket-id-backend.service"
];
wantedBy = [ "multi-user.target" ];
restartTriggers = [
cfg.package
cfg.environmentFile
settingsFile
];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/pocket-id-frontend";
Restart = "always";
EnvironmentFile = [
cfg.environmentFile
settingsFile
];
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
DevicePolicy = "closed";
#IPAddressDeny = "any"; # communicates with the backend and client
LockPersonality = true;
MemoryDenyWriteExecute = false; # V8_Fatal segfault
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = false; # communicates with the backend and client
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = lib.concatStringsSep " " [
"~"
"@clock"
"@cpu-emulation"
"@debug"
"@module"
"@mount"
"@obsolete"
"@privileged"
"@raw-io"
"@reboot"
"@resources"
"@swap"
];
UMask = "0077";
};
};
}; };
users.users = optionalAttrs (cfg.user == "pocket-id") { users.users = optionalAttrs (cfg.user == "pocket-id") {

7
nixos/tests/pocket-id.nix
View file

@ -15,8 +15,6 @@
enable = true; enable = true;
settings = { settings = {
PORT = 10001; PORT = 10001;
INTERNAL_BACKEND_URL = "http://localhost:10002";
BACKEND_PORT = 10002;
}; };
}; };
}; };
@ -30,16 +28,13 @@
in in
'' ''
machine.wait_for_unit("pocket-id-backend.service") machine.wait_for_unit("pocket-id-backend.service")
machine.wait_for_open_port(${toString settings.BACKEND_PORT})
machine.wait_for_unit("pocket-id-frontend.service")
machine.wait_for_open_port(${toString settings.PORT}) machine.wait_for_open_port(${toString settings.PORT})
backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me") backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
assert backend_status == "401" assert backend_status == "401"
machine.succeed("grep 'You are not signed in' /tmp/backend-output") machine.succeed("grep 'You are not signed in' /tmp/backend-output")
frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}") frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
assert frontend_status == "200" assert frontend_status == "200"
machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
''; '';
} }

36
pkgs/by-name/po/pocket-id/package.nix
View file

@ -3,8 +3,6 @@
fetchFromGitHub, fetchFromGitHub,
buildGoModule, buildGoModule,
buildNpmPackage, buildNpmPackage,
makeWrapper,
nodejs,
stdenvNoCC, stdenvNoCC,
nixosTests, nixosTests,
nix-update-script, nix-update-script,
@ -12,13 +10,13 @@
stdenvNoCC.mkDerivation (finalAttrs: { stdenvNoCC.mkDerivation (finalAttrs: {
pname = "pocket-id"; pname = "pocket-id";
version = "0.53.0"; version = "1.0.0";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "pocket-id"; owner = "pocket-id";
repo = "pocket-id"; repo = "pocket-id";
tag = "v${finalAttrs.version}"; tag = "v${finalAttrs.version}";
hash = "sha256-3lW4jPh9YElgpBcIooGQ2zZbNwC/rz7CABsp7ScTxyQ="; hash = "sha256-cHPG4KZgfLuEDzLJ9dV4PRUlqWjd7Ji3480lrFwK6Ds=";
}; };
backend = buildGoModule { backend = buildGoModule {
@ -27,7 +25,11 @@ stdenvNoCC.mkDerivation (finalAttrs: {
sourceRoot = "${finalAttrs.src.name}/backend"; sourceRoot = "${finalAttrs.src.name}/backend";
vendorHash = "sha256-wOrYIhOrUxz22Ay2A26FTrPJA8YRgdRihP78Ls8VgNM="; vendorHash = "sha256-82kdx9ihJgqMCiUjZTONGa1nCZoxKltw8mpF0KoOdT8=";
preBuild = ''
cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist
'';
preFixup = '' preFixup = ''
mv $out/bin/cmd $out/bin/pocket-id-backend mv $out/bin/cmd $out/bin/pocket-id-backend
@ -40,31 +42,16 @@ stdenvNoCC.mkDerivation (finalAttrs: {
sourceRoot = "${finalAttrs.src.name}/frontend"; sourceRoot = "${finalAttrs.src.name}/frontend";
npmDepsHash = "sha256-UjYAndueuJU07unbNFoTQHqRFkdyaBKHyT4k3Ex4pg0="; npmDepsHash = "sha256-ykoyJtnqFK1fK60SbzrL7nhRcKYa3qYdHf9kFOC3EwE=";
npmFlags = [ "--legacy-peer-deps" ]; npmFlags = [ "--legacy-peer-deps" ];
nativeBuildInputs = [ env.BUILD_OUTPUT_PATH = "dist";
makeWrapper
];
installPhase = '' installPhase = ''
runHook preInstall runHook preInstall
# even though vite build creates most of the minified js files, mkdir -p $out/lib/pocket-id-frontend
# it still needs a few packages from node_modules, try to strip that cp -r dist $out/lib/pocket-id-frontend/dist
npm prune --omit=dev --omit=optional $npmFlags
# larger seemingly unused packages
rm -r node_modules/{lucide-svelte,jiti,@swc,.bin}
# unused file types
for pattern in '*.map' '*.map.js' '*.ts'; do
find . -type f -name "$pattern" -exec rm {} +
done
mkdir -p $out/{bin,lib/pocket-id-frontend}
cp -r build $out/lib/pocket-id-frontend/dist
cp -r node_modules $out/lib/pocket-id-frontend/node_modules
makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \
--add-flags $out/lib/pocket-id-frontend/dist/index.js
runHook postInstall runHook postInstall
''; '';
@ -77,7 +64,6 @@ stdenvNoCC.mkDerivation (finalAttrs: {
mkdir -p $out/bin mkdir -p $out/bin
ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend
ln -s ${finalAttrs.frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend
runHook postInstall runHook postInstall
''; '';