
{,nixos/}pocket-id: 0.53.0 -> 1.1.0 (#411229)

authored by Marcus Ramberg and committed by GitHub 7d26069e d313d940

Changed files
+68 -139
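--- a/nixos/doc/manual/release-notes/rl-2511.section.md
+++ b/nixos/doc/manual/release-notes/rl-2511.section.md
@@ -25,6 +25,8 @@
 
 - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
 
+- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
+
 - `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.
 
 ## Other Notable Changes {#sec-release-25.11-notable-changes}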
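--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@@ -7,12 +7,16 @@
 
 let
 inherit (lib)
+concatMap
+concatStringsSep
+getExe
+maintainers
 mkEnableOption
 mkIf
 mkOption
-optionalAttrs
-optional
 mkPackageOption
+optional
+optionalAttrs
 ;
 inherit (lib.types)
 bool
@@ -27,7 +31,7 @@
 settingsFile = format.generate "pocket-id-env-vars" cfg.settings;
 in
 {
-meta.maintainers = with lib.maintainers; [
+meta.maintainers = with maintainers; [
 gepbird
 ymstnt
 ];
@@ -56,7 +60,7 @@
 freeformType = format.type;
 
 options = {
-PUBLIC_APP_URL = mkOption {
+APP_URL = mkOption {
 type = str;
 description = ''
 The URL where you will access the app.
@@ -71,6 +75,16 @@
 '';
 default = false;
 };
+
+ANALYTICS_DISABLED = mkOption {
+type = bool;
+description = ''
+Whether to disable analytics.
+
+See [docs page](https://pocket-id.org/docs/configuration/analytics/).
+'';
+default = false;
+};
 };
 };
 
@@ -105,18 +119,36 @@
 };
 
 config = mkIf cfg.enable {
-warnings = (
+warnings =
 optional (cfg.settings ? MAXMIND_LICENSE_KEY)
 "config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
-);
+++ concatMap
+(
+# Added 2025-05-27
+setting:
+optional (cfg.settings ? "${setting}") ''
+config.services.pocket-id.settings.${setting} is deprecated.
+See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions.
+''
+)
+[
+"PUBLIC_APP_URL"
+"PUBLIC_UI_CONFIG_DISABLED"
+"CADDY_DISABLED"
+"CADDY_PORT"
+"BACKEND_PORT"
+"POSTGRES_CONNECTION_STRING"
+"SQLITE_DB_PATH"
+"INTERNAL_BACKEND_URL"
+];
 
 systemd.tmpfiles.rules = [
 "d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
 ];
 
 systemd.services = {
-pocket-id-backend = {
-description = "Pocket ID backend";
+pocket-id = {
+description = "Pocket ID";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 restartTriggers = [
@@ -130,7 +162,7 @@
 User = cfg.user;
 Group = cfg.group;
 WorkingDirectory = cfg.dataDir;
-ExecStart = "${cfg.package}/bin/pocket-id-backend";
+ExecStart = getExe cfg.package;
 Restart = "always";
 EnvironmentFile = [
 cfg.environmentFile
@@ -169,7 +201,7 @@
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
-SystemCallFilter = lib.concatStringsSep " " [
+SystemCallFilter = concatStringsSep " " [
 "~"
 "@clock"
 "@cpu-emulation"
@@ -181,80 +213,6 @@
 "@raw-io"
 "@reboot"
 #"@resources" # vm test segfaults
-"@swap"
-];
-UMask = "0077";
-};
-};
-
-pocket-id-frontend = {
-description = "Pocket ID frontend";
-after = [
-"network.target"
-"pocket-id-backend.service"
-];
-wantedBy = [ "multi-user.target" ];
-restartTriggers = [
-cfg.package
-cfg.environmentFile
-settingsFile
-];
-
-serviceConfig = {
-Type = "simple";
-User = cfg.user;
-Group = cfg.group;
-ExecStart = "${cfg.package}/bin/pocket-id-frontend";
-Restart = "always";
-EnvironmentFile = [
-cfg.environmentFile
-settingsFile
-];
-
-# Hardening
-AmbientCapabilities = "";
-CapabilityBoundingSet = "";
-DeviceAllow = "";
-DevicePolicy = "closed";
-#IPAddressDeny = "any"; # communicates with the backend and client
-LockPersonality = true;
-MemoryDenyWriteExecute = false; # V8_Fatal segfault
-NoNewPrivileges = true;
-PrivateDevices = true;
-PrivateNetwork = false; # communicates with the backend and client
-PrivateTmp = true;
-PrivateUsers = true;
-ProcSubset = "pid";
-ProtectClock = true;
-ProtectControlGroups = true;
-ProtectHome = true;
-ProtectHostname = true;
-ProtectKernelLogs = true;
-ProtectKernelModules = true;
-ProtectKernelTunables = true;
-ProtectProc = "invisible";
-ProtectSystem = "strict";
-RemoveIPC = true;
-RestrictAddressFamilies = [
-"AF_INET"
-"AF_INET6"
-];
-RestrictNamespaces = true;
-RestrictRealtime = true;
-RestrictSUIDSGID = true;
-SystemCallArchitectures = "native";
-SystemCallFilter = lib.concatStringsSep " " [
-"~"
-"@clock"
-"@cpu-emulation"
-"@debug"
-"@module"
-"@mount"
-"@obsolete"
-"@privileged"
-"@raw-io"
-"@reboot"
-"@resources"
 "@swap"
 ];
 UMask = "0077";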
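Review bot: The new deprecation entries in `warnings` only warn, while `settingsFile = format.generate "pocket-id-env-vars" cfg.settings` (context line at the top of the section) still exports every key of `cfg.settings`, so a stale `SQLITE_DB_PATH` or `POSTGRES_CONNECTION_STRING` is still handed to the 1.x binary and, if the new release no longer reads those names as the migration link implies, the service would presumably start against a fresh default database instead of the existing identity data. Turning at least those two storage-related names into an `assertions` entry would make the upgrade fail at evaluation time rather than silently; if a warning is kept, its text should say the value is ignored, e.g. `config.services.pocket-id.settings.${setting} is deprecated and no longer read by pocket-id 1.x.` As a point of style, the `# Added 2025-05-27` comment sits between `(` and `setting:` inside the lambda and would read better directly above `++ concatMap`. The description of the new `ANALYTICS_DISABLED` option could also state that the default `false` leaves analytics enabled.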
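--- a/nixos/tests/pocket-id.nix
+++ b/nixos/tests/pocket-id.nix
@@ -15,8 +15,6 @@
 enable = true;
 settings = {
 PORT = 10001;
-INTERNAL_BACKEND_URL = "http://localhost:10002";
-BACKEND_PORT = 10002;
 };
 };
 };
@@ -29,17 +27,14 @@
 inherit (builtins) toString;
 in
 ''
-machine.wait_for_unit("pocket-id-backend.service")
-machine.wait_for_open_port(${toString settings.BACKEND_PORT})
-machine.wait_for_unit("pocket-id-frontend.service")
+machine.wait_for_unit("pocket-id.service")
 machine.wait_for_open_port(${toString settings.PORT})
 
-backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me")
+backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
 assert backend_status == "401"
 machine.succeed("grep 'You are not signed in' /tmp/backend-output")
 
 frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
 assert frontend_status == "200"
-machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
 '';
 }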
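Review bot: Dropping `machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")` leaves the frontend check as `assert frontend_status == "200"` alone, which any handler answering 200 would satisfy, so the test no longer proves that the bundled UI is actually served by the single `pocket-id.service`. Re-adding a content check against text present in the 1.x index page, e.g. `machine.succeed("grep '<string taken from the v1 index page>' /tmp/frontend-output")`, would restore that coverage; the old string was presumably removed because the 1.x page text changed, so the replacement has to come from the new build rather than be guessed. The `backend_status` check on the same port still verifies the API side, so only the UI assertion is missing.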
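--- a/pkgs/by-name/po/pocket-id/package.nix
+++ b/pkgs/by-name/po/pocket-id/package.nix
@@ -3,36 +3,38 @@
 fetchFromGitHub,
 buildGoModule,
 buildNpmPackage,
-makeWrapper,
-nodejs,
-stdenvNoCC,
 nixosTests,
 nix-update-script,
 }:
 
-stdenvNoCC.mkDerivation (finalAttrs: {
+buildGoModule (finalAttrs: {
 pname = "pocket-id";
-version = "0.53.0";
+version = "1.1.0";
 
 src = fetchFromGitHub {
 owner = "pocket-id";
 repo = "pocket-id";
 tag = "v${finalAttrs.version}";
-hash = "sha256-3lW4jPh9YElgpBcIooGQ2zZbNwC/rz7CABsp7ScTxyQ=";
+hash = "sha256-J/s8wpKAU7w8Djtd7rtamCzg/7176W0ybSoAB/vHOjs=";
 };
 
-backend = buildGoModule {
-pname = "pocket-id-backend";
-inherit (finalAttrs) version src;
+sourceRoot = "${finalAttrs.src.name}/backend";
+
+vendorHash = "sha256-jLwuBYiFZhUDIvG5uk78vXmo+wuqkFmyC5lAUZ3vUxU=";
 
-sourceRoot = "${finalAttrs.src.name}/backend";
+env.CGO_ENABLED = 0;
+ldflags = [
+"-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${finalAttrs.version}"
+"-buildid=${finalAttrs.version}"
+];
 
-vendorHash = "sha256-wOrYIhOrUxz22Ay2A26FTrPJA8YRgdRihP78Ls8VgNM=";
+preBuild = ''
+cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist
+'';
 
-preFixup = ''
-mv $out/bin/cmd $out/bin/pocket-id-backend
-'';
-};
+preFixup = ''
+mv $out/bin/cmd $out/bin/pocket-id
+'';
 
 frontend = buildNpmPackage {
 pname = "pocket-id-frontend";
@@ -40,56 +42,27 @@
 
 sourceRoot = "${finalAttrs.src.name}/frontend";
 
-npmDepsHash = "sha256-UjYAndueuJU07unbNFoTQHqRFkdyaBKHyT4k3Ex4pg0=";
+npmDepsHash = "sha256-ykoyJtnqFK1fK60SbzrL7nhRcKYa3qYdHf9kFOC3EwE=";
 npmFlags = [ "--legacy-peer-deps" ];
 
-nativeBuildInputs = [
-makeWrapper
-];
+env.BUILD_OUTPUT_PATH = "dist";
 
 installPhase = ''
 runHook preInstall
 
-# even though vite build creates most of the minified js files,
-# it still needs a few packages from node_modules, try to strip that
-npm prune --omit=dev --omit=optional $npmFlags
-# larger seemingly unused packages
-rm -r node_modules/{lucide-svelte,jiti,@swc,.bin}
-# unused file types
-for pattern in '*.map' '*.map.js' '*.ts'; do
-find . -type f -name "$pattern" -exec rm {} +
-done
-
-mkdir -p $out/{bin,lib/pocket-id-frontend}
-cp -r build $out/lib/pocket-id-frontend/dist
-cp -r node_modules $out/lib/pocket-id-frontend/node_modules
-makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \
---add-flags $out/lib/pocket-id-frontend/dist/index.js
+mkdir -p $out/lib/pocket-id-frontend
+cp -r dist $out/lib/pocket-id-frontend/dist
 
 runHook postInstall
 '';
 };
 
-dontUnpack = true;
-
-installPhase = ''
-runHook preInstall
-
-mkdir -p $out/bin
-ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend
-ln -s ${finalAttrs.frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend
-
-runHook postInstall
-'';
-
 passthru = {
 tests = {
 inherit (nixosTests) pocket-id;
 };
 updateScript = nix-update-script {
 extraArgs = [
-"--subpackage"
-"backend"
 "--subpackage"
 "frontend"
 ];
@@ -101,6 +74,7 @@
 homepage = "https://pocket-id.org";
 changelog = "https://github.com/pocket-id/pocket-id/releases/tag/v${finalAttrs.version}";
 license = lib.licenses.bsd2;
+mainProgram = "pocket-id";
 maintainers = with lib.maintainers; [
 gepbird
 marcusramberg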
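Review bot: `version = "1.1.0"` here disagrees with the release-note entry in nixos/doc/manual/release-notes/rl-2511.section.md, which says the package and module were updated to 1.0.0; one of the two should be corrected so the changelog matches what is shipped. The new `preBuild` that copies `${finalAttrs.frontend}/lib/pocket-id-frontend/dist` into `frontend/dist` carries no comment explaining why a Go build needs the npm output; a line such as `# the Go binary serves the prebuilt frontend from frontend/dist (presumably via go:embed — confirm against the backend sources)` would help the next updater. The `preFixup` rename to `$out/bin/pocket-id` and the added `meta.mainProgram = "pocket-id"` are consistent with each other, which is what the module's new `ExecStart = getExe cfg.package` depends on.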