Merge pull request #293210 from onny/eintopf

nixos/eintopf: init; eintopf: init at 0.13.16
2025-06-14 13:39:15 +03:00 · 2024-07-05 13:12:59 +02:00 · 2024-07-05 13:12:59 +02:00 · e97d5eb3eb
commit e97d5eb3eb
parent cce97cf0de 325ae12432
7 changed files with 238 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -20,6 +20,8 @@

 - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).

+- [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).
+
 - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

 - [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1370,6 +1370,7 @@
  ./services/web-apps/documize.nix
  ./services/web-apps/dokuwiki.nix
  ./services/web-apps/dolibarr.nix
+  ./services/web-apps/eintopf.nix
  ./services/web-apps/engelsystem.nix
  ./services/web-apps/ethercalc.nix
  ./services/web-apps/filesender.nix
--- a/nixos/modules/services/web-apps/eintopf.nix
+++ b/nixos/modules/services/web-apps/eintopf.nix
@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.eintopf;
+
+in {
+  options.services.eintopf = {
+
+    enable = mkEnableOption "Eintopf community event calendar web app";
+
+    settings = mkOption {
+      type = types.attrsOf types.str;
+      default = { };
+      description = ''
+        Settings to configure web service. See
+        <https://codeberg.org/Klasse-Methode/eintopf/src/branch/main/DEPLOYMENT.md>
+        for available options.
+      '';
+      example = literalExpression ''
+        {
+          EINTOPF_ADDR = ":1234";
+          EINTOPF_ADMIN_EMAIL = "admin@example.org";
+          EINTOPF_TIMEZONE = "Europe/Berlin";
+        }
+      '';
+    };
+
+    secrets = lib.mkOption {
+      type = with types; listOf path;
+      description = ''
+        A list of files containing the various secrets. Should be in the
+        format expected by systemd's `EnvironmentFile` directory.
+      '';
+      default = [ ];
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.eintopf = {
+      description = "Community event calendar web app";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      environment = cfg.settings;
+      serviceConfig = {
+        ExecStart = "${pkgs.eintopf}/bin/eintopf";
+        WorkingDirectory = "/var/lib/eintopf";
+        StateDirectory = "eintopf" ;
+        EnvironmentFile = [ cfg.secrets ];
+
+        # hardening
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "" ;
+        DevicePolicy = "closed";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" "~@privileged" ];
+        UMask = "0077";
+      };
+    };
+
+  };
+
+  meta.maintainers = with lib.maintainers; [ onny ];
+
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -280,6 +280,7 @@ in {
  ecryptfs = handleTest ./ecryptfs.nix {};
  fscrypt = handleTest ./fscrypt.nix {};
  fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;
+  eintopf = handleTest ./eintopf.nix {};
  ejabberd = handleTest ./xmpp/ejabberd.nix {};
  elk = handleTestOn ["x86_64-linux"] ./elk.nix {};
  emacs-daemon = handleTest ./emacs-daemon.nix {};
--- a/nixos/tests/eintopf.nix
+++ b/nixos/tests/eintopf.nix
@ -0,0 +1,21 @@
+import ./make-test-python.nix ({ pkgs, ...} : {
+  name = "eintopf";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ onny ];
+  };
+
+  nodes = {
+    eintopf = { config, pkgs, ... }: {
+      services.eintopf = {
+        enable = true;
+      };
+    };
+  };
+
+  testScript = ''
+    eintopf.start
+    eintopf.wait_for_unit("eintopf.service")
+    eintopf.wait_for_open_port(3333)
+    eintopf.succeed("curl -sSfL http://eintopf:3333 | grep 'Es sind keine Veranstaltungen eingetragen'")
+  '';
+})
--- a/pkgs/by-name/ei/eintopf/frontend.nix
+++ b/pkgs/by-name/ei/eintopf/frontend.nix
@ -0,0 +1,64 @@
+{ lib
+, stdenv
+, fetchYarnDeps
+, fixup-yarn-lock
+, yarn
+, fetchFromGitea
+, src
+, version
+, nodejs
+, eintopf
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "eintopf";
+  inherit version src;
+
+  sourceRoot = "${finalAttrs.src.name}/backstage";
+
+  offlineCache = fetchYarnDeps {
+    yarnLock = "${finalAttrs.src}/yarn.lock";
+    hash = "sha256-Z/Pkk/qCWwr99g11DjEgnisPfxOhfD8+OCn6otxJtfI=";
+  };
+
+  nativeBuildInputs = [
+    fixup-yarn-lock
+    nodejs
+    yarn
+  ];
+
+  configurePhase = ''
+    runHook preConfigure
+
+    export HOME=$(mktemp -d)
+    yarn config --offline set yarn-offline-mirror $offlineCache
+    fixup-yarn-lock yarn.lock
+    yarn --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive install
+    patchShebangs node_modules
+
+    runHook postConfigure
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+
+    yarn --offline build
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    yarn --offline --production install
+
+    mkdir -p "$out"
+    cp -r . $out/
+
+    runHook postInstall
+  '';
+
+  meta = {
+    inherit (eintopf.meta) homepage description license maintainers;
+  };
+})
--- a/pkgs/by-name/ei/eintopf/package.nix
+++ b/pkgs/by-name/ei/eintopf/package.nix
@ -0,0 +1,57 @@
+{ lib
+, buildGoModule
+, fetchFromGitea
+, callPackage
+, nixosTests
+}:
+
+let
+  version = "0.13.16";
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "Klasse-Methode";
+    repo = "eintopf";
+    rev = "v${version}";
+    hash = "sha256-ex5bpO60ousJcgZGdviqWrCyihycW+JT+EYFvdooUDw=";
+  };
+  frontend = callPackage ./frontend.nix { inherit src version; };
+in
+
+buildGoModule rec {
+  pname = "eintopf";
+  inherit version src;
+
+  vendorHash = "sha256-dBxI6cUGc16lg89x8b+hSLcv5y/MLf6vDIvqdMBUz3I=";
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.version=${version}"
+    "-X main.revision=${src.rev}"
+  ];
+
+  preConfigure = ''
+    cp -R ${frontend}/. backstage/
+  '';
+
+  preCheck = ''
+    # Disable test, requires running Docker daemon
+    rm cmd/eintopf/main_test.go
+    rm service/email/email_test.go
+  '';
+
+  passthru.tests = {
+    inherit (nixosTests) eintopf;
+  };
+
+  meta = with lib; {
+    description = "A calendar for Stuttgart, showing events, groups and places";
+    homepage = "https://codeberg.org/Klasse-Methode/eintopf";
+    # License is going to change back to AGPL in the next release
+    # https://codeberg.org/Klasse-Methode/eintopf/issues/351#issuecomment-2076870
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ onny ];
+    platforms = platforms.unix;
+  };
+}
+