Unverified Commit 7d26069e authored by Marcus Ramberg's avatar Marcus Ramberg Committed by GitHub

{,nixos/}pocket-id: 0.53.0 -> 1.1.0 (#411229)

parents d313d940 17db1b17
+2 −0
@@ -25,6 +25,8 @@

- The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.

- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).

- `renovate` was updated to v40. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/40.0.0) for breaking changes.

## Other Notable Changes {#sec-release-25.11-notable-changes}
+42 −84
@@ -7,12 +7,16 @@

let
  inherit (lib)
    concatMap
    concatStringsSep
    getExe
    maintainers
    mkEnableOption
    mkIf
    mkOption
    optionalAttrs
    optional
    mkPackageOption
    optional
    optionalAttrs
    ;
  inherit (lib.types)
    bool
@@ -27,7 +31,7 @@ let
  settingsFile = format.generate "pocket-id-env-vars" cfg.settings;
in
{
  meta.maintainers = with lib.maintainers; [
  meta.maintainers = with maintainers; [
    gepbird
    ymstnt
  ];
@@ -56,7 +60,7 @@ in
        freeformType = format.type;

        options = {
          PUBLIC_APP_URL = mkOption {
          APP_URL = mkOption {
            type = str;
            description = ''
              The URL where you will access the app.
@@ -71,6 +75,16 @@ in
            '';
            default = false;
          };

          ANALYTICS_DISABLED = mkOption {
            type = bool;
            description = ''
              Whether to disable analytics.

              See [docs page](https://pocket-id.org/docs/configuration/analytics/).
            '';
            default = false;
          };
        };
      };

@@ -105,18 +119,36 @@ in
  };

  config = mkIf cfg.enable {
    warnings = (
    warnings =
      optional (cfg.settings ? MAXMIND_LICENSE_KEY)
        "config.services.pocket-id.settings.MAXMIND_LICENSE_KEY will be stored as plaintext in the Nix store. Use config.services.pocket-id.environmentFile instead."
    );
      ++ concatMap
        (
          # Added 2025-05-27
          setting:
          optional (cfg.settings ? "${setting}") ''
            config.services.pocket-id.settings.${setting} is deprecated.
            See https://pocket-id.org/docs/setup/migrate-to-v1/ for migration instructions.
          ''
        )
        [
          "PUBLIC_APP_URL"
          "PUBLIC_UI_CONFIG_DISABLED"
          "CADDY_DISABLED"
          "CADDY_PORT"
          "BACKEND_PORT"
          "POSTGRES_CONNECTION_STRING"
          "SQLITE_DB_PATH"
          "INTERNAL_BACKEND_URL"
        ];

    systemd.tmpfiles.rules = [
      "d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group}"
    ];

    systemd.services = {
      pocket-id-backend = {
        description = "Pocket ID backend";
      pocket-id = {
        description = "Pocket ID";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        restartTriggers = [
@@ -130,7 +162,7 @@ in
          User = cfg.user;
          Group = cfg.group;
          WorkingDirectory = cfg.dataDir;
          ExecStart = "${cfg.package}/bin/pocket-id-backend";
          ExecStart = getExe cfg.package;
          Restart = "always";
          EnvironmentFile = [
            cfg.environmentFile
@@ -169,7 +201,7 @@ in
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = lib.concatStringsSep " " [
          SystemCallFilter = concatStringsSep " " [
            "~"
            "@clock"
            "@cpu-emulation"
@@ -186,80 +218,6 @@ in
          UMask = "0077";
        };
      };

      pocket-id-frontend = {
        description = "Pocket ID frontend";
        after = [
          "network.target"
          "pocket-id-backend.service"
        ];
        wantedBy = [ "multi-user.target" ];
        restartTriggers = [
          cfg.package
          cfg.environmentFile
          settingsFile
        ];

        serviceConfig = {
          Type = "simple";
          User = cfg.user;
          Group = cfg.group;
          ExecStart = "${cfg.package}/bin/pocket-id-frontend";
          Restart = "always";
          EnvironmentFile = [
            cfg.environmentFile
            settingsFile
          ];

          # Hardening
          AmbientCapabilities = "";
          CapabilityBoundingSet = "";
          DeviceAllow = "";
          DevicePolicy = "closed";
          #IPAddressDeny = "any"; # communicates with the backend and client
          LockPersonality = true;
          MemoryDenyWriteExecute = false; # V8_Fatal segfault
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateNetwork = false; # communicates with the backend and client
          PrivateTmp = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = lib.concatStringsSep " " [
            "~"
            "@clock"
            "@cpu-emulation"
            "@debug"
            "@module"
            "@mount"
            "@obsolete"
            "@privileged"
            "@raw-io"
            "@reboot"
            "@resources"
            "@swap"
          ];
          UMask = "0077";
        };
      };
    };

    users.users = optionalAttrs (cfg.user == "pocket-id") {
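Review bot: The new `ANALYTICS_DISABLED` option in the `@@ -71,6 +75,16 @@` hunk defaults to `false`, so a fresh deployment of this identity provider reports analytics upstream unless the admin discovers and flips the flag, which sits oddly next to the module's otherwise conservative defaults (UMask 0077, syscall filtering); the safer default is `default = true;`, with the description stating what the linked analytics page says is sent. If keeping upstream's opt-out behaviour is deliberate, say so in the description so the default reads as a choice rather than an oversight. Separately, the deprecated-settings block in the `config` hunk only warns: a user still setting `PUBLIC_APP_URL` gets it written to the env file and, per the linked migration guide, ignored, while `APP_URL` is what the new option expects, so an assertion (or mapping the old key onto `APP_URL`) would fail loudly instead of silently misconfiguring the issuer URL. Both the `settings` submodule and the `config` attrset extend beyond their hunks.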
+2 −7
@@ -15,8 +15,6 @@
          enable = true;
          settings = {
            PORT = 10001;
            INTERNAL_BACKEND_URL = "http://localhost:10002";
            BACKEND_PORT = 10002;
          };
        };
      };
@@ -29,17 +27,14 @@
      inherit (builtins) toString;
    in
    ''
      machine.wait_for_unit("pocket-id-backend.service")
      machine.wait_for_open_port(${toString settings.BACKEND_PORT})
      machine.wait_for_unit("pocket-id-frontend.service")
      machine.wait_for_unit("pocket-id.service")
      machine.wait_for_open_port(${toString settings.PORT})

      backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.BACKEND_PORT}/api/users/me")
      backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
      assert backend_status == "401"
      machine.succeed("grep 'You are not signed in' /tmp/backend-output")

      frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
      assert frontend_status == "200"
      machine.succeed("grep 'Sign in to Pocket ID' /tmp/frontend-output")
    '';
}
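Review bot: The rewritten test script no longer checks that the former separate backend listener is gone: with `BACKEND_PORT` and `INTERNAL_BACKEND_URL` dropped from `settings`, only `PORT` is asserted open, so a regression where the package still exposes a second unauthenticated API port would pass unnoticed. A negative check after the existing port wait, `machine.fail("curl -sf http://localhost:10002/api/users/me")` (10002 being the port the old test used), pins the single-listener contract this commit introduces. The `You are not signed in` and `Sign in to Pocket ID` greps are upstream UI strings and will break on the next wording change; that is fine for a smoke test, but a comment saying so would spare the next updater a debugging round.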
+22 −48
@@ -3,36 +3,38 @@
  fetchFromGitHub,
  buildGoModule,
  buildNpmPackage,
  makeWrapper,
  nodejs,
  stdenvNoCC,
  nixosTests,
  nix-update-script,
}:

stdenvNoCC.mkDerivation (finalAttrs: {
buildGoModule (finalAttrs: {
  pname = "pocket-id";
  version = "0.53.0";
  version = "1.1.0";

  src = fetchFromGitHub {
    owner = "pocket-id";
    repo = "pocket-id";
    tag = "v${finalAttrs.version}";
    hash = "sha256-3lW4jPh9YElgpBcIooGQ2zZbNwC/rz7CABsp7ScTxyQ=";
    hash = "sha256-J/s8wpKAU7w8Djtd7rtamCzg/7176W0ybSoAB/vHOjs=";
  };

  backend = buildGoModule {
    pname = "pocket-id-backend";
    inherit (finalAttrs) version src;

  sourceRoot = "${finalAttrs.src.name}/backend";

    vendorHash = "sha256-wOrYIhOrUxz22Ay2A26FTrPJA8YRgdRihP78Ls8VgNM=";
  vendorHash = "sha256-jLwuBYiFZhUDIvG5uk78vXmo+wuqkFmyC5lAUZ3vUxU=";

  env.CGO_ENABLED = 0;
  ldflags = [
    "-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${finalAttrs.version}"
    "-buildid=${finalAttrs.version}"
  ];

  preBuild = ''
    cp -r ${finalAttrs.frontend}/lib/pocket-id-frontend/dist frontend/dist
  '';

  preFixup = ''
      mv $out/bin/cmd $out/bin/pocket-id-backend
    mv $out/bin/cmd $out/bin/pocket-id
  '';
  };

  frontend = buildNpmPackage {
    pname = "pocket-id-frontend";
@@ -40,56 +42,27 @@ stdenvNoCC.mkDerivation (finalAttrs: {

    sourceRoot = "${finalAttrs.src.name}/frontend";

    npmDepsHash = "sha256-UjYAndueuJU07unbNFoTQHqRFkdyaBKHyT4k3Ex4pg0=";
    npmDepsHash = "sha256-ykoyJtnqFK1fK60SbzrL7nhRcKYa3qYdHf9kFOC3EwE=";
    npmFlags = [ "--legacy-peer-deps" ];

    nativeBuildInputs = [
      makeWrapper
    ];
    env.BUILD_OUTPUT_PATH = "dist";

    installPhase = ''
      runHook preInstall

      # even though vite build creates most of the minified js files,
      # it still needs a few packages from node_modules, try to strip that
      npm prune --omit=dev --omit=optional $npmFlags
      # larger seemingly unused packages
      rm -r node_modules/{lucide-svelte,jiti,@swc,.bin}
      # unused file types
      for pattern in '*.map' '*.map.js' '*.ts'; do
        find . -type f -name "$pattern" -exec rm {} +
      done

      mkdir -p $out/{bin,lib/pocket-id-frontend}
      cp -r build $out/lib/pocket-id-frontend/dist
      cp -r node_modules $out/lib/pocket-id-frontend/node_modules
      makeWrapper ${lib.getExe nodejs} $out/bin/pocket-id-frontend \
        --add-flags $out/lib/pocket-id-frontend/dist/index.js
      mkdir -p $out/lib/pocket-id-frontend
      cp -r dist $out/lib/pocket-id-frontend/dist

      runHook postInstall
    '';
  };

  dontUnpack = true;

  installPhase = ''
    runHook preInstall

    mkdir -p $out/bin
    ln -s ${finalAttrs.backend}/bin/pocket-id-backend $out/bin/pocket-id-backend
    ln -s ${finalAttrs.frontend}/bin/pocket-id-frontend $out/bin/pocket-id-frontend

    runHook postInstall
  '';

  passthru = {
    tests = {
      inherit (nixosTests) pocket-id;
    };
    updateScript = nix-update-script {
      extraArgs = [
        "--subpackage"
        "backend"
        "--subpackage"
        "frontend"
      ];
@@ -101,6 +74,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
    homepage = "https://pocket-id.org";
    changelog = "https://github.com/pocket-id/pocket-id/releases/tag/v${finalAttrs.version}";
    license = lib.licenses.bsd2;
    mainProgram = "pocket-id";
    maintainers = with lib.maintainers; [
      gepbird
      marcusramberg
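Review bot: The binary rename in the first hunk is done in `preFixup` (`mv $out/bin/cmd $out/bin/pocket-id`); nixpkgs convention for touching installed files is `postInstall`, which runs straight after `installPhase` and before the fixup hooks, so `postInstall = ''mv $out/bin/cmd $out/bin/pocket-id'';` matches the idiom and lets strip/patch hooks see the final name. The `preBuild` copy of `${finalAttrs.frontend}/lib/pocket-id-frontend/dist` into `frontend/dist` is resolved relative to `sourceRoot = "${finalAttrs.src.name}/backend"`, which presumably corresponds to an embed directive in the Go sources; a one-line comment such as `# backend embeds frontend/dist at build time; the path must match the Go embed directive` would save the next updater a search and make the coupling to the frontend derivation explicit. The `buildGoModule (finalAttrs: {` derivation starts in this hunk and ends past it.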