diff --git a/modules/servers/shiori.nix b/modules/servers/shiori.nix
index c3564ab..4c74325 100644
--- a/modules/servers/shiori.nix
+++ b/modules/servers/shiori.nix
@@ -4,12 +4,13 @@ options.my.servers.shiori.enable = lib.mkEnableOption "enable";
 config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) {
+ sops.secrets.shiori.sopsFile = ../../secrets/env.yaml;
 services = {
 shiori = {
 enable = true;
 port = 4368;
 package = pkgs.callPackage ../../pkgs/shiori/shiori.nix { };
- httpSecretKey = "password";
+ environmentFile = config.sops.secrets.shiori.path;
 databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}";
 };
 nginx = {
diff --git a/pkgs/shiori/shiori-service.nix b/pkgs/shiori/shiori-service.nix
index 47c2ae6..208b543 100644
--- a/pkgs/shiori/shiori-service.nix
+++ b/pkgs/shiori/shiori-service.nix
@@ -1,16 +1,15 @@
 { config, lib, pkgs, ... }:
-with lib;
 let cfg = config.services.shiori; in {
 options = {
 services.shiori = {
- enable = mkEnableOption "Shiori simple bookmarks manager";
+ enable = lib.mkEnableOption "Shiori simple bookmarks manager";
- package = mkPackageOption pkgs "shiori" { };
+ package = lib.mkPackageOption pkgs "shiori" { };
- address = mkOption {
- type = types.str;
+ address = lib.mkOption {
+ type = lib.types.str;
 default = "";
 description = ''
 The IP address on which Shiori will listen.
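Review bot: `environmentFile = config.sops.secrets.shiori.path;` hands the sops secret to systemd's `EnvironmentFile=`, so the decrypted `shiori` entry in `secrets/env.yaml` has to be in env-file syntax — a `SHIORI_HTTP_SECRET_KEY=<value>` line — rather than the bare key the removed `httpSecretKey` option took, and the service module no longer sets that variable itself, so nothing in this file records the contract. A comment above the assignment would do it: `# env-file format; must define SHIORI_HTTP_SECRET_KEY, otherwise sessions are invalidated on every restart`. Since `EnvironmentFile=` is read by the service manager before the unit switches to its `DynamicUser`, the root-owned, non-world-readable file sops presumably creates should work as-is; if the unit fails to read it, that is worth checking before relaxing the secret's mode.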
@@ -18,53 +17,55 @@ in {
 '';
 };
- port = mkOption {
- type = types.port;
+ port = lib.mkOption {
+ type = lib.types.port;
 default = 8080;
 description = "The port of the Shiori web application";
 };
- webRoot = mkOption {
- type = types.str;
+ webRoot = lib.mkOption {
+ type = lib.types.str;
 default = "/";
 example = "/shiori";
 description = "The root of the Shiori web application";
 };
- httpSecretKey = mkOption {
- type = types.str;
- example = "SuperSecretPassword";
- description =
- "When empty all sessions will be invalidated on server restart";
+ environmentFile = lib.mkOption {
+ type = lib.types.null or lib.types.path;
+ default = null;
+ example = "/path/to/environmentFile";
+ description = ''
+ Path to file containing environment variables.
+ Useful for passing down secrets.
+
+ '';
 };
- databaseUrl = mkOption {
- type = types.str;
- default = "";
+ databaseUrl = lib.mkOption {
+ type = lib.types.null or lib.types.str;
+ default = null;
 example = "postgresql:///shiori?host=/run/postgresql";
 description = "The connection URL to connect to MySQL or PostgreSQL";
 };
 };
 };
- config = mkIf cfg.enable {
- systemd.services.shiori = with cfg; {
+ config = lib.mkIf cfg.enable {
+ systemd.services.shiori = {
 description = "Shiori simple bookmarks manager";
 wantedBy = [ "multi-user.target" ];
-
+ after = [ "postgresql.service" "mysql.service" ];
 environment = {
 SHIORI_DIR = "/var/lib/shiori";
- } // lib.optionalAttrs (cfg.databaseUrl != "") {
+ } // lib.optionalAttrs (cfg.databaseUrl != null) {
 SHIORI_DATABASE_URL = cfg.databaseUrl;
- } // lib.optionalAttrs (cfg.httpSecretKey != "") {
- SHIORI_HTTP_SECRET_KEY = cfg.httpSecretKey;
 };
 serviceConfig = {
 ExecStart =
- "${package}/bin/shiori server --address '${address}' --port '${
- toString port
- }' --webroot '${webRoot}'";
+ "${cfg.package}/bin/shiori server --address '${cfg.address}' --port '${
+ toString cfg.port
+ }' --webroot '${cfg.webRoot}'";
 DynamicUser = true;
 StateDirectory = "shiori";
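Review bot: `type = lib.types.null or lib.types.path;` (and `lib.types.null or lib.types.str` on `databaseUrl`) does not declare a union type: in Nix `or` is the attribute-default operator, so the expression yields `lib.types.null` if such an attribute exists and otherwise silently falls back to plain `path`/`str`, and the new `default = null` would then, as far as I can tell, fail the module system's type check. The intended declarations are `type = lib.types.nullOr lib.types.path;` and `type = lib.types.nullOr lib.types.str;`. The `environmentFile` description also ends with a stray blank line before `'';` and, now that the module no longer sets `SHIORI_HTTP_SECRET_KEY`, should say what the file is expected to hold, e.g. `Systemd EnvironmentFile (KEY=value lines); set SHIORI_HTTP_SECRET_KEY here so sessions survive restarts.`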
@@ -72,16 +73,17 @@ in {
 RuntimeDirectory = "shiori";
 # Security options
-
+ EnvironmentFile =
+ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
 BindReadOnlyPaths = [
 "/nix/store"
 # For SSL certificates, and the resolv.conf
 "/etc"
- ] ++ lib.optional (lib.strings.hasInfix "postgres" cfg.databaseUrl)
- "/run/postgresql"
- ++ lib.optional (lib.strings.hasInfix "mysql" cfg.databaseUrl)
- "/var/run/mysqld";
+ ] ++ lib.optional (lib.strings.hasInfix "postgres" cfg.databaseUrl
+ && config.services.postgresql.enable) "/run/postgresql"
+ ++ lib.optional (lib.strings.hasInfix "mysql" cfg.databaseUrl
+ && config.services.mysql.enable) "/var/run/mysqld";
 CapabilityBoundingSet = "";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
@@ -126,5 +128,5 @@ in {
 };
 };
- meta.maintainers = with maintainers; [ minijackson CaptainJawZ ];
+ meta.maintainers = with lib.maintainers; [ minijackson CaptainJawZ ];
 }
diff --git a/pkgs/shiori/shiori.nix b/pkgs/shiori/shiori.nix
index 51239ad..bd6a222 100644
--- a/pkgs/shiori/shiori.nix
+++ b/pkgs/shiori/shiori.nix
@@ -1,10 +1,10 @@
-{ lib, buildGoModule, fetchFromGitHub, nixosTests }:
+{ lib, buildGoModule, fetchFromGitHub, nixosTests, installShellFiles }:
 buildGoModule rec {
 pname = "shiori";
- version = "1.6.2";
+ version = "1.7.0";
- vendorHash = "sha256-LLiBRsh9HsadeHQh4Yvops1r2GfjtvQKt5ZelQnPGdI=";
+ vendorHash = "sha256-fakRqgoEcdzw9WZuubaxfGfvVrMvb8gV/IwPikMnfRQ=";
 doCheck = false;
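Review bot: `lib.strings.hasInfix "postgres" cfg.databaseUrl` in the rebuilt `BindReadOnlyPaths` is still evaluated when `databaseUrl` keeps its new default of `null` (the `environment` block in the previous hunk already switched its guard to `!= null`), and `hasInfix` coerces its second argument to a string, so enabling the service without a database URL presumably fails evaluation instead of simply starting without `SHIORI_DATABASE_URL`. Guard both branches on the null case before the infix test; placing the check first short-circuits the `hasInfix` call. The enclosing `serviceConfig` attribute set continues outside the hunk.
```nix
          BindReadOnlyPaths = [
            # … unchanged: "/nix/store", "/etc" …
          ] ++ lib.optional (cfg.databaseUrl != null
            && lib.strings.hasInfix "postgres" cfg.databaseUrl
            && config.services.postgresql.enable) "/run/postgresql"
            ++ lib.optional (cfg.databaseUrl != null
            && lib.strings.hasInfix "mysql" cfg.databaseUrl
            && config.services.mysql.enable) "/var/run/mysqld";
```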
@@ -12,17 +12,24 @@ buildGoModule rec {
 owner = "go-shiori";
 repo = pname;
 rev = "v${version}";
- sha256 = "sha256-1ZZpQXlAHs5MTowCv3sWS3L7X5FTnU/b4trvHPiz+uE=";
+ sha256 = "sha256-5+hTtvBnj3Nh5HitReVkLift9LTiMYVuuYx5EirN0SA=";
 };
- passthru.tests = {
- smoke-test = nixosTests.shiori;
- };
+ nativeBuildInputs = [ installShellFiles ];
+ postInstall = ''
+ installShellCompletion --cmd shiori \
+ --bash <($out/bin/shiori completion bash) \
+ --fish <($out/bin/shiori completion fish) \
+ --zsh <($out/bin/shiori completion zsh)
+ '';
+
+ # passthru.tests.smoke-test = nixosTests.shiori; # test broken
 meta = with lib; {
 description = "Simple bookmark manager built with Go";
+ mainProgram = "shiori";
 homepage = "https://github.com/go-shiori/shiori";
 license = licenses.mit;
- maintainers = with maintainers; [ minijackson ];
+ maintainers = with maintainers; [ minijackson CaptainJawZ ];
 };
 }
diff --git a/secrets/env.yaml b/secrets/env.yaml
index 217b389..32968c9 100644
--- a/secrets/env.yaml
+++ b/secrets/env.yaml
@@ -1,3 +1,4 @@
+shiori: ENC[AES256_GCM,data:tV7+1GusZvcli8dM86xOD71dc2mzcyfQwMeTh//LDb0=,iv:ED9wR6QjQgwd9Ll/UC5FK3CyYK3b0RniC/D6Y0nGEOI=,tag:X/aopMc2vhnRW2iTphFflQ==,type:str]
 flame: ENC[AES256_GCM,data:XsYRsA2xs+juWje2Od2Yl2xIvU0OS8xMrtwtcK/0NyyRrg==,iv:FR8lHsNQNCaOy4P+7BsIjNCz+H38i5RlwLYQ4fpB2+w=,tag:61EV7H04pcr1bSX4nSvlpw==,type:str]
 ryot: ENC[AES256_GCM,data:Vlo6pv2+LuQxvdprI53BoQpngRfUWhqE07o+9ZKLZiaJBC6FCdFbeu37mo7QqGUJ34bHDP87PGU2IDPC69XURbVLy3QpgSqKiQlM56XoXr4Yz+B4MGVkVr384r5bQ6eMoSpIJ25UgMotuYWNgdyixKS+Nu/+pGLtVS/YtQ==,iv:YZs3zAlHuK9fz0OGAX9vQxoaYbzojwXpY++LwIxF6Ig=,tag:t2n8F1ll2ZN44AYDOjmhLQ==,type:str]
 mealie: ENC[AES256_GCM,data:RjKqDs70lWhGN0LXPp3feQfW/WtfJlR6vX++0hwGtqcA3iepEh2Ab/36YRKbsVRBkglp0u18MusTmP0LSHUpzgCn/c/5ZzzRLGL83K3aQRlg8JtdTvzvEnLQSdE=,iv:GEfa8LwpOhkqWtLk0I5F14zkHcnFjVhVaHeLSFlDkN4=,tag:lkGcFn91hVxraMHCKF7rXQ==,type:str]
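Review bot: `# passthru.tests.smoke-test = nixosTests.shiori; # test broken` disables the package's only test without recording what fails, and leaves `nixosTests` as an unused argument in the function header. Either drop the argument, or keep the line with a tracked note such as `# TODO: re-enable once nixosTests.shiori passes against 1.7.0 (fails with: <reason>)` so the next bump has something to check against. The new `postInstall` also runs the freshly built `$out/bin/shiori` to generate completions, which only works when the build platform can execute host binaries; if cross builds matter, wrap it in `lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform)`, which needs `stdenv` added to the input set.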
@@ -46,8 +47,8 @@ sops:
 QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-25T07:00:26Z"
- mac: ENC[AES256_GCM,data:P7jAExu1yUpZejZ7E5XBGoxax8B17QjHzYcwiNjduTv5qi+8bsRVXcwp2LQOkR0kBW2RZMiTTWgMwfNuBL7BKigyuvuFvqQeatRUqCofVFDIaYzm7LZRNOu4+wsjpEV5Zjxhlzv4qWPxB/iaobQSCEp9Ii/T3/TUkP++xSS5M8Q=,iv:GGOrnxOuBKkeR9nUXBTJlDdeNP8My83PRtl7Pdxazt0=,tag:EeoYLrF2yDC8yquiQbYUzA==,type:str]
+ lastmodified: "2024-06-29T21:28:08Z"
+ mac: ENC[AES256_GCM,data:uVxwOOVOSeBsiVLXbOGo4cudGoJjn7yVYvWW7WZqPRu5FO32LA1rbZObN0RT4Y8OWFdv297rewTiC3KiGIPAZav91yiwlrXX/koEa4OhwQfkKiPNyPvmJ6e2h+M3gck75wbt1sbT8qnMtsHUjkfNZQiInC5hJyikalTusILke8w=,iv:IhOvHRYgkYP0BEZ60f66/nLU1x8Qk/YwZiNbcXDFOeQ=,tag:gcqBy9HxaX1W7osQHyNzOA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 63e233a..d2d9ffe 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,6 +1,7 @@
 jawz-password: ENC[AES256_GCM,data:j5qya2z9bDESQopcBpLBktyBvIuplbq3Ql4TovdAF1BIJHcf4CAjFuCStW0axFEOST6bgJwhcZZvK4rWUyoS47eaFDp2lkiQnQ==,iv:GNEA8v0NR+PGe4yvlm4V6tTJD5NmlswRPH7JnQJUyLk=,tag:dpxDK88cAJSk+XdFF2mDww==,type:str]
 smtp-password: ENC[AES256_GCM,data:KAIn6lp6JXY39SgMPGP3tQ==,iv:Mgmo9bLT3iIGXw6THqJO6+IuPV65VXo1+vE3PrmS44Y=,tag:8urcnZtccaPJSOuHiZAp5A==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:g0bnifEbMykPBVwMF14EhT/RWGsnEzJ6sXXmxSJ6kIVDeRr8XVRbFzusxlxAOOlseVwPT6e4Ad8=,iv:Gy0LwUNCw8gnqlwk91qguSEeufIJDtaqNNLX1vZp7vA=,tag:y8H42B1rue0X7/4nG/Whsw==,type:str]
+firefly-iii-keyfile: ENC[AES256_GCM,data:HTifd3/5apa9f0RiOh33aRRoVkRskgo/2FV9S01wQSEmKFLg2M9gNNFm6gv2/WCQvNc1,iv:4yLIQQkfqhLixQtAOsbQePNlKOrU2p6Dqw9aLPDoJrM=,tag:uSbAMCy4FWRMU+QhExAE2w==,type:str]
 resilio:
 host: ENC[AES256_GCM,data:iITbrqpJSdM52A==,iv:8sahhsUA9iIXNlJYKAkakllQDbYVOsGuwBulK9FyvTU=,tag:zKKHwrEFUkl3Fcd0RJcIjw==,type:str]
 user: ENC[AES256_GCM,data:31s2ihj2cN9C5Lyr2w==,iv:2MzKiRoDosawbeQ04LUKbfbSVFUUD6uUYynB6B0WNWw=,tag:GR0lXvLZAPof6WE3Verimg==,type:str]
@@ -48,8 +49,8 @@ sops:
 RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
 QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-25T00:47:48Z"
- mac: ENC[AES256_GCM,data:410HyLmJ4FhCp6pFqAG9Mf7cwIQdalsh6bZ5feAu8P1vcJrTLefZskWIbjD6aQNKucDjS5CMPJd/7oP8wyc2XHKRqFO9CLSJ7wi6OmNaw/qevQxy4PSj5w44gd5/OI5aE2nN+X1R03PYSYEIs5SImwHBxN/fYR+WprAsbO1Ygrw=,iv:fgG5i3+rNtN4YzIL97+6cHP4cL2xXf0pgfsYbetGE2g=,tag:qu7vzzDnhDpW1dwu8TYCXg==,type:str]
+ lastmodified: "2024-06-29T21:27:25Z"
+ mac: ENC[AES256_GCM,data:ZmUuxDXxfr6eJcjoC0F2A/JnU+/33jWXjCRWvkWZfduxFayF8bRZNOLgTzXeV//TGNEY38ba/VsTDqOiu0YWRFE7VaQd8xk9uKmzeCi8Djv2fI+TAwXUorrZJ2bUJQ/WCCm7hOQ2OEE1c7icr6YsPTtYC652Itm10FF4PrF+VpI=,iv:vKC/B0cfODXMZ1l2wA0iUaxwZgDwjKPVBekmc/6lSvU=,tag:tE3dmwDjtEEBTPtNM01JQA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1