Unverified Commit 2b67faf4 authored by Emily's avatar Emily Committed by GitHub

The OracleJDK Dehaunting (#353043)

parents e6ff6e89 d6eb9f15
+1 −2
@@ -33,8 +33,7 @@ stdenv.mkDerivation {
```

Note that `jdk` is an alias for the OpenJDK (self-built where available,
or pre-built via Zulu). Platforms with OpenJDK not (yet) in Nixpkgs
(`Aarch32`, `Aarch64`) point to the (unfree) `oraclejdk`.
or pre-built via Zulu).

Also note that not using `stripJavaArchivesHook` will likely cause the
generated `.jar` files to be non-deterministic, which is not optimal.
+23 −0
@@ -333,6 +333,11 @@
  This change requires granting access to the repositories to this user or
  setting the appropriate one through `services.cgit.some-instance.user`.

- All Oracle JDKs and JREs (`oraclejdk`, `oraclejdk8`, `oraclejre`, `oraclejre8`,
  `jrePlugin`, `jre8Plugin`, `jdkdistro`, `oraclejdk8distro`, and `oraclejdk11`)
  were dropped due to being unmaintained and heavily insecure. OpenJDK provides
  compatible replacements for JDKs and JREs.

- `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
  Additionally, it had numerous security vulnerabilities that were only patched
  in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751),
@@ -342,6 +347,9 @@
  nvimpager settings: user commands in `-c` and `--cmd` now override the
  respective default settings because they are executed later.

- `javacard-devkit` was dropped due to having a dependency on the Oracle JDK,
  as well as being several years out-of-date.

- Kubernetes `featureGates` have changed from a `listOf str` to `attrsOf bool`.
  This refactor makes it possible to also disable feature gates, without having
  to use `extraOpts` flags.
@@ -388,6 +396,9 @@

- `services.pgbouncer` systemd service is configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option named [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings) according to the NixOS RFC 0042.

- Docear was removed because it was unmaintained upstream.
  JabRef, Zotero, or Mendeley are potential replacements.

- `nodePackages.coc-metals` was removed due to being deprecated upstream.
  `vimPlugins.nvim-metals` is its official replacement.

@@ -492,6 +503,9 @@

- PPD files for Utax printers got renamed (spaces replaced by underscores) in newest `foomatic-db` package; users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value.

- `sqldeveloper` was dropped due to being severely out-of-date and having a dependency on
  JavaFX for Java 8, which we do not support.

- The `kvdo` kernel module package was removed, because it was upstreamed in kernel version 6.9, where it is called `dm-vdo`.

- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.
@@ -663,6 +677,15 @@
  lists by default. Backwards-compatible behavior can be enabled with
  `atomsCoercedToLists`.

- Atlassian Server products have been removed, as support for the Atlassian Server
  products ended in February 2024 and there was insufficient interest in
  maintaining the Atlassian Data Center replacements:
  - The `atlassian-bamboo` package
  - The `atlassian-confluence` package and its `services.confluence` NixOS module
  - The `atlassian-crowd` package and its `services.crowd` NixOS module
  - The `atlassian-jira` package and its `services.jira` NixOS module


- `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
  Please switch to `pytest` or another test runner/framework.

+0 −3
@@ -1390,9 +1390,6 @@
  ./services/web-apps/alps.nix
  ./services/web-apps/anuko-time-tracker.nix
  ./services/web-apps/artalk.nix
  ./services/web-apps/atlassian/confluence.nix
  ./services/web-apps/atlassian/crowd.nix
  ./services/web-apps/atlassian/jira.nix
  ./services/web-apps/audiobookshelf.nix
  ./services/web-apps/bluemap.nix
  ./services/web-apps/bookstack.nix
+3 −0
@@ -62,7 +62,9 @@ in
    (mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
    (mkRemovedOptionModule [ "services" "cgmanager" "enable"] "cgmanager was deprecated by lxc and therefore removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "chronos" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "confluence" ] "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements")
    (mkRemovedOptionModule [ "services" "couchpotato" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "crowd" ] "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements")
    (mkRemovedOptionModule [ "services" "dd-agent" ] "dd-agent was removed from nixpkgs in favor of the newer datadog-agent.")
    (mkRemovedOptionModule [ "services" "dnscrypt-proxy" ] "Use services.dnscrypt-proxy2 instead")
    (mkRemovedOptionModule [ "services" "dnscrypt-wrapper" ] ''
@@ -82,6 +84,7 @@ in
    (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
    (mkRemovedOptionModule [ "services" "jira" ] "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements")
    (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "lshd" ] "The corresponding package was removed from nixpkgs as it had no maintainer in Nixpkgs and hasn't seen an upstream release in over a decades.")
    (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")
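Review bot: The removal message for the three added entries (`confluence`, `crowd`, `jira`) is the same long string pasted three times, which will drift apart the next time someone edits one of them; bind it once in the file's existing `let` block, e.g. `atlassianRemovedMsg = "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements";`, and use it as `(mkRemovedOptionModule [ "services" "confluence" ] atlassianRemovedMsg)` in each entry. Since this commit also adds a release-note entry for the removal, the message could additionally point operators at it, so that the evaluation error they hit on rebuild tells them where the migration guidance lives. The list these entries sit in, and its enclosing `let … in`, begin outside the hunk.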
+0 −224
{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.confluence;

  pkg = cfg.package.override (optionalAttrs cfg.sso.enable {
    enableSSO = cfg.sso.enable;
  });

  crowdProperties = pkgs.writeText "crowd.properties" ''
    application.name                        ${cfg.sso.applicationName}
    application.password                    ${if cfg.sso.applicationPassword != null then cfg.sso.applicationPassword else "@NIXOS_CONFLUENCE_CROWD_SSO_PWD@"}
    application.login.url                   ${cfg.sso.crowd}/console/

    crowd.server.url                        ${cfg.sso.crowd}/services/
    crowd.base.url                          ${cfg.sso.crowd}/

    session.isauthenticated                 session.isauthenticated
    session.tokenkey                        session.tokenkey
    session.validationinterval              ${toString cfg.sso.validationInterval}
    session.lastvalidation                  session.lastvalidation
  '';

in

{
  options = {
    services.confluence = {
      enable = mkEnableOption "Atlassian Confluence service";

      user = mkOption {
        type = types.str;
        default = "confluence";
        description = "User which runs confluence.";
      };

      group = mkOption {
        type = types.str;
        default = "confluence";
        description = "Group which runs confluence.";
      };

      home = mkOption {
        type = types.str;
        default = "/var/lib/confluence";
        description = "Home directory of the confluence instance.";
      };

      listenAddress = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = "Address to listen on.";
      };

      listenPort = mkOption {
        type = types.port;
        default = 8090;
        description = "Port to listen on.";
      };

      catalinaOptions = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "-Xms1024m" "-Xmx2048m" "-Dconfluence.disable.peopledirectory.all=true" ];
        description = "Java options to pass to catalina/tomcat.";
      };

      proxy = {
        enable = mkEnableOption "proxy support";

        name = mkOption {
          type = types.str;
          example = "confluence.example.com";
          description = "Virtual hostname at the proxy";
        };

        port = mkOption {
          type = types.port;
          default = 443;
          example = 80;
          description = "Port used at the proxy";
        };

        scheme = mkOption {
          type = types.str;
          default = "https";
          example = "http";
          description = "Protocol used at the proxy.";
        };
      };

      sso = {
        enable = mkEnableOption "SSO with Atlassian Crowd";

        crowd = mkOption {
          type = types.str;
          example = "http://localhost:8095/crowd";
          description = "Crowd Base URL without trailing slash";
        };

        applicationName = mkOption {
          type = types.str;
          example = "jira";
          description = "Exact name of this Confluence instance in Crowd";
        };

        applicationPassword = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = "Application password of this Confluence instance in Crowd";
        };

        applicationPasswordFile = mkOption {
          type = types.nullOr types.str;
          default = null;
          description = "Path to the application password for Crowd of Confluence.";
        };

        validationInterval = mkOption {
          type = types.int;
          default = 2;
          example = 0;
          description = ''
            Set to 0, if you want authentication checks to occur on each
            request. Otherwise set to the number of minutes between request
            to validate if the user is logged in or out of the Crowd SSO
            server. Setting this value to 1 or higher will increase the
            performance of Crowd's integration.
          '';
        };
      };

      package = mkPackageOption pkgs "atlassian-confluence" { };

      jrePackage = mkPackageOption pkgs "oraclejre8" {
        extraDescription = ''
        ::: {.note }
        Atlassian only supports the Oracle JRE (JRASERVER-46152).
        :::
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
    };

    assertions = [
      { assertion = cfg.sso.enable -> ((cfg.sso.applicationPassword == null) != (cfg.sso.applicationPasswordFile));
        message = "Please set either applicationPassword or applicationPasswordFile";
      }
    ];

    warnings = mkIf (cfg.sso.enable && cfg.sso.applicationPassword != null) [
      "Using `services.confluence.sso.applicationPassword` is deprecated! Use `applicationPasswordFile` instead!"
    ];

    users.groups.${cfg.group} = {};

    systemd.tmpfiles.rules = [
      "d '${cfg.home}' - ${cfg.user} - - -"
      "d /run/confluence - - - - -"

      "L+ /run/confluence/home - - - - ${cfg.home}"
      "L+ /run/confluence/logs - - - - ${cfg.home}/logs"
      "L+ /run/confluence/temp - - - - ${cfg.home}/temp"
      "L+ /run/confluence/work - - - - ${cfg.home}/work"
      "L+ /run/confluence/server.xml - - - - ${cfg.home}/server.xml"
    ];

    systemd.services.confluence = {
      description = "Atlassian Confluence";

      wantedBy = [ "multi-user.target" ];
      requires = [ "postgresql.service" ];
      after = [ "postgresql.service" ];

      path = [ cfg.jrePackage pkgs.bash ];

      environment = {
        CONF_USER = cfg.user;
        JAVA_HOME = "${cfg.jrePackage}";
        CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
        JAVA_OPTS = mkIf cfg.sso.enable "-Dcrowd.properties=${cfg.home}/crowd.properties";
      };

      preStart = ''
        mkdir -p ${cfg.home}/{logs,work,temp,deploy}

        sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
        '' + (lib.optionalString cfg.proxy.enable ''
          -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \
        '') + ''
          ${pkg}/conf/server.xml.dist > ${cfg.home}/server.xml

        ${optionalString cfg.sso.enable ''
          install -m660 ${crowdProperties} ${cfg.home}/crowd.properties
          ${optionalString (cfg.sso.applicationPasswordFile != null) ''
            ${pkgs.replace-secret}/bin/replace-secret \
              '@NIXOS_CONFLUENCE_CROWD_SSO_PWD@' \
              ${cfg.sso.applicationPasswordFile} \
              ${cfg.home}/crowd.properties
          ''}
        ''}
      '';

      serviceConfig = {
        User = cfg.user;
        Group = cfg.group;
        PrivateTmp = true;
        Restart = "on-failure";
        RestartSec = "10";
        ExecStart = "${pkg}/bin/start-confluence.sh -fg";
        ExecStop = "${pkg}/bin/stop-confluence.sh";
      };
    };
  };
}