-rw-r--r--flake.lock30
-rw-r--r--modules/by-name/sh/sharkey/module.nix277
-rw-r--r--pkgs/by-name/sh/sharkey/package.nix176
-rw-r--r--tests/by-name/sh/sharkey-cpu/test.nix2
4 files changed, 79 insertions, 406 deletions
diff --git a/flake.lock b/flake.lock
index 0bde9a0..2e89df4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -141,11 +141,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751607816,
-        "narHash": "sha256-5PtrwjqCIJ4DKQhzYdm8RFePBuwb+yTzjV52wWoGSt4=",
+        "lastModified": 1752113600,
+        "narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "da6109c917b48abc1f76dd5c9bf3901c8c80f662",
+        "rev": "79264292b7e3482e5702932949de9cbb69fedf6d",
         "type": "github"
       },
       "original": {
@@ -292,11 +292,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1751675867,
-        "narHash": "sha256-RdbC7JPst1u7s6RKQYvGo6LVgaud+I91LUdDJLlZjZs=",
+        "lastModified": 1752244816,
+        "narHash": "sha256-xi2uQTCjKev5kzfhLFMrOoCPBYnePmvRWtpCVKP4o94=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bccdc925e1f2afd8597dca58df02577a3630047c",
+        "rev": "739c8f530a2c5e0b9eefc8019d201654264cb974",
         "type": "github"
       },
       "original": {
@@ -308,11 +308,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1751743520,
-        "narHash": "sha256-gk83D6+0KpugopnV6vrumpVHDrqESFjVr39O9u7NNy8=",
+        "lastModified": 1752298176,
+        "narHash": "sha256-wY7/8k5mJbljXxBUX1bDHFVUcMrWdrDT8FNDrcPwLbA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "833775e5731dcd1fd3eb0b61fa7ed2a4fafb4e3e",
+        "rev": "d3807bc34e7d086b4754e1c842505570e23f9d01",
         "type": "github"
       },
       "original": {
@@ -348,11 +348,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751769931,
-        "narHash": "sha256-QR2Rp/41NkA5YxcpvZEKD1S2QE1Pb9U415aK8M/4tJc=",
+        "lastModified": 1752288212,
+        "narHash": "sha256-f2PMqtf61mWAM11QoIfGv3hjD2AsJrij4FCzftepuaE=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "3ac4f630e375177ea8317e22f5c804156de177e8",
+        "rev": "678296525a4cce249c608749b171d0b2ceb8b2ff",
         "type": "github"
       },
       "original": {
@@ -412,11 +412,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750931469,
-        "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
+        "lastModified": 1752055615,
+        "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
+        "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9",
         "type": "github"
       },
       "original": {
diff --git a/modules/by-name/sh/sharkey/module.nix b/modules/by-name/sh/sharkey/module.nix
index 2b50cf0..d019bd3 100644
--- a/modules/by-name/sh/sharkey/module.nix
+++ b/modules/by-name/sh/sharkey/module.nix
@@ -1,18 +1,18 @@
-# Source: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey/module.nix
 {
   config,
   lib,
   pkgs,
-  vhackPackages,
+  pkgsUnstable,
+  nixpkgs-unstable,
   ...
 }: let
   cfg = config.vhack.sharkey;
-
-  createDB = cfg.database.host == "127.0.0.1" && cfg.database.createLocally;
-
-  settingsFormat = pkgs.formats.yaml {};
-  configFile = settingsFormat.generate "sharkey-config.yml" cfg.settings;
 in {
+  imports = [
+    # TODO(@bpeetz): Remove this import once we update to NixOS 25.11 <2025-07-12>
+    "${nixpkgs-unstable}/nixos/modules/services/web-apps/sharkey.nix"
+  ];
+
   options.vhack.sharkey = {
     enable = lib.mkEnableOption "sharkey";
 
@@ -24,254 +24,103 @@ in {
 
     package = lib.mkOption {
       type = lib.types.package;
-      default = vhackPackages.sharkey;
+      default = pkgsUnstable.sharkey;
       defaultText = lib.literalExpression "vhackPackages.sharkey";
       description = "Sharkey package to use.";
     };
 
-    dataDirectory = lib.mkOption {
+    mediaDirectory = lib.mkOption {
       type = lib.types.path;
       default = "/var/lib/sharkey";
       description = "The directory where sharkey stores it's data.";
-
-      # This is already set in the package.
-      readOnly = true;
-    };
-
-    database = {
-      createLocally = lib.mkOption {
-        description = "Whether to enable local db creation.";
-        type = lib.types.bool;
-        default = true;
-      };
-
-      host = lib.mkOption {
-        type = lib.types.str;
-        default = "127.0.0.1";
-        description = "The database host.";
-      };
-
-      port = lib.mkOption {
-        type = lib.types.port;
-        default = 5432;
-        description = "The database port.";
-      };
-
-      name = lib.mkOption {
-        type = lib.types.str;
-        default = "sharkey";
-        description = "The database name in postgresql.";
-      };
     };
 
     settings = lib.mkOption {
-      inherit (settingsFormat) type;
+      inherit (pkgs.formats.yaml {}) type;
       default = {};
       description = ''
-        Configuration for Sharkey, see
+        Extra Configuration for Sharkey, see
         <link xlink:href="https://activitypub.software/TransFem-org/Sharkey/-/blob/develop/.config/example.yml"/>
         for supported settings.
+
+        Note, that this is applied on-top of the neccessary config.
       '';
     };
   };
 
   config = lib.mkIf cfg.enable {
-    environment.systemPackages = [cfg.package];
-
-    vhack = {
-      nginx.enable = true;
+    services = {
+      sharkey = {
+        enable = true;
 
-      sharkey.settings = {
-        id = "aidx";
+        inherit (cfg) package;
+        openFirewall = false;
+        setupRedis = true;
+        setupPostgresql = true;
 
-        url = "https://${cfg.fqdn}/";
-        port = 5312;
+        settings =
+          cfg.settings
+          // {
+            url = "https://${cfg.fqdn}/";
+            port = 5312;
 
-        db = {
-          inherit (cfg.database) host port;
-          db = cfg.database.name;
-          user = cfg.database.name;
-          pass = "sharkey-password";
-        };
-        redis = {
-          path = config.services.redis.servers."sharkey".unixSocket;
-        };
+            inherit (cfg) mediaDirectory;
+            fulltextSearch.provider = "sqlLike";
+          };
       };
 
-      persist.directories = [
-        {
-          directory = "${config.services.redis.servers."sharkey".settings.dir}";
-          user = "sharkey";
-          group = "redis-sharey";
-          mode = "0770";
-        }
-        {
-          directory = "${cfg.dataDirectory}";
-          user = "sharkey";
-          group = "sharkey";
-          mode = "0770";
-        }
-      ];
-    };
-
-    services = {
       nginx.virtualHosts."${cfg.fqdn}" = {
         locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString cfg.settings.port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.sharkey.settings.port}";
           proxyWebsockets = true;
         };
 
-        # proxy_set_header Host $host;
-        # proxy_http_version 1.1;
-        # proxy_redirect off;
-        #
-        # # If it's behind another reverse proxy or CDN, remove the following.
-        # proxy_set_header X-Real-IP $remote_addr;
-        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        # proxy_set_header X-Forwarded-Proto https;
-        #
-        # # For WebSocket
-        # proxy_set_header Upgrade $http_upgrade;
-        # proxy_set_header Connection $connection_upgrade;
-        #
-        # # Cache settings
-        # proxy_cache cache1;
-        # proxy_cache_lock on;
-        # proxy_cache_use_stale updating;
-        # proxy_force_ranges on;
-        # add_header X-Cache $upstream_cache_status;
-
         enableACME = true;
         forceSSL = true;
       };
-
-      postgresql = lib.mkIf createDB {
-        enable = true;
-        settings.port = cfg.database.port;
-        ensureUsers = [
-          {
-            inherit (cfg.database) name;
-            ensureDBOwnership = true;
-          }
-        ];
-        ensureDatabases = [cfg.database.name];
-      };
-
-      redis = {
-        servers."sharkey" = {
-          enable = true;
-
-          user = "sharkey";
-
-          # Disable TCP listening. (We have a UNIX socket)
-          port = 0;
-          bind = null;
-
-          settings = {
-            protected-mode = true;
-            enable-protected-configs = false;
-            enable-debug-command = false;
-            enable-module-command = false;
-
-            supervised = "systemd";
-            stop-writes-on-bgsave-error = true;
-            sanitize-dump-payload = "clients";
-          };
-        };
-      };
     };
 
-    systemd.services.postgresql.postStart = ''
-      $PSQL -tAc "ALTER ROLE ${cfg.database.name} WITH ENCRYPTED PASSWORD 'sharkey-password';"
-    '';
-
     systemd.services.sharkey = {
-      requires =
-        [
-          "redis-sharkey.service"
-          "network-online.target"
-        ]
-        ++ lib.optionals createDB ["postgresql.service"];
-
-      after =
-        [
-          "redis-sharkey.service"
-          "network-online.target"
-        ]
-        ++ lib.optionals createDB ["postgresql.service"];
-
-      wantedBy = ["multi-user.target"];
-
-      environment = {
-        MISSKEY_CONFIG_YML = "${configFile}";
-        NODE_ENV = "production";
-      };
+      requires = ["network-online.target"];
+
+      # TODO(@bpeetz): `postgresql.target` is only available in NixOS 25.11, as such we
+      # need to override this back to the postgresql.service. <2025-07-12>
+      after = lib.mkForce [
+        "network-online.target"
+        "postgresql.service"
+        "redis-sharkey.service"
+      ];
+      bindsTo = lib.mkForce [
+        "postgresql.service"
+        "redis-sharkey.service"
+      ];
 
       serviceConfig = {
-        Type = "simple";
-
-        StateDirectory = "sharkey";
-        StateDirectoryMode = "0700";
-        CacheDirectory = "sharkey";
-        RuntimeDirectory = "sharkey";
-        RuntimeDirectoryMode = "0700";
-        ExecStart = "${lib.getExe cfg.package} migrateandstart";
-
-        TimeoutSec = 60;
-        Restart = "no";
-
-        StandardOutput = "journal";
-        StandardError = "journal";
-        SyslogIdentifier = "sharkey";
-
+        # The upstream service uses DynamicUsers, which currently poses issues to our
+        # directory persisting strategy.
         User = "sharkey";
         Group = "sharkey";
+        DynamicUser = lib.mkForce false;
+      };
+    };
 
-        # Bind standard privileged ports
-        AmbientCapabilities = [];
-        CapabilityBoundingSet = [];
-
-        ReadWritePaths = [
-          "${cfg.dataDirectory}"
-        ];
+    vhack = {
+      nginx.enable = true;
 
-        # Hardening
-        DeviceAllow = [""];
-        LockPersonality = true;
-        # Probably needed for v8's JIT (crashes with it on).
-        MemoryDenyWriteExecute = false;
-        PrivateDevices = true;
-        PrivateUsers = true;
-        # Sharkey needs access to the hosts CPUs
-        ProcSubset = "all";
-        PrivateTmp = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_UNIX" # Local communication                        unix(7)
-          "AF_INET" # IPv4 Internet protocols                    ip(7)
-          "AF_INET6" # IPv6 Internet protocols                   ipv6(7)
-          # Needed for nodes `os.networkInterfaces()` function.
-          "AF_NETLINK" # Kernel user interface device            netlink(7)
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "@chown"
-          "~@mount"
-        ];
-        UMask = "0077";
-      };
+      persist.directories = [
+        {
+          directory = "${config.services.redis.servers."sharkey".settings.dir}";
+          user = "sharkey";
+          group = "redis-sharey";
+          mode = "0770";
+        }
+        {
+          directory = "${cfg.mediaDirectory}";
+          user = "sharkey";
+          group = "sharkey";
+          mode = "0700";
+        }
+      ];
     };
 
     users = {
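Review bot: Forcing `DynamicUser = lib.mkForce false` in the `serviceConfig` override drops the hardening systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `RemoveIPC`, `NoNewPrivileges`, `RestrictSUIDSGID`) unless the imported upstream unit sets them explicitly, which is not visible here, and the previous module's explicit hardening block is removed in this hunk with nothing restating it. I would either confirm the upstream `services.sharkey` unit carries those settings or restate them next to the override, e.g. `ProtectSystem = "strict"; PrivateTmp = true; NoNewPrivileges = true;`, and have the sharkey-cpu test assert on them rather than only on CPU visibility. Separately, the persisted redis directory is given `group = "redis-sharey"`, which does not match the `redis-sharkey` unit name used in `bindsTo`/`after` above; if the real group is `redis-sharkey`, the typo hands a `0770` directory to a nonexistent group and the activation will fail or fall back unexpectedly. The `settings` option description says extra settings are "applied on-top of the neccessary config", but `cfg.settings // { url = …; port = …; }` gives the fixed keys precedence over the user's, so the sentence is inverted and should read "the required keys (url, port, mediaDirectory, fulltextSearch) override anything set here" (and "neccessary" is misspelled). The `defaultText` still reads `vhackPackages.sharkey` although the default is now `pkgsUnstable.sharkey`.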
diff --git a/pkgs/by-name/sh/sharkey/package.nix b/pkgs/by-name/sh/sharkey/package.nix
deleted file mode 100644
index a88b7df..0000000
--- a/pkgs/by-name/sh/sharkey/package.nix
+++ /dev/null
@@ -1,176 +0,0 @@
-# Source: https://github.com/sodiboo/system/blob/b63c7b27f49043e8701b3ff5e1441cd27d5a2fff/sharkey/package.nix
-{
-  lib,
-  stdenv,
-  fetchFromGitLab,
-  # Build time
-  makeWrapper,
-  copyDesktopItems,
-  jq,
-  moreutils,
-  cacert,
-  python3,
-  pkg-config,
-  # Run time
-  bash,
-  jemalloc,
-  ffmpeg-headless,
-  nodejs,
-  pnpm_9,
-  glib,
-  vips,
-  pixman,
-  pango,
-  cairo,
-}:
-stdenv.mkDerivation (finalAttrs: {
-  pname = "sharkey";
-  version = "2025.2.3";
-
-  src = fetchFromGitLab {
-    owner = "TransFem-org";
-    repo = "Sharkey";
-    domain = "activitypub.software";
-    rev = finalAttrs.version;
-    hash = "sha256-VBfkJuoQzQ93sUmJNnr1JUjA2GQNgOIuX+j8nAz3bb4=";
-    fetchSubmodules = true;
-  };
-
-  pnpmDeps = stdenv.mkDerivation {
-    pname = "${finalAttrs.pname}-pnpm-deps";
-    inherit (finalAttrs) src version;
-
-    nativeBuildInputs = [
-      jq
-      moreutils
-      pnpm_9
-      cacert
-    ];
-
-    # https://github.com/NixOS/nixpkgs/blob/763e59ffedb5c25774387bf99bc725df5df82d10/pkgs/applications/misc/pot/default.nix#L56
-    installPhase = ''
-      export HOME=$(mktemp --directory)
-
-      pnpm config set store-dir $out
-      pnpm config set side-effects-cache false
-      pnpm install --force --frozen-lockfile --ignore-scripts
-    '';
-
-    fixupPhase = ''
-      rm --recursive --force $out/v3/tmp
-      for f in $(find $out -name "*.json"); do
-        sed --in-place --regexp-extended --expression='s/"checkedAt":[0-9]+,//g' "$f"
-        jq --sort-keys . "$f" | sponge "$f"
-      done
-    '';
-
-    dontBuild = true;
-    outputHashMode = "recursive";
-    outputHash = "sha256-ALstAaN8dr5qSnc/ly0hv+oaeKrYFQ3GhObYXOv4E6I=";
-  };
-
-  nativeBuildInputs = [
-    copyDesktopItems
-    pnpm_9
-    nodejs
-    makeWrapper
-    python3
-    pkg-config
-  ];
-
-  buildInputs = [
-    glib
-    vips
-
-    pixman
-    pango
-    cairo
-  ];
-
-  configurePhase = ''
-    runHook preConfigure
-
-    export HOME=$(mktemp --directory)
-    export STORE_PATH=$(mktemp --directory)
-
-    export npm_config_nodedir=${nodejs}
-
-    cp --no-target-directory --recursive "$pnpmDeps" "$STORE_PATH"
-    chmod --recursive +w "$STORE_PATH"
-
-    pnpm config set store-dir "$STORE_PATH"
-    pnpm install --offline --frozen-lockfile --ignore-scripts
-
-    (
-      cd node_modules/.pnpm/node_modules/v-code-diff
-      pnpm run postinstall
-    )
-    (
-      cd node_modules/.pnpm/node_modules/re2
-      pnpm run rebuild
-    )
-    (
-      cd node_modules/.pnpm/node_modules/sharp
-      pnpm run install
-    )
-    (
-      cd node_modules/.pnpm/node_modules/canvas
-      pnpm run install
-    )
-
-    runHook postConfigure
-  '';
-
-  buildPhase = ''
-    runHook preBuild
-
-    pnpm build
-
-    runHook postBuild
-  '';
-
-  installPhase = let
-    libPath = lib.makeLibraryPath [
-      jemalloc
-      ffmpeg-headless
-      stdenv.cc.cc.lib
-    ];
-
-    binPath = lib.makeBinPath [
-      bash
-      pnpm_9
-      nodejs
-    ];
-  in
-    # bash
-    ''
-      runHook preInstall
-
-      mkdir --parents $out/Sharkey
-
-      ln --symbolic /var/lib/sharkey $out/Sharkey/files
-      ln --symbolic /run/sharkey $out/Sharkey/.config
-      cp --recursive * $out/Sharkey
-
-      # We cannot `--set` the PATH, because sharkey runs shellscripts at start (and maybe
-      # at other times), which need these things.
-      makeWrapper ${lib.getExe pnpm_9} $out/bin/sharkey \
-        --chdir $out/Sharkey \
-        --prefix PATH : ${binPath} \
-        --prefix LD_LIBRARY_PATH : ${libPath}
-
-      runHook postInstall
-    '';
-
-  passthru = {
-    inherit (finalAttrs) pnpmDeps;
-  };
-
-  meta = {
-    description = "🌎 A Sharkish microblogging platform 🚀";
-    homepage = "https://joinsharkey.org";
-    license = lib.licenses.gpl3Only;
-    platforms = ["x86_64-linux" "aarch64-linux"];
-    mainProgram = "sharkey";
-  };
-})
diff --git a/tests/by-name/sh/sharkey-cpu/test.nix b/tests/by-name/sh/sharkey-cpu/test.nix
index 438cfb3..6082806 100644
--- a/tests/by-name/sh/sharkey-cpu/test.nix
+++ b/tests/by-name/sh/sharkey-cpu/test.nix
@@ -38,7 +38,7 @@ nixos-lib.runTest {
       };
       systemd.services = {
         # Avoid an error from this service.
-        "acme-sharkey.server".serviceConfig.ExecStart = pkgs.lib.mkForce "${pkgs.lib.getExe' pkgs.coreutils "true"}";
+        "acme-sharkey.server".enable = false;
 
         # Test that sharkey's hardening still allows access to the CPUs.
         sharkey.serviceConfig.ExecStart = let