Unverified Commit 5a0bb053 authored by Atemu's avatar Atemu Committed by GitHub

[Backport release-25.05] nixos/signald, signald, signaldctl, purple-signald: drop (#408483)

parents 190639e8 f357ba3e
+2 −0
@@ -127,6 +127,8 @@

- Default ICU version updated from 74 to 76

- The packages `signald`, `signaldctl` and `purple-signald` have been dropped as they are unmaintained upstream and have been incompatible with the official Signal servers for a long while.

- Apache Kafka was updated to `>= 4.0.0`. Please note that this is the first release which operates
  entirely without Apache ZooKeeper support, and all clusters need to be migrated to KRaft mode. See
  the [release announcement](https://kafka.apache.org/blog#apache_kafka_400_release_announcement)
+2 −0
@@ -306,6 +306,8 @@

- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.

- `services.signald` has been removed as `signald` is unmaintained upstream and has been incompatible to official Signal servers for a long while.

- `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`.

- `aws-workspaces` has dropped support for PCoiP networking.
+0 −1
@@ -903,7 +903,6 @@
  ./services/misc/servarr/whisparr.nix
  ./services/misc/serviio.nix
  ./services/misc/sickbeard.nix
  ./services/misc/signald.nix
  ./services/misc/siproxd.nix
  ./services/misc/snapper.nix
  ./services/misc/soft-serve.nix
+4 −0
@@ -318,6 +318,10 @@ in
      The conduwuit project has been discontinued by upstream.
      See https://github.com/NixOS/nixpkgs/pull/397902 for more information.
    '')
    (mkRemovedOptionModule [ "services" "signald" ] ''
      The signald project is unmaintained and has long been incompatible with the
      official Signal servers.
    '')

    # Do NOT add any option renames here, see top of the file
  ];
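Review bot: The new `mkRemovedOptionModule [ "services" "signald" ]` message explains why the option is gone but not what the removal leaves behind on existing hosts. The module deleted in this same commit created a static `signald` system user and group and ran the daemon with `StateDirectory = "signald"` (i.e. `/var/lib/signald`, mode 0750), which presumably holds the registered account's credentials; a removed option triggers no cleanup, so that directory and the user persist across rebuilds indefinitely. Consider extending the message with a sentence such as `The signald state directory (/var/lib/signald) and the signald user and group are not removed automatically; delete them once the account data is no longer needed.` The enclosing list of removed-option modules starts and ends outside the hunk.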
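--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -1,116 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.signald;
-  dataDir = "/var/lib/signald";
-  defaultUser = "signald";
-in
-{
-  options.services.signald = {
-    enable = lib.mkEnableOption "signald, the unofficial daemon for interacting with Signal";
-
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = defaultUser;
-      description = "User under which signald runs.";
-    };
-
-    group = lib.mkOption {
-      type = lib.types.str;
-      default = defaultUser;
-      description = "Group under which signald runs.";
-    };
-
-    socketPath = lib.mkOption {
-      type = lib.types.str;
-      default = "/run/signald/signald.sock";
-      description = "Path to the signald socket";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == defaultUser) {
-      ${defaultUser} = {
-        group = cfg.group;
-        isSystemUser = true;
-      };
-    };
-
-    users.groups = lib.optionalAttrs (cfg.group == defaultUser) {
-      ${defaultUser} = { };
-    };
-
-    systemd.services.signald = {
-      description = "A daemon for interacting with the Signal Private Messenger";
-      wants = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-
-      serviceConfig = {
-        User = cfg.user;
-        Group = cfg.group;
-        ExecStart = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath}";
-        ExecStartPre = "${pkgs.signald}/bin/signald -d ${dataDir} -s ${cfg.socketPath} --migrate-data";
-        Restart = "on-failure";
-        StateDirectory = "signald";
-        RuntimeDirectory = "signald";
-        StateDirectoryMode = "0750";
-        RuntimeDirectoryMode = "0750";
-
-        BindReadOnlyPaths = [
-          "/nix/store"
-          "-/etc/resolv.conf"
-          "-/etc/nsswitch.conf"
-          "-/etc/hosts"
-          "-/etc/localtime"
-        ];
-        CapabilityBoundingSet = "";
-        # ProtectClock= adds DeviceAllow=char-rtc r
-        DeviceAllow = "";
-        # Use a static user so other applications can access the files
-        #DynamicUser = true;
-        LockPersonality = true;
-        # Needed for java
-        #MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        PrivateMounts = true;
-        # Needs network access
-        #PrivateNetwork = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        # Would re-mount paths ignored by temporary root
-        #ProtectSystem = "strict";
-        ProtectControlGroups = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "~@privileged @resources @setuid @keyring"
-        ];
-        TemporaryFileSystem = "/:ro";
-        # Does not work well with the temporary root
-        #UMask = "0066";
-      };
-    };
-  };
-}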