Merge pull request #30 from archtika/devel

Update flake and use remote Nix module from nixpkgs
2025-11-22 02:41:35 +01:00 · 2025-03-09 17:37:05 +01:00
parent 33acb2578c f85a7b3023
commit 09f1b1c533
8 changed files with 18 additions and 324 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1735471104,
+        "lastModified": 1741379970,
-        "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=",
+        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4",
+        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -38,7 +38,7 @@
          web = pkgs.mkShell {
            packages = with pkgs; [ nodejs ];
            shellHook = ''
-              export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
+              export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright.browsers}
              export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
            '';
          };
--- a/nix/deploy/prod/default.nix
+++ b/nix/deploy/prod/default.nix
@@ -8,7 +8,6 @@ in
  imports = [
    ./hardware-configuration.nix
    ../shared.nix
    ../../module.nix
  ];
  networking.hostName = "archtika-demo";
--- a/nix/deploy/qs/default.nix
+++ b/nix/deploy/qs/default.nix
@@ -6,7 +6,6 @@ in
  imports = [
    ./hardware-configuration.nix
    ../shared.nix
    ../../module.nix
  ];
  networking.hostName = "archtika-qs";
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -1,304 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    mkEnableOption
    mkOption
    mkIf
    mkPackageOption
    types
    ;
  cfg = config.services.archtika;
 in
 {
  options.services.archtika = {
    enable = mkEnableOption "Whether to enable the archtika service";
    package = mkPackageOption pkgs "archtika" { };
    user = mkOption {
      type = types.str;
      default = "archtika";
      description = "User account under which archtika runs.";
    };
    group = mkOption {
      type = types.str;
      default = "archtika";
      description = "Group under which archtika runs.";
    };
    databaseName = mkOption {
      type = types.str;
      default = "archtika";
      description = "Name of the PostgreSQL database for archtika.";
    };
    apiPort = mkOption {
      type = types.port;
      default = 5000;
      description = "Port on which the API runs.";
    };
    apiAdminPort = mkOption {
      type = types.port;
      default = 7500;
      description = "Port on which the API admin server runs.";
    };
    webAppPort = mkOption {
      type = types.port;
      default = 10000;
      description = "Port on which the web application runs.";
    };
    domain = mkOption {
      type = types.str;
      description = "Domain to use for the application.";
    };
    settings = mkOption {
      description = "Settings for the running archtika application.";
      type = types.submodule {
        options = {
          disableRegistration = mkOption {
            type = types.bool;
            default = false;
            description = "By default any user can create an account. That behavior can be disabled with this option.";
          };
          maxUserWebsites = mkOption {
            type = types.ints.positive;
            default = 2;
            description = "Maximum number of websites allowed per user by default.";
          };
          maxWebsiteStorageSize = mkOption {
            type = types.ints.positive;
            default = 50;
            description = "Maximum amount of disk space in MB allowed per user website by default.";
          };
        };
      };
    };
  };
  config = mkIf cfg.enable (
    let
      baseHardenedSystemdOptions = {
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
        ];
        ReadWritePaths = [ "/var/www/archtika-websites" ];
      };
    in
    {
      users.users.${cfg.user} = {
        isSystemUser = true;
        group = cfg.group;
      };
      users.groups.${cfg.group} = {
        members = [
          "nginx"
          "postgres"
        ];
      };
      systemd.tmpfiles.settings."10-archtika" = {
        "/var/www" = {
          d = {
            mode = "0755";
            user = "root";
            group = "root";
          };
        };
        "/var/www/archtika-websites" = {
          d = {
            mode = "0770";
            user = cfg.user;
            group = cfg.group;
          };
        };
      };
      systemd.services.archtika-api = {
        description = "archtika API service";
        wantedBy = [ "multi-user.target" ];
        after = [
          "network.target"
          "postgresql.service"
        ];
        path = [ config.services.postgresql.package ];
        serviceConfig = baseHardenedSystemdOptions // {
          User = cfg.user;
          Group = cfg.group;
          Restart = "always";
          WorkingDirectory = "${cfg.package}/rest-api";
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
            "AF_UNIX"
          ];
        };
        script =
          let
            dbUrl = user: "postgres://${user}@/${cfg.databaseName}?host=/var/run/postgresql";
          in
          ''
            JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
            psql ${dbUrl "postgres"} \
              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" \
              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \
              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"
            ${lib.getExe pkgs.dbmate} --url "${dbUrl "postgres"}&sslmode=disable" --migrations-dir ${cfg.package}/rest-api/db/migrations up
            PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \
            PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \
            PGRST_SERVER_PORT=${toString cfg.apiPort} \
            PGRST_DB_SCHEMAS="api" \
            PGRST_DB_ANON_ROLE="anon" \
            PGRST_OPENAPI_MODE="ignore-privileges" \
            PGRST_DB_URI=${dbUrl "authenticator"} \
            PGRST_JWT_SECRET="$JWT_SECRET" \
            ${lib.getExe pkgs.postgrest}
          '';
      };
      systemd.services.archtika-web = {
        description = "archtika Web App service";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = baseHardenedSystemdOptions // {
          User = cfg.user;
          Group = cfg.group;
          Restart = "always";
          WorkingDirectory = "${cfg.package}/web-app";
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
        };
        environment = {
          REGISTRATION_IS_DISABLED = toString cfg.settings.disableRegistration;
          BODY_SIZE_LIMIT = "10M";
          ORIGIN = "https://${cfg.domain}";
          PORT = toString cfg.webAppPort;
        };
        script = "${lib.getExe pkgs.nodejs} ${cfg.package}/web-app";
      };
      services.postgresql = {
        enable = true;
        ensureDatabases = [ cfg.databaseName ];
        extensions = ps: with ps; [ pgjwt ];
        authentication = lib.mkOverride 11 ''
          local all all trust
        '';
      };
      systemd.services.postgresql = {
        path = with pkgs; [
          gnutar
          gzip
        ];
        serviceConfig = {
          ReadWritePaths = [ "/var/www/archtika-websites" ];
          SystemCallFilter = [ "@system-service" ];
        };
      };
      services.nginx = {
        enable = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        recommendedZstdSettings = true;
        recommendedOptimisation = true;
        appendHttpConfig = ''
          map $http_cookie $archtika_auth_header {
            default "";
            "~*session_token=([^;]+)" "Bearer $1";
          }
        '';
        virtualHosts = {
          "${cfg.domain}" = {
            useACMEHost = cfg.domain;
            forceSSL = true;
            locations = {
              "/" = {
                proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}";
              };
              "/previews/" = {
                alias = "/var/www/archtika-websites/previews/";
                index = "index.html";
                tryFiles = "$uri $uri/ $uri.html =404";
              };
              "/api/rpc/export_articles_zip" = {
                proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/rpc/export_articles_zip";
                extraConfig = ''
                  default_type application/json;
                  proxy_set_header Authorization $archtika_auth_header;
                '';
              };
              "/api/" = {
                proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/";
                extraConfig = ''
                  default_type application/json;
                '';
              };
              "/api/rpc/register" = mkIf cfg.settings.disableRegistration {
                extraConfig = ''
                  deny all;
                '';
              };
            };
          };
          "~^(?<subdomain>.+)\\.${cfg.domain}$" = {
            useACMEHost = cfg.domain;
            forceSSL = true;
            locations = {
              "/" = {
                root = "/var/www/archtika-websites/$subdomain";
                index = "index.html";
                tryFiles = "$uri $uri/ $uri.html =404";
              };
            };
          };
        };
      };
    }
  );
 }
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -10,7 +10,7 @@ let
  web = buildNpmPackage {
    name = "web-app";
    src = ../web-app;
-    npmDepsHash = "sha256-RTyo7K/Hr1hBGtcBKynrziUInl91JqZl84NkJg16ufA=";
+    npmDepsHash = "sha256-VC5aoKqbH/Z7CTeYI6ERjW2o4a/qb0HPACLDdJaGIx0=";
    npmFlags = [ "--legacy-peer-deps" ];
    installPhase = ''
      mkdir -p $out/web-app
--- a/web-app/package-lock.json
+++ b/web-app/package-lock.json
@@ -15,7 +15,7 @@
        "marked-highlight": "2.1.4"
      },
      "devDependencies": {
-        "@playwright/test": "1.47.0",
+        "@playwright/test": "1.50.1",
        "@sveltejs/adapter-auto": "3.2.5",
        "@sveltejs/adapter-node": "5.2.3",
        "@sveltejs/kit": "2.5.28",
@@ -768,13 +768,13 @@
      }
    },
    "node_modules/@playwright/test": {
-      "version": "1.47.0",
+      "version": "1.50.1",
-      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.47.0.tgz",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.50.1.tgz",
-      "integrity": "sha512-SgAdlSwYVpToI4e/IH19IHHWvoijAYH5hu2MWSXptRypLSnzj51PcGD+rsOXFayde4P9ZLi+loXVwArg6IUkCA==",
+      "integrity": "sha512-Jii3aBg+CEDpgnuDxEp/h7BimHcUTDlpEtce89xEumlJ5ef2hqepZ+PWp1DDpYC/VO9fmWVI1IlEaoI5fK9FXQ==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
-        "playwright": "1.47.0"
+        "playwright": "1.50.1"
      },
      "bin": {
        "playwright": "cli.js"
@@ -3674,13 +3674,13 @@
      }
    },
    "node_modules/playwright": {
-      "version": "1.47.0",
+      "version": "1.50.1",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.47.0.tgz",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.50.1.tgz",
-      "integrity": "sha512-jOWiRq2pdNAX/mwLiwFYnPHpEZ4rM+fRSQpRHwEwZlP2PUANvL3+aJOF/bvISMhFD30rqMxUB4RJx9aQbfh4Ww==",
+      "integrity": "sha512-G8rwsOQJ63XG6BbKj2w5rHeavFjy5zynBA9zsJMMtBoe/Uf757oG12NXz6e6OirF7RCrTVAKFXbLmn1RbL7Qaw==",
      "dev": true,
      "license": "Apache-2.0",
      "dependencies": {
-        "playwright-core": "1.47.0"
+        "playwright-core": "1.50.1"
      },
      "bin": {
        "playwright": "cli.js"
@@ -3693,9 +3693,9 @@
      }
    },
    "node_modules/playwright-core": {
-      "version": "1.47.0",
+      "version": "1.50.1",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.47.0.tgz",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.50.1.tgz",
-      "integrity": "sha512-1DyHT8OqkcfCkYUD9zzUTfg7EfTd+6a8MkD/NWOvjo0u/SCNd5YmY/lJwFvUZOxJbWNds+ei7ic2+R/cRz/PDg==",
+      "integrity": "sha512-ra9fsNWayuYumt+NiM069M6OkcRb1FZSK8bgi66AtpFoWkg2+y0bJSNmkFrWhMbEBbVKC/EruAHH3g0zmtwGmQ==",
      "dev": true,
      "license": "Apache-2.0",
      "bin": {
--- a/web-app/package.json
+++ b/web-app/package.json
@@ -14,7 +14,7 @@
    "gents": "pg-to-ts generate -c postgres://postgres@127.0.0.1:15432/archtika -o src/lib/db-schema.ts -s internal --datesAsStrings"
  },
  "devDependencies": {
-    "@playwright/test": "1.47.0",
+    "@playwright/test": "1.50.1",
    "@sveltejs/adapter-auto": "3.2.5",
    "@sveltejs/adapter-node": "5.2.3",
    "@sveltejs/kit": "2.5.28",