authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-07-12 14:27:49 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-07-13 11:29:31 +0200
commita62fe7264b07df7c9d948f56da675c698f9b1616 (patch)
treec1e01794c0426ec9b5e5a3b8e6a387d851342802
parenttests/rust-motd: Add a `sleep` to avoid flakiness (diff)
{modules,pkgs}/sharkey: Use the sharkey package and module from nixpkgs
Sharkey was packaged in nixpkgs.
-rw-r--r--flake.lock30
-rw-r--r--modules/by-name/sh/sharkey/module.nix275
-rw-r--r--pkgs/by-name/sh/sharkey/package.nix176
-rw-r--r--tests/by-name/sh/sharkey-cpu/test.nix2
4 files changed, 78 insertions, 405 deletions
diff --git a/flake.lock b/flake.lock
index 0bde9a0..2e89df4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -141,11 +141,11 @@
]
},
"locked": {
- "lastModified": 1751607816,
- "narHash": "sha256-5PtrwjqCIJ4DKQhzYdm8RFePBuwb+yTzjV52wWoGSt4=",
+ "lastModified": 1752113600,
+ "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=",
"owner": "nix-community",
"repo": "disko",
- "rev": "da6109c917b48abc1f76dd5c9bf3901c8c80f662",
+ "rev": "79264292b7e3482e5702932949de9cbb69fedf6d",
"type": "github"
},
"original": {
@@ -292,11 +292,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1751675867,
- "narHash": "sha256-RdbC7JPst1u7s6RKQYvGo6LVgaud+I91LUdDJLlZjZs=",
+ "lastModified": 1752244816,
+ "narHash": "sha256-xi2uQTCjKev5kzfhLFMrOoCPBYnePmvRWtpCVKP4o94=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "bccdc925e1f2afd8597dca58df02577a3630047c",
+ "rev": "739c8f530a2c5e0b9eefc8019d201654264cb974",
"type": "github"
},
"original": {
@@ -308,11 +308,11 @@
},
"nixpkgs-unstable": {
"locked": {
- "lastModified": 1751743520,
- "narHash": "sha256-gk83D6+0KpugopnV6vrumpVHDrqESFjVr39O9u7NNy8=",
+ "lastModified": 1752298176,
+ "narHash": "sha256-wY7/8k5mJbljXxBUX1bDHFVUcMrWdrDT8FNDrcPwLbA=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "833775e5731dcd1fd3eb0b61fa7ed2a4fafb4e3e",
+ "rev": "d3807bc34e7d086b4754e1c842505570e23f9d01",
"type": "github"
},
"original": {
@@ -348,11 +348,11 @@
]
},
"locked": {
- "lastModified": 1751769931,
- "narHash": "sha256-QR2Rp/41NkA5YxcpvZEKD1S2QE1Pb9U415aK8M/4tJc=",
+ "lastModified": 1752288212,
+ "narHash": "sha256-f2PMqtf61mWAM11QoIfGv3hjD2AsJrij4FCzftepuaE=",
"owner": "oxalica",
"repo": "rust-overlay",
- "rev": "3ac4f630e375177ea8317e22f5c804156de177e8",
+ "rev": "678296525a4cce249c608749b171d0b2ceb8b2ff",
"type": "github"
},
"original": {
@@ -412,11 +412,11 @@
]
},
"locked": {
- "lastModified": 1750931469,
- "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
+ "lastModified": 1752055615,
+ "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=",
"owner": "numtide",
"repo": "treefmt-nix",
- "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
+ "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9",
"type": "github"
},
"original": {
diff --git a/modules/by-name/sh/sharkey/module.nix b/modules/by-name/sh/sharkey/module.nix
index 2b50cf0..d019bd3 100644
--- a/modules/by-name/sh/sharkey/module.nix
+++ b/modules/by-name/sh/sharkey/module.nix
@@ -1,18 +1,18 @@
-# Source: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey/module.nix
{
config,
lib,
pkgs,
- vhackPackages,
+ pkgsUnstable,
+ nixpkgs-unstable,
...
}: let
cfg = config.vhack.sharkey;
-
- createDB = cfg.database.host == "127.0.0.1" && cfg.database.createLocally;
-
- settingsFormat = pkgs.formats.yaml {};
- configFile = settingsFormat.generate "sharkey-config.yml" cfg.settings;
in {
+ imports = [
+ # TODO(@bpeetz): Remove this import once we update to NixOS 25.11 <2025-07-12>
+ "${nixpkgs-unstable}/nixos/modules/services/web-apps/sharkey.nix"
+ ];
+
options.vhack.sharkey = {
enable = lib.mkEnableOption "sharkey";
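Review bot: The import on the `imports = [ "${nixpkgs-unstable}/nixos/modules/services/web-apps/sharkey.nix" ]` line pulls the module definition from the unstable flake input while the module is still evaluated against the stable `pkgs` argument, so any package defaults inside that upstream module presumably resolve against stable nixpkgs rather than the `pkgsUnstable` tree the package below comes from — confirm this against the upstream module. That coupling is why `pkgsUnstable` and `nixpkgs-unstable` both have to be threaded in, and the TODO should say so; I would extend the comment to `# The module comes from nixpkgs-unstable but is evaluated against stable pkgs; pass the package explicitly via vhack.sharkey.package (see below).` The `options.vhack.sharkey` set this hunk opens continues in the next hunk.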
@@ -24,254 +24,103 @@ in {
package = lib.mkOption {
type = lib.types.package;
- default = vhackPackages.sharkey;
+ default = pkgsUnstable.sharkey;
defaultText = lib.literalExpression "vhackPackages.sharkey";
description = "Sharkey package to use.";
};
- dataDirectory = lib.mkOption {
+ mediaDirectory = lib.mkOption {
type = lib.types.path;
default = "/var/lib/sharkey";
description = "The directory where sharkey stores it's data.";
-
- # This is already set in the package.
- readOnly = true;
- };
-
- database = {
- createLocally = lib.mkOption {
- description = "Whether to enable local db creation.";
- type = lib.types.bool;
- default = true;
- };
-
- host = lib.mkOption {
- type = lib.types.str;
- default = "127.0.0.1";
- description = "The database host.";
- };
-
- port = lib.mkOption {
- type = lib.types.port;
- default = 5432;
- description = "The database port.";
- };
-
- name = lib.mkOption {
- type = lib.types.str;
- default = "sharkey";
- description = "The database name in postgresql.";
- };
};
settings = lib.mkOption {
- inherit (settingsFormat) type;
+ inherit (pkgs.formats.yaml {}) type;
default = {};
description = ''
- Configuration for Sharkey, see
+ Extra Configuration for Sharkey, see
<link xlink:href="https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/.config/example.yml"/>
for supported settings.
+
+ Note, that this is applied on-top of the neccessary config.
'';
};
};
config = lib.mkIf cfg.enable {
- environment.systemPackages = [cfg.package];
-
- vhack = {
- nginx.enable = true;
+ services = {
+ sharkey = {
+ enable = true;
- sharkey.settings = {
- id = "aidx";
+ inherit (cfg) package;
+ openFirewall = false;
+ setupRedis = true;
+ setupPostgresql = true;
- url = "https://${cfg.fqdn}/";
- port = 5312;
+ settings =
+ cfg.settings
+ // {
+ url = "https://${cfg.fqdn}/";
+ port = 5312;
- db = {
- inherit (cfg.database) host port;
- db = cfg.database.name;
- user = cfg.database.name;
- pass = "sharkey-password";
- };
- redis = {
- path = config.services.redis.servers."sharkey".unixSocket;
- };
+ inherit (cfg) mediaDirectory;
+ fulltextSearch.provider = "sqlLike";
+ };
};
- persist.directories = [
- {
- directory = "${config.services.redis.servers."sharkey".settings.dir}";
- user = "sharkey";
- group = "redis-sharey";
- mode = "0770";
- }
- {
- directory = "${cfg.dataDirectory}";
- user = "sharkey";
- group = "sharkey";
- mode = "0770";
- }
- ];
- };
-
- services = {
nginx.virtualHosts."${cfg.fqdn}" = {
locations."/" = {
- proxyPass = "http://127.0.0.1:${toString cfg.settings.port}";
+ proxyPass = "http://127.0.0.1:${toString config.services.sharkey.settings.port}";
proxyWebsockets = true;
};
- # proxy_set_header Host $host;
- # proxy_http_version 1.1;
- # proxy_redirect off;
- #
- # # If it's behind another reverse proxy or CDN, remove the following.
- # proxy_set_header X-Real-IP $remote_addr;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # proxy_set_header X-Forwarded-Proto https;
- #
- # # For WebSocket
- # proxy_set_header Upgrade $http_upgrade;
- # proxy_set_header Connection $connection_upgrade;
- #
- # # Cache settings
- # proxy_cache cache1;
- # proxy_cache_lock on;
- # proxy_cache_use_stale updating;
- # proxy_force_ranges on;
- # add_header X-Cache $upstream_cache_status;
-
enableACME = true;
forceSSL = true;
};
-
- postgresql = lib.mkIf createDB {
- enable = true;
- settings.port = cfg.database.port;
- ensureUsers = [
- {
- inherit (cfg.database) name;
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [cfg.database.name];
- };
-
- redis = {
- servers."sharkey" = {
- enable = true;
-
- user = "sharkey";
-
- # Disable TCP listening. (We have a UNIX socket)
- port = 0;
- bind = null;
-
- settings = {
- protected-mode = true;
- enable-protected-configs = false;
- enable-debug-command = false;
- enable-module-command = false;
-
- supervised = "systemd";
- stop-writes-on-bgsave-error = true;
- sanitize-dump-payload = "clients";
- };
- };
- };
};
- systemd.services.postgresql.postStart = ''
- $PSQL -tAc "ALTER ROLE ${cfg.database.name} WITH ENCRYPTED PASSWORD 'sharkey-password';"
- '';
-
systemd.services.sharkey = {
- requires =
- [
- "redis-sharkey.service"
- "network-online.target"
- ]
- ++ lib.optionals createDB ["postgresql.service"];
-
- after =
- [
- "redis-sharkey.service"
- "network-online.target"
- ]
- ++ lib.optionals createDB ["postgresql.service"];
+ requires = ["network-online.target"];
- wantedBy = ["multi-user.target"];
-
- environment = {
- MISSKEY_CONFIG_YML = "${configFile}";
- NODE_ENV = "production";
- };
+ # TODO(@bpeetz): `postgresql.target` is only available in NixOS 25.11, as such we
+ # need to override this back to the postgresql.service. <2025-07-12>
+ after = lib.mkForce [
+ "network-online.target"
+ "postgresql.service"
+ "redis-sharkey.service"
+ ];
+ bindsTo = lib.mkForce [
+ "postgresql.service"
+ "redis-sharkey.service"
+ ];
serviceConfig = {
- Type = "simple";
-
- StateDirectory = "sharkey";
- StateDirectoryMode = "0700";
- CacheDirectory = "sharkey";
- RuntimeDirectory = "sharkey";
- RuntimeDirectoryMode = "0700";
- ExecStart = "${lib.getExe cfg.package} migrateandstart";
-
- TimeoutSec = 60;
- Restart = "no";
-
- StandardOutput = "journal";
- StandardError = "journal";
- SyslogIdentifier = "sharkey";
-
+ # The upstream service uses DynamicUsers, which currently poses issues to our
+ # directory persisting strategy.
User = "sharkey";
Group = "sharkey";
+ DynamicUser = lib.mkForce false;
+ };
+ };
- # Bind standard privileged ports
- AmbientCapabilities = [];
- CapabilityBoundingSet = [];
-
- ReadWritePaths = [
- "${cfg.dataDirectory}"
- ];
+ vhack = {
+ nginx.enable = true;
- # Hardening
- DeviceAllow = [""];
- LockPersonality = true;
- # Probably needed for v8's JIT (crashes with it on).
- MemoryDenyWriteExecute = false;
- PrivateDevices = true;
- PrivateUsers = true;
- # Sharkey needs access to the hosts CPUs
- ProcSubset = "all";
- PrivateTmp = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RestrictAddressFamilies = [
- "AF_UNIX" # Local communication unix(7)
- "AF_INET" # IPv4 Internet protocols ip(7)
- "AF_INET6" # IPv6 Internet protocols ipv6(7)
- # Needed for nodes `os.networkInterfaces()` function.
- "AF_NETLINK" # Kernel user interface device netlink(7)
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "@chown"
- "~@mount"
- ];
- UMask = "0077";
- };
+ persist.directories = [
+ {
+ directory = "${config.services.redis.servers."sharkey".settings.dir}";
+ user = "sharkey";
+ group = "redis-sharey";
+ mode = "0770";
+ }
+ {
+ directory = "${cfg.mediaDirectory}";
+ user = "sharkey";
+ group = "sharkey";
+ mode = "0700";
+ }
+ ];
};
users = {
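Review bot: `DynamicUser = lib.mkForce false` near the end of the hunk also discards the sandboxing that `DynamicUser=yes` implies (NoNewPrivileges, RemoveIPC, PrivateTmp, ProtectSystem=strict, ProtectHome, RestrictSUIDSGID), and the explicit hardening lines the old unit carried are deleted in this same hunk; unless the upstream nixpkgs unit states them on its own — which this diff does not show — the service now runs as a static user with no sandbox, so restating them with `lib.mkDefault` keeps the unit hardened without conflicting if upstream already sets them. Separately, `defaultText = lib.literalExpression "vhackPackages.sharkey"` no longer matches the new `pkgsUnstable.sharkey` default, and the `settings` description claims the user's values are applied on top of the necessary config while `cfg.settings // { … }` makes the fixed `url`/`port`/`mediaDirectory`/`fulltextSearch` keys win and silently discards user-supplied ones — the text should say those keys are overridden (and "neccessary"/"it's data" want fixing while there). The persist entry's `group = "redis-sharey"` looks like a typo for `redis-sharkey`; confirm it against the group the upstream redis setup actually creates. The `users = {` set on the last line continues outside the hunk.
```nix
      serviceConfig = {
        # The upstream service uses DynamicUsers, which currently poses issues to our
        # directory persisting strategy.
        User = "sharkey";
        Group = "sharkey";
        DynamicUser = lib.mkForce false;
        # DynamicUser=yes implied these; restate them now that it is off.
        # mkDefault lets an explicit upstream value win if it already sets them.
        NoNewPrivileges = lib.mkDefault true;
        RemoveIPC = lib.mkDefault true;
        PrivateTmp = lib.mkDefault true;
        ProtectSystem = lib.mkDefault "strict";
        ProtectHome = lib.mkDefault true;
        RestrictSUIDSGID = lib.mkDefault true;
      };
```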
diff --git a/pkgs/by-name/sh/sharkey/package.nix b/pkgs/by-name/sh/sharkey/package.nix
deleted file mode 100644
index a88b7df..0000000
--- a/pkgs/by-name/sh/sharkey/package.nix
+++ /dev/null
@@ -1,176 +0,0 @@
-# Source: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey/package.nix
-{
- lib,
- stdenv,
- fetchFromGitLab,
- # Build time
- makeWrapper,
- copyDesktopItems,
- jq,
- moreutils,
- cacert,
- python3,
- pkg-config,
- # Run time
- bash,
- jemalloc,
- ffmpeg-headless,
- nodejs,
- pnpm_9,
- glib,
- vips,
- pixman,
- pango,
- cairo,
-}:
-stdenv.mkDerivation (finalAttrs: {
- pname = "sharkey";
- version = "2025.2.3";
-
- src = fetchFromGitLab {
- owner = "TransFem-org";
- repo = "Sharkey";
- domain = "activitypub.software";
- rev = finalAttrs.version;
- hash = "sha256-VBfkJuoQzQ93sUmJNnr1JUjA2GQNgOIuX+j8nAz3bb4=";
- fetchSubmodules = true;
- };
-
- pnpmDeps = stdenv.mkDerivation {
- pname = "${finalAttrs.pname}-pnpm-deps";
- inherit (finalAttrs) src version;
-
- nativeBuildInputs = [
- jq
- moreutils
- pnpm_9
- cacert
- ];
-
- # https://github.com/NixOS/nixpkgs/blob/763e59ffedb5c25774387bf99bc725df5df82d10/pkgs/applications/misc/pot/default.nix#L56
- installPhase = ''
- export HOME=$(mktemp --directory)
-
- pnpm config set store-dir $out
- pnpm config set side-effects-cache false
- pnpm install --force --frozen-lockfile --ignore-scripts
- '';
-
- fixupPhase = ''
- rm --recursive --force $out/v3/tmp
- for f in $(find $out -name "*.json"); do
- sed --in-place --regexp-extended --expression='s/"checkedAt":[0-9]+,//g' "$f"
- jq --sort-keys . "$f" | sponge "$f"
- done
- '';
-
- dontBuild = true;
- outputHashMode = "recursive";
- outputHash = "sha256-ALstAaN8dr5qSnc/ly0hv+oaeKrYFQ3GhObYXOv4E6I=";
- };
-
- nativeBuildInputs = [
- copyDesktopItems
- pnpm_9
- nodejs
- makeWrapper
- python3
- pkg-config
- ];
-
- buildInputs = [
- glib
- vips
-
- pixman
- pango
- cairo
- ];
-
- configurePhase = ''
- runHook preConfigure
-
- export HOME=$(mktemp --directory)
- export STORE_PATH=$(mktemp --directory)
-
- export npm_config_nodedir=${nodejs}
-
- cp --no-target-directory --recursive "$pnpmDeps" "$STORE_PATH"
- chmod --recursive +w "$STORE_PATH"
-
- pnpm config set store-dir "$STORE_PATH"
- pnpm install --offline --frozen-lockfile --ignore-scripts
-
- (
- cd node_modules/.pnpm/node_modules/v-code-diff
- pnpm run postinstall
- )
- (
- cd node_modules/.pnpm/node_modules/re2
- pnpm run rebuild
- )
- (
- cd node_modules/.pnpm/node_modules/sharp
- pnpm run install
- )
- (
- cd node_modules/.pnpm/node_modules/canvas
- pnpm run install
- )
-
- runHook postConfigure
- '';
-
- buildPhase = ''
- runHook preBuild
-
- pnpm build
-
- runHook postBuild
- '';
-
- installPhase = let
- libPath = lib.makeLibraryPath [
- jemalloc
- ffmpeg-headless
- stdenv.cc.cc.lib
- ];
-
- binPath = lib.makeBinPath [
- bash
- pnpm_9
- nodejs
- ];
- in
- # bash
- ''
- runHook preInstall
-
- mkdir --parents $out/Sharkey
-
- ln --symbolic /var/lib/sharkey $out/Sharkey/files
- ln --symbolic /run/sharkey $out/Sharkey/.config
- cp --recursive * $out/Sharkey
-
- # We cannot `--set` the PATH, because sharkey runs shellscripts at start (and maybe
- # at other times), which need these things.
- makeWrapper ${lib.getExe pnpm_9} $out/bin/sharkey \
- --chdir $out/Sharkey \
- --prefix PATH : ${binPath} \
- --prefix LD_LIBRARY_PATH : ${libPath}
-
- runHook postInstall
- '';
-
- passthru = {
- inherit (finalAttrs) pnpmDeps;
- };
-
- meta = {
- description = "🌎 A Sharkish microblogging platform 🚀";
- homepage = "https://joinsharkey.org";
- license = lib.licenses.gpl3Only;
- platforms = ["x86_64-linux" "aarch64-linux"];
- mainProgram = "sharkey";
- };
-})
diff --git a/tests/by-name/sh/sharkey-cpu/test.nix b/tests/by-name/sh/sharkey-cpu/test.nix
index 438cfb3..6082806 100644
--- a/tests/by-name/sh/sharkey-cpu/test.nix
+++ b/tests/by-name/sh/sharkey-cpu/test.nix
@@ -38,7 +38,7 @@ nixos-lib.runTest {
};
systemd.services = {
# Avoid an error from this service.
- "acme-sharkey.server".serviceConfig.ExecStart = pkgs.lib.mkForce "${pkgs.lib.getExe' pkgs.coreutils "true"}";
+ "acme-sharkey.server".enable = false;
# Test that sharkey's hardening still allows access to the CPUs.
sharkey.serviceConfig.ExecStart = let