commit 84d7ec6875a450471b5daa93254183ac4651e922 · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2511.section.md

···

       90
        
       

     

       91
        
       - [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).

     

       92
        
       

     

       0
        
       
     

       0
        
       
     

       93
        
       - [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).

     

       94
        
       

     

       95
        
       - [dwl](https://codeberg.org/dwl/dwl), a compact, hackable compositor for Wayland based on wlroots. Available as [programs.dwl](#opt-programs.dwl.enable).

···

       90
        
       

     

       91
        
       - [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).

     

       92
        
       

     

       93
       +
       - [ente](https://github.com/ente-io/ente), a service that provides a fully open source, end-to-end encrypted platform for photos and videos. Available as [services.ente.api](#opt-services.ente.api.enable) and  [services.ente.web](#opt-services.ente.web.enable).

     

       94
       +
       

     

       95
        
       - [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).

     

       96
        
       

     

       97
        
       - [dwl](https://codeberg.org/dwl/dwl), a compact, hackable compositor for Wayland based on wlroots. Available as [programs.dwl](#opt-programs.dwl.enable).

nixos/modules/module-list.nix

···

       1574
        
         ./services/web-apps/echoip.nix

     

       1575
        
         ./services/web-apps/eintopf.nix

     

       1576
        
         ./services/web-apps/engelsystem.nix

     

       0
        
       
     

       1577
        
         ./services/web-apps/ethercalc.nix

     

       1578
        
         ./services/web-apps/fediwall.nix

     

       1579
        
         ./services/web-apps/fider.nix

···

       1574
        
         ./services/web-apps/echoip.nix

     

       1575
        
         ./services/web-apps/eintopf.nix

     

       1576
        
         ./services/web-apps/engelsystem.nix

     

       1577
       +
         ./services/web-apps/ente.nix

     

       1578
        
         ./services/web-apps/ethercalc.nix

     

       1579
        
         ./services/web-apps/fediwall.nix

     

       1580
        
         ./services/web-apps/fider.nix

+178

nixos/modules/services/web-apps/ente.md

···

       1
       +
       # Ente.io {#module-services-ente}

     

       2
       +
       

     

       3
       +
       [Ente](https://ente.io/) is a service that provides a fully open source,

     

       4
       +
       end-to-end encrypted platform for photos and videos.

     

       5
       +
       

     

       6
       +
       ## Quickstart {#module-services-ente-quickstart}

     

       7
       +
       

     

       8
       +
       To host ente, you need the following things:

     

       9
       +
       - S3 storage server (either external or self-hosted like [minio](https://github.com/minio/minio))

     

       10
       +
       - Several subdomains pointing to your server:

     

       11
       +
         - accounts.example.com

     

       12
       +
         - albums.example.com

     

       13
       +
         - api.example.com

     

       14
       +
         - cast.example.com

     

       15
       +
         - photos.example.com

     

       16
       +
         - s3.example.com

     

       17
       +
       

     

       18
       +
       The following example shows how to setup ente with a self-hosted S3 storage via minio.

     

       19
       +
       You can host the minio s3 storage on the same server as ente, but as this isn't

     

       20
       +
       a requirement the example shows the minio and ente setup separately.

     

       21
       +
       We assume that the minio server will be reachable at `https://s3.example.com`.

     

       22
       +
       

     

       23
       +
       ```nix

     

       24
       +
       {

     

       25
       +
         services.minio = {

     

       26
       +
           enable = true;

     

       27
       +
           # ente's config must match this region!

     

       28
       +
           region = "us-east-1";

     

       29
       +
           # Please use a file, agenix or sops-nix to securely store your root user password!

     

       30
       +
           # MINIO_ROOT_USER=your_root_user

     

       31
       +
           # MINIO_ROOT_PASSWORD=a_randomly_generated_long_password

     

       32
       +
           rootCredentialsFile = "/run/secrets/minio-credentials-full";

     

       33
       +
         };

     

       34
       +
       

     

       35
       +
         systemd.services.minio.environment.MINIO_SERVER_URL = "https://s3.example.com";

     

       36
       +
       

     

       37
       +
         # Proxy for minio

     

       38
       +
         networking.firewall.allowedTCPPorts = [

     

       39
       +
           80

     

       40
       +
           443

     

       41
       +
         ];

     

       42
       +
         services.nginx = {

     

       43
       +
           recommendedProxySettings = true;

     

       44
       +
           virtualHosts."s3.example.com" = {

     

       45
       +
             forceSSL = true;

     

       46
       +
             useACME = true;

     

       47
       +
             locations."/".proxyPass = "http://localhost:9000";

     

       48
       +
             # determine max file upload size

     

       49
       +
             extraConfig = ''

     

       50
       +
               client_max_body_size 16G;

     

       51
       +
               proxy_buffering off;

     

       52
       +
               proxy_request_buffering off;

     

       53
       +
             '';

     

       54
       +
           };

     

       55
       +
         };

     

       56
       +
       }

     

       57
       +
       ```

     

       58
       +
       

     

       59
       +
       And the configuration for ente:

     

       60
       +
       

     

       61
       +
       ```nix

     

       62
       +
       {

     

       63
       +
         services.ente = {

     

       64
       +
           web = {

     

       65
       +
             enable = true;

     

       66
       +
             domains = {

     

       67
       +
               accounts = "accounts.example.com";

     

       68
       +
               albums = "albums.example.com";

     

       69
       +
               cast = "cast.example.com";

     

       70
       +
               photos = "photos.example.com";

     

       71
       +
             };

     

       72
       +
           };

     

       73
       +
           api = {

     

       74
       +
             enable = true;

     

       75
       +
             nginx.enable = true;

     

       76
       +
             # Create a local postgres database and set the necessary config in ente

     

       77
       +
             enableLocalDB = true;

     

       78
       +
             domain = "api.example.com";

     

       79
       +
             # You can hide secrets by setting xyz._secret = file instead of xyz = value.

     

       80
       +
             # Make sure to not include any of the secrets used here directly

     

       81
       +
             # in your config. They would be publicly readable in the nix store.

     

       82
       +
             # Use agenix, sops-nix or an equivalent secret management solution.

     

       83
       +
             settings = {

     

       84
       +
               s3 = {

     

       85
       +
                 use_path_style_urls = true;

     

       86
       +
                 b2-eu-cen = {

     

       87
       +
                   endpoint = "https://s3.example.com";

     

       88
       +
                   region = "us-east-1";

     

       89
       +
                   bucket = "ente";

     

       90
       +
                   key._secret = pkgs.writeText "minio_user" "minio_user";

     

       91
       +
                   secret._secret = pkgs.writeText "minio_pw" "minio_pw";

     

       92
       +
                 };

     

       93
       +
               };

     

       94
       +
               key = {

     

       95
       +
                 # generate with: openssl rand -base64 32

     

       96
       +
                 encryption._secret = pkgs.writeText "encryption" "T0sn+zUVFOApdX4jJL4op6BtqqAfyQLH95fu8ASWfno=";

     

       97
       +
                 # generate with: openssl rand -base64 64

     

       98
       +
                 hash._secret = pkgs.writeText "hash" "g/dBZBs1zi9SXQ0EKr4RCt1TGr7ZCKkgrpjyjrQEKovWPu5/ce8dYM6YvMIPL23MMZToVuuG+Z6SGxxTbxg5NQ==";

     

       99
       +
               };

     

       100
       +
               # generate with: openssl rand -base64 32

     

       101
       +
               jwt.secret._secret = pkgs.writeText "jwt" "i2DecQmfGreG6q1vBj5tCokhlN41gcfS2cjOs9Po-u8=";

     

       102
       +
             };

     

       103
       +
           };

     

       104
       +
         };

     

       105
       +
       

     

       106
       +
         networking.firewall.allowedTCPPorts = [

     

       107
       +
           80

     

       108
       +
           443

     

       109
       +
         ];

     

       110
       +
         services.nginx = {

     

       111
       +
           recommendedProxySettings = true; # This is important!

     

       112
       +
           virtualHosts."accounts.${domain}".enableACME = true;

     

       113
       +
           virtualHosts."albums.${domain}".enableACME = true;

     

       114
       +
           virtualHosts."api.${domain}".enableACME = true;

     

       115
       +
           virtualHosts."cast.${domain}".enableACME = true;

     

       116
       +
           virtualHosts."photos.${domain}".enableACME = true;

     

       117
       +
         };

     

       118
       +
       }

     

       119
       +
       ```

     

       120
       +
       

     

       121
       +
       If you have a mail server or smtp relay, you can optionally configure

     

       122
       +
       `services.ente.api.settings.smtp` so ente can send you emails (registration code and possibly

     

       123
       +
       other events). This is optional.

     

       124
       +
       

     

       125
       +
       After starting the minio server, make sure the bucket exists:

     

       126
       +
       

     

       127
       +
       ```

     

       128
       +
       mc alias set minio https://s3.example.com root_user root_password --api s3v4

     

       129
       +
       mc mb -p minio/ente

     

       130
       +
       ```

     

       131
       +
       

     

       132
       +
       Now ente should be ready to go under `https://photos.example.com`.

     

       133
       +
       

     

       134
       +
       ## Registering users {#module-services-ente-registering-users}

     

       135
       +
       

     

       136
       +
       Now you can open photos.example.com and register your user(s).

     

       137
       +
       Beware that the first created account will be considered to be the admin account,

     

       138
       +
       which among some other things allows you to use `ente-cli` to increase storage limits for any user.

     

       139
       +
       

     

       140
       +
       If you have configured smtp, you will get a mail with a verification code,

     

       141
       +
       otherwise you can find the code in the server logs.

     

       142
       +
       

     

       143
       +
       ```

     

       144
       +
       journalctl -eu ente

     

       145
       +
       [...]

     

       146
       +
       ente # [  157.145165] ente[982]: INFO[0141]email.go:130 sendViaTransmail Skipping sending email to a@a.a: Verification code: 134033

     

       147
       +
       ```

     

       148
       +
       

     

       149
       +
       After you have registered your users, you can set

     

       150
       +
       `settings.internal.disable-registration = true;` to prevent

     

       151
       +
       further signups.

     

       152
       +
       

     

       153
       +
       ## Increasing storage limit {#module-services-ente-increasing-storage-limit}

     

       154
       +
       

     

       155
       +
       By default, all users will be on the free plan which is the only plan

     

       156
       +
       available. While adding new plans is possible in theory, it requires some

     

       157
       +
       manual database operations which isn't worthwhile. Instead, use `ente-cli`

     

       158
       +
       with your admin user to modify the storage limit.

     

       159
       +
       

     

       160
       +
       ## iOS background sync

     

       161
       +
       

     

       162
       +
       On iOS, background sync is achived via a silent notification sent by the server

     

       163
       +
       every 30 minutes that allows the phone to sync for about 30 seconds, enough for

     

       164
       +
       all but the largest videos to be synced on background (if the app is brought to

     

       165
       +
       foreground though, sync will resume as normal). To achive this however, a

     

       166
       +
       Firebase account is needed. In the settings option, configure credentials-dir

     

       167
       +
       to point towards the directory where the JSON containing the Firebase

     

       168
       +
       credentials are stored.

     

       169
       +
       

     

       170
       +
       ```nix

     

       171
       +
       {

     

       172
       +
         # This directory should contain your fcm-service-account.json file

     

       173
       +
         services.ente.api.settings = {

     

       174
       +
           credentials-dir = "/path/to/credentials";

     

       175
       +
           # [...]

     

       176
       +
         };

     

       177
       +
       }

     

       178
       +
       ```

+363

nixos/modules/services/web-apps/ente.nix

···

       1
       +
       {

     

       2
       +
         config,

     

       3
       +
         lib,

     

       4
       +
         pkgs,

     

       5
       +
         utils,

     

       6
       +
         ...

     

       7
       +
       }:

     

       8
       +
       let

     

       9
       +
         inherit (lib)

     

       10
       +
           getExe

     

       11
       +
           mkDefault

     

       12
       +
           mkEnableOption

     

       13
       +
           mkIf

     

       14
       +
           mkMerge

     

       15
       +
           mkOption

     

       16
       +
           mkPackageOption

     

       17
       +
           optional

     

       18
       +
           types

     

       19
       +
           ;

     

       20
       +
       

     

       21
       +
         cfgApi = config.services.ente.api;

     

       22
       +
         cfgWeb = config.services.ente.web;

     

       23
       +
       

     

       24
       +
         webPackage =

     

       25
       +
           enteApp:

     

       26
       +
           cfgWeb.package.override {

     

       27
       +
             inherit enteApp;

     

       28
       +
             enteMainUrl = "https://${cfgWeb.domains.photos}";

     

       29
       +
             extraBuildEnv = {

     

       30
       +
               NEXT_PUBLIC_ENTE_ENDPOINT = "https://${cfgWeb.domains.api}";

     

       31
       +
               NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT = "https://${cfgWeb.domains.albums}";

     

       32
       +
               NEXT_TELEMETRY_DISABLED = "1";

     

       33
       +
             };

     

       34
       +
           };

     

       35
       +
       

     

       36
       +
         defaultUser = "ente";

     

       37
       +
         defaultGroup = "ente";

     

       38
       +
         dataDir = "/var/lib/ente";

     

       39
       +
       

     

       40
       +
         yamlFormat = pkgs.formats.yaml { };

     

       41
       +
       in

     

       42
       +
       {

     

       43
       +
         options.services.ente = {

     

       44
       +
           web = {

     

       45
       +
             enable = mkEnableOption "Ente web frontend (Photos, Albums)";

     

       46
       +
             package = mkPackageOption pkgs "ente-web" { };

     

       47
       +
       

     

       48
       +
             domains = {

     

       49
       +
               api = mkOption {

     

       50
       +
                 type = types.str;

     

       51
       +
                 example = "api.ente.example.com";

     

       52
       +
                 description = ''

     

       53
       +
                   The domain under which the api is served. This will NOT serve the api itself,

     

       54
       +
                   but is a required setting to host the frontends! This will automatically be set

     

       55
       +
                   for you if you enable both the api server and web frontends.

     

       56
       +
                 '';

     

       57
       +
               };

     

       58
       +
       

     

       59
       +
               accounts = mkOption {

     

       60
       +
                 type = types.str;

     

       61
       +
                 example = "accounts.ente.example.com";

     

       62
       +
                 description = "The domain under which the accounts frontend will be served.";

     

       63
       +
               };

     

       64
       +
       

     

       65
       +
               cast = mkOption {

     

       66
       +
                 type = types.str;

     

       67
       +
                 example = "cast.ente.example.com";

     

       68
       +
                 description = "The domain under which the cast frontend will be served.";

     

       69
       +
               };

     

       70
       +
       

     

       71
       +
               albums = mkOption {

     

       72
       +
                 type = types.str;

     

       73
       +
                 example = "albums.ente.example.com";

     

       74
       +
                 description = "The domain under which the albums frontend will be served.";

     

       75
       +
               };

     

       76
       +
       

     

       77
       +
               photos = mkOption {

     

       78
       +
                 type = types.str;

     

       79
       +
                 example = "photos.ente.example.com";

     

       80
       +
                 description = "The domain under which the photos frontend will be served.";

     

       81
       +
               };

     

       82
       +
             };

     

       83
       +
           };

     

       84
       +
       

     

       85
       +
           api = {

     

       86
       +
             enable = mkEnableOption "Museum (API server for ente.io)";

     

       87
       +
             package = mkPackageOption pkgs "museum" { };

     

       88
       +
             nginx.enable = mkEnableOption "nginx proxy for the API server";

     

       89
       +
       

     

       90
       +
             user = mkOption {

     

       91
       +
               type = types.str;

     

       92
       +
               default = defaultUser;

     

       93
       +
               description = "User under which museum runs. If you set this option you must make sure the user exists.";

     

       94
       +
             };

     

       95
       +
       

     

       96
       +
             group = mkOption {

     

       97
       +
               type = types.str;

     

       98
       +
               default = defaultGroup;

     

       99
       +
               description = "Group under which museum runs. If you set this option you must make sure the group exists.";

     

       100
       +
             };

     

       101
       +
       

     

       102
       +
             domain = mkOption {

     

       103
       +
               type = types.str;

     

       104
       +
               example = "api.ente.example.com";

     

       105
       +
               description = "The domain under which the api will be served.";

     

       106
       +
             };

     

       107
       +
       

     

       108
       +
             enableLocalDB = mkEnableOption "the automatic creation of a local postgres database for museum.";

     

       109
       +
       

     

       110
       +
             settings = mkOption {

     

       111
       +
               description = ''

     

       112
       +
                 Museum yaml configuration. Refer to upstream [local.yaml](https://github.com/ente-io/ente/blob/main/server/configurations/local.yaml) for more information.

     

       113
       +
                 You can specify secret values in this configuration by setting `somevalue._secret = "/path/to/file"` instead of setting `somevalue` directly.

     

       114
       +
               '';

     

       115
       +
               default = { };

     

       116
       +
               type = types.submodule {

     

       117
       +
                 freeformType = yamlFormat.type;

     

       118
       +
                 options = {

     

       119
       +
                   apps = {

     

       120
       +
                     public-albums = mkOption {

     

       121
       +
                       type = types.str;

     

       122
       +
                       default = "https://albums.ente.io";

     

       123
       +
                       description = ''

     

       124
       +
                         If you're running a self hosted instance and wish to serve public links,

     

       125
       +
                         set this to the URL where your albums web app is running.

     

       126
       +
                       '';

     

       127
       +
                     };

     

       128
       +
       

     

       129
       +
                     cast = mkOption {

     

       130
       +
                       type = types.str;

     

       131
       +
                       default = "https://cast.ente.io";

     

       132
       +
                       description = ''

     

       133
       +
                         Set this to the URL where your cast page is running.

     

       134
       +
                         This is for browser and chromecast casting support.

     

       135
       +
                       '';

     

       136
       +
                     };

     

       137
       +
       

     

       138
       +
                     accounts = mkOption {

     

       139
       +
                       type = types.str;

     

       140
       +
                       default = "https://accounts.ente.io";

     

       141
       +
                       description = ''

     

       142
       +
                         Set this to the URL where your accounts page is running.

     

       143
       +
                         This is primarily for passkey support.

     

       144
       +
                       '';

     

       145
       +
                     };

     

       146
       +
                   };

     

       147
       +
       

     

       148
       +
                   db = {

     

       149
       +
                     host = mkOption {

     

       150
       +
                       type = types.str;

     

       151
       +
                       description = "The database host";

     

       152
       +
                     };

     

       153
       +
       

     

       154
       +
                     port = mkOption {

     

       155
       +
                       type = types.port;

     

       156
       +
                       default = 5432;

     

       157
       +
                       description = "The database port";

     

       158
       +
                     };

     

       159
       +
       

     

       160
       +
                     name = mkOption {

     

       161
       +
                       type = types.str;

     

       162
       +
                       description = "The database name";

     

       163
       +
                     };

     

       164
       +
       

     

       165
       +
                     user = mkOption {

     

       166
       +
                       type = types.str;

     

       167
       +
                       description = "The database user";

     

       168
       +
                     };

     

       169
       +
                   };

     

       170
       +
                 };

     

       171
       +
               };

     

       172
       +
             };

     

       173
       +
           };

     

       174
       +
         };

     

       175
       +
       

     

       176
       +
         config = mkMerge [

     

       177
       +
           (mkIf cfgApi.enable {

     

       178
       +
             services.postgresql = mkIf cfgApi.enableLocalDB {

     

       179
       +
               enable = true;

     

       180
       +
               ensureUsers = [

     

       181
       +
                 {

     

       182
       +
                   name = "ente";

     

       183
       +
                   ensureDBOwnership = true;

     

       184
       +
                 }

     

       185
       +
               ];

     

       186
       +
               ensureDatabases = [ "ente" ];

     

       187
       +
             };

     

       188
       +
       

     

       189
       +
             services.ente.web.domains.api = mkIf cfgWeb.enable cfgApi.domain;

     

       190
       +
             services.ente.api.settings = {

     

       191
       +
               # This will cause logs to be written to stdout/err, which then end up in the journal

     

       192
       +
               log-file = mkDefault "";

     

       193
       +
               db = mkIf cfgApi.enableLocalDB {

     

       194
       +
                 host = "/run/postgresql";

     

       195
       +
                 port = 5432;

     

       196
       +
                 name = "ente";

     

       197
       +
                 user = "ente";

     

       198
       +
               };

     

       199
       +
             };

     

       200
       +
       

     

       201
       +
             systemd.services.ente = {

     

       202
       +
               description = "Ente.io Museum API Server";

     

       203
       +
               after = [ "network.target" ] ++ optional cfgApi.enableLocalDB "postgresql.service";

     

       204
       +
               requires = optional cfgApi.enableLocalDB "postgresql.service";

     

       205
       +
               wantedBy = [ "multi-user.target" ];

     

       206
       +
       

     

       207
       +
               preStart = ''

     

       208
       +
                 # Generate config including secret values. YAML is a superset of JSON, so we can use this here.

     

       209
       +
                 ${utils.genJqSecretsReplacementSnippet cfgApi.settings "/run/ente/local.yaml"}

     

       210
       +
       

     

       211
       +
                 # Setup paths

     

       212
       +
                 mkdir -p ${dataDir}/configurations

     

       213
       +
                 ln -sTf /run/ente/local.yaml ${dataDir}/configurations/local.yaml

     

       214
       +
               '';

     

       215
       +
       

     

       216
       +
               serviceConfig = {

     

       217
       +
                 ExecStart = getExe cfgApi.package;

     

       218
       +
                 Type = "simple";

     

       219
       +
                 Restart = "on-failure";

     

       220
       +
       

     

       221
       +
                 AmbientCapablities = [ ];

     

       222
       +
                 CapabilityBoundingSet = [ ];

     

       223
       +
                 LockPersonality = true;

     

       224
       +
                 MemoryDenyWriteExecute = true;

     

       225
       +
                 NoNewPrivileges = true;

     

       226
       +
                 PrivateMounts = true;

     

       227
       +
                 PrivateTmp = true;

     

       228
       +
                 PrivateUsers = false;

     

       229
       +
                 ProcSubset = "pid";

     

       230
       +
                 ProtectClock = true;

     

       231
       +
                 ProtectControlGroups = true;

     

       232
       +
                 ProtectHome = true;

     

       233
       +
                 ProtectHostname = true;

     

       234
       +
                 ProtectKernelLogs = true;

     

       235
       +
                 ProtectKernelModules = true;

     

       236
       +
                 ProtectKernelTunables = true;

     

       237
       +
                 ProtectProc = "invisible";

     

       238
       +
                 ProtectSystem = "strict";

     

       239
       +
                 RestrictAddressFamilies = [

     

       240
       +
                   "AF_INET"

     

       241
       +
                   "AF_INET6"

     

       242
       +
                   "AF_NETLINK"

     

       243
       +
                   "AF_UNIX"

     

       244
       +
                 ];

     

       245
       +
                 RestrictNamespaces = true;

     

       246
       +
                 RestrictRealtime = true;

     

       247
       +
                 RestrictSUIDSGID = true;

     

       248
       +
                 SystemCallArchitectures = "native";

     

       249
       +
                 SystemCallFilter = "@system-service";

     

       250
       +
                 UMask = "077";

     

       251
       +
       

     

       252
       +
                 BindReadOnlyPaths = [

     

       253
       +
                   "${cfgApi.package}/share/museum/migrations:${dataDir}/migrations"

     

       254
       +
                   "${cfgApi.package}/share/museum/mail-templates:${dataDir}/mail-templates"

     

       255
       +
                   "${cfgApi.package}/share/museum/web-templates:${dataDir}/web-templates"

     

       256
       +
                 ];

     

       257
       +
       

     

       258
       +
                 User = cfgApi.user;

     

       259
       +
                 Group = cfgApi.group;

     

       260
       +
       

     

       261
       +
                 SyslogIdentifier = "ente";

     

       262
       +
                 StateDirectory = "ente";

     

       263
       +
                 WorkingDirectory = dataDir;

     

       264
       +
                 RuntimeDirectory = "ente";

     

       265
       +
               };

     

       266
       +
       

     

       267
       +
               # Environment MUST be called local, otherwise we cannot log to stdout

     

       268
       +
               environment = {

     

       269
       +
                 ENVIRONMENT = "local";

     

       270
       +
                 GIN_MODE = "release";

     

       271
       +
               };

     

       272
       +
             };

     

       273
       +
       

     

       274
       +
             users = {

     

       275
       +
               users = mkIf (cfgApi.user == defaultUser) {

     

       276
       +
                 ${defaultUser} = {

     

       277
       +
                   description = "ente.io museum service user";

     

       278
       +
                   inherit (cfgApi) group;

     

       279
       +
                   isSystemUser = true;

     

       280
       +
                   home = dataDir;

     

       281
       +
                 };

     

       282
       +
               };

     

       283
       +
               groups = mkIf (cfgApi.group == defaultGroup) { ${defaultGroup} = { }; };

     

       284
       +
             };

     

       285
       +
       

     

       286
       +
             services.nginx = mkIf cfgApi.nginx.enable {

     

       287
       +
               enable = true;

     

       288
       +
               upstreams.museum = {

     

       289
       +
                 servers."localhost:8080" = { };

     

       290
       +
                 extraConfig = ''

     

       291
       +
                   zone museum 64k;

     

       292
       +
                   keepalive 20;

     

       293
       +
                 '';

     

       294
       +
               };

     

       295
       +
       

     

       296
       +
               virtualHosts.${cfgApi.domain} = {

     

       297
       +
                 forceSSL = mkDefault true;

     

       298
       +
                 locations."/".proxyPass = "http://museum";

     

       299
       +
                 extraConfig = ''

     

       300
       +
                   client_max_body_size 4M;

     

       301
       +
                 '';

     

       302
       +
               };

     

       303
       +
             };

     

       304
       +
           })

     

       305
       +
           (mkIf cfgWeb.enable {

     

       306
       +
             services.ente.api.settings = mkIf cfgApi.enable {

     

       307
       +
               apps = {

     

       308
       +
                 accounts = "https://${cfgWeb.domains.accounts}";

     

       309
       +
                 cast = "https://${cfgWeb.domains.cast}";

     

       310
       +
                 public-albums = "https://${cfgWeb.domains.albums}";

     

       311
       +
               };

     

       312
       +
       

     

       313
       +
               webauthn = {

     

       314
       +
                 rpid = cfgWeb.domains.accounts;

     

       315
       +
                 rporigins = [ "https://${cfgWeb.domains.accounts}" ];

     

       316
       +
               };

     

       317
       +
             };

     

       318
       +
       

     

       319
       +
             services.nginx =

     

       320
       +
               let

     

       321
       +
                 domainFor = app: cfgWeb.domains.${app};

     

       322
       +
               in

     

       323
       +
               {

     

       324
       +
                 enable = true;

     

       325
       +
                 virtualHosts.${domainFor "accounts"} = {

     

       326
       +
                   forceSSL = mkDefault true;

     

       327
       +
                   locations."/" = {

     

       328
       +
                     root = webPackage "accounts";

     

       329
       +
                     tryFiles = "$uri $uri.html /index.html";

     

       330
       +
                     extraConfig = ''

     

       331
       +
                       add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';

     

       332
       +
                     '';

     

       333
       +
                   };

     

       334
       +
                 };

     

       335
       +
                 virtualHosts.${domainFor "cast"} = {

     

       336
       +
                   forceSSL = mkDefault true;

     

       337
       +
                   locations."/" = {

     

       338
       +
                     root = webPackage "cast";

     

       339
       +
                     tryFiles = "$uri $uri.html /index.html";

     

       340
       +
                     extraConfig = ''

     

       341
       +
                       add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';

     

       342
       +
                     '';

     

       343
       +
                   };

     

       344
       +
                 };

     

       345
       +
                 virtualHosts.${domainFor "photos"} = {

     

       346
       +
                   serverAliases = [

     

       347
       +
                     (domainFor "albums") # the albums app is shared with the photos frontend

     

       348
       +
                   ];

     

       349
       +
                   forceSSL = mkDefault true;

     

       350
       +
                   locations."/" = {

     

       351
       +
                     root = webPackage "photos";

     

       352
       +
                     tryFiles = "$uri $uri.html /index.html";

     

       353
       +
                     extraConfig = ''

     

       354
       +
                       add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';

     

       355
       +
                     '';

     

       356
       +
                   };

     

       357
       +
                 };

     

       358
       +
               };

     

       359
       +
           })

     

       360
       +
         ];

     

       361
       +
       

     

       362
       +
         meta.maintainers = with lib.maintainers; [ oddlama ];

     

       363
       +
       }

nixos/tests/all-tests.nix

···

       482
        
         endlessh-go = runTest ./endlessh-go.nix;

     

       483
        
         engelsystem = runTest ./engelsystem.nix;

     

       484
        
         enlightenment = runTest ./enlightenment.nix;

     

       0
        
       
     

       485
        
         env = runTest ./env.nix;

     

       486
        
         envfs = runTest ./envfs.nix;

     

       487
        
         envoy = runTest {

···

       482
        
         endlessh-go = runTest ./endlessh-go.nix;

     

       483
        
         engelsystem = runTest ./engelsystem.nix;

     

       484
        
         enlightenment = runTest ./enlightenment.nix;

     

       485
       +
         ente = runTest ./ente;

     

       486
        
         env = runTest ./env.nix;

     

       487
        
         envfs = runTest ./envfs.nix;

     

       488
        
         envoy = runTest {

+15

nixos/tests/ente/acme.test.cert.pem

···

       1
       +
       -----BEGIN CERTIFICATE-----

     

       2
       +
       MIICRDCCAcqgAwIBAgIIBx6YLUwhT34wCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV

     

       3
       +
       bWluaWNhIHJvb3QgY2EgNjRhYWY2MB4XDTI1MDUxMzA4NTMyMVoXDTQ1MDUxMzA4

     

       4
       +
       NTMyMVowFDESMBAGA1UEAxMJYWNtZS50ZXN0MHYwEAYHKoZIzj0CAQYFK4EEACID

     

       5
       +
       YgAEcuBBV1FZ9s6D3Iz3+K07BwtcSqDOmk5WGsuL/owdeIQkT5OhqdZ+0v4TA6V3

     

       6
       +
       HLb9fyaEeZ6cG8vX4fMy6wIMi1E38o1cfiTYLjS9mU/GVN+eTsnYdUS8g7uz8p0e

     

       7
       +
       C0X2o4HcMIHZMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI

     

       8
       +
       KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBTNdPze2U/U7/72ULml

     

       9
       +
       V/K/73d2xTB5BgNVHREEcjBwgglhY21lLnRlc3SCEmFjY291bnRzLmFjbWUudGVz

     

       10
       +
       dIIQYWxidW1zLmFjbWUudGVzdIINYXBpLmFjbWUudGVzdIIOY2FzdC5hY21lLnRl

     

       11
       +
       c3SCEHBob3Rvcy5hY21lLnRlc3SCDHMzLmFjbWUudGVzdDAKBggqhkjOPQQDAwNo

     

       12
       +
       ADBlAjB9Eao+y/Wzy+mMw4e4P2OidFxDFv8o1jDlCN5mvXBQrlAoSKVwgkpreKsd

     

       13
       +
       R/3iaacCMQC7CS3XKJVRbOtI6CjVHs7SV9fwCqJ6EaLcUjeNcigxcSRKGfG1ntl+

     

       14
       +
       bt0LubZZd+c=

     

       15
       +
       -----END CERTIFICATE-----

nixos/tests/ente/acme.test.key.pem

···

       1
       +
       -----BEGIN PRIVATE KEY-----

     

       2
       +
       MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDB631W2iczyfu4h/4f/

     

       3
       +
       721JKAsYRAnxLV7oYSUv9rFC+z8CPC7T74Lzmoccr0mR72WhZANiAARy4EFXUVn2

     

       4
       +
       zoPcjPf4rTsHC1xKoM6aTlYay4v+jB14hCRPk6Gp1n7S/hMDpXcctv1/JoR5npwb

     

       5
       +
       y9fh8zLrAgyLUTfyjVx+JNguNL2ZT8ZU355Oydh1RLyDu7PynR4LRfY=

     

       6
       +
       -----END PRIVATE KEY-----

+13

nixos/tests/ente/ca.cert.pem

···

       1
       +
       -----BEGIN CERTIFICATE-----

     

       2
       +
       MIIB/DCCAYKgAwIBAgIIZKr2ScoFkWAwCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV

     

       3
       +
       bWluaWNhIHJvb3QgY2EgNjRhYWY2MCAXDTI1MDUxMzA4NTMyMVoYDzIxMjUwNTEz

     

       4
       +
       MDg1MzIxWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA2NGFhZjYwdjAQBgcq

     

       5
       +
       hkjOPQIBBgUrgQQAIgNiAAST7GqqY2N7XW9SDHXkNOhbLMaIBTtdCpmu4AAEjRzS

     

       6
       +
       /KozwcGfWf98GyMJ+t8bFg9f0mCbWrl1TVhIb3eV7k7oadJYvBNljIBnnkKgmw1b

     

       7
       +
       nzIE0qbzcRWmz0m5ReFNkGCjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQW

     

       8
       +
       MBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud

     

       9
       +
       DgQWBBTNdPze2U/U7/72ULmlV/K/73d2xTAfBgNVHSMEGDAWgBTNdPze2U/U7/72

     

       10
       +
       ULmlV/K/73d2xTAKBggqhkjOPQQDAwNoADBlAjBto95DikOxFmQEv/c5dCbz4eYW

     

       11
       +
       dsB78N+m2nrMgx10pzOvXNkvrt/D3mUbbnZI1DMCMQDQKQ+qPUF+PdDdSc21v778

     

       12
       +
       4Sokp/5SNBUVm7CT0I7OiPTtuLc//r6SK8d9VBQArx0=

     

       13
       +
       -----END CERTIFICATE-----

nixos/tests/ente/ca.key.pem

···

       1
       +
       -----BEGIN PRIVATE KEY-----

     

       2
       +
       MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCIBDkk1pfjwxBpwex2

     

       3
       +
       2izySRuBmJ4Za2aRtbnTbPevhHYs0WL8LTPID47dAt0erFihZANiAAST7GqqY2N7

     

       4
       +
       XW9SDHXkNOhbLMaIBTtdCpmu4AAEjRzS/KozwcGfWf98GyMJ+t8bFg9f0mCbWrl1

     

       5
       +
       TVhIb3eV7k7oadJYvBNljIBnnkKgmw1bnzIE0qbzcRWmz0m5ReFNkGA=

     

       6
       +
       -----END PRIVATE KEY-----

+139

nixos/tests/ente/default.nix

···

       1
       +
       { lib, pkgs, ... }:

     

       2
       +
       let

     

       3
       +
         accessKey = "BKIKJAA5BMMU2RHO6IBB";

     

       4
       +
         secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";

     

       5
       +
         rootCredentialsFile = pkgs.writeText "minio-credentials-full" ''

     

       6
       +
           MINIO_ROOT_USER=${accessKey}

     

       7
       +
           MINIO_ROOT_PASSWORD=${secretKey}

     

       8
       +
         '';

     

       9
       +
       

     

       10
       +
         certs = import ./snakeoil-certs.nix;

     

       11
       +
         domain = certs.domain;

     

       12
       +
       in

     

       13
       +
       {

     

       14
       +
         name = "ente";

     

       15
       +
         meta.maintainers = [ lib.maintainers.oddlama ];

     

       16
       +
       

     

       17
       +
         nodes.minio =

     

       18
       +
           { ... }:

     

       19
       +
           {

     

       20
       +
             environment.systemPackages = [ pkgs.minio-client ];

     

       21
       +
             services.minio = {

     

       22
       +
               enable = true;

     

       23
       +
               inherit rootCredentialsFile;

     

       24
       +
             };

     

       25
       +
       

     

       26
       +
             networking.firewall.allowedTCPPorts = [

     

       27
       +
               9000

     

       28
       +
             ];

     

       29
       +
       

     

       30
       +
             systemd.services.minio.environment = {

     

       31
       +
               MINIO_SERVER_URL = "https://s3.${domain}";

     

       32
       +
             };

     

       33
       +
           };

     

       34
       +
       

     

       35
       +
         nodes.ente =

     

       36
       +
           {

     

       37
       +
             config,

     

       38
       +
             nodes,

     

       39
       +
             lib,

     

       40
       +
             ...

     

       41
       +
           }:

     

       42
       +
           {

     

       43
       +
             security.pki.certificateFiles = [ certs.ca.cert ];

     

       44
       +
       

     

       45
       +
             networking.extraHosts = ''

     

       46
       +
               ${config.networking.primaryIPAddress} accounts.${domain} albums.${domain} api.${domain} cast.${domain} photos.${domain} s3.${domain}

     

       47
       +
             '';

     

       48
       +
       

     

       49
       +
             networking.firewall.allowedTCPPorts = [

     

       50
       +
               80

     

       51
       +
               443

     

       52
       +
             ];

     

       53
       +
       

     

       54
       +
             services.nginx = {

     

       55
       +
               recommendedProxySettings = true;

     

       56
       +
               virtualHosts =

     

       57
       +
                 lib.genAttrs

     

       58
       +
                   [

     

       59
       +
                     "accounts.${domain}"

     

       60
       +
                     "albums.${domain}"

     

       61
       +
                     "api.${domain}"

     

       62
       +
                     "cast.${domain}"

     

       63
       +
                     "photos.${domain}"

     

       64
       +
                   ]

     

       65
       +
                   (_: {

     

       66
       +
                     sslCertificate = certs.${domain}.cert;

     

       67
       +
                     sslCertificateKey = certs.${domain}.key;

     

       68
       +
                   })

     

       69
       +
                 // {

     

       70
       +
                   "s3.${domain}" = {

     

       71
       +
                     forceSSL = true;

     

       72
       +
                     sslCertificate = certs.${domain}.cert;

     

       73
       +
                     sslCertificateKey = certs.${domain}.key;

     

       74
       +
                     locations."/".proxyPass = "http://${nodes.minio.networking.primaryIPAddress}:9000";

     

       75
       +
                     extraConfig = ''

     

       76
       +
                       client_max_body_size 32M;

     

       77
       +
                       proxy_buffering off;

     

       78
       +
                       proxy_request_buffering off;

     

       79
       +
                     '';

     

       80
       +
                   };

     

       81
       +
                 };

     

       82
       +
             };

     

       83
       +
       

     

       84
       +
             services.ente = {

     

       85
       +
               web = {

     

       86
       +
                 enable = true;

     

       87
       +
                 domains = {

     

       88
       +
                   accounts = "accounts.${domain}";

     

       89
       +
                   albums = "albums.${domain}";

     

       90
       +
                   cast = "cast.${domain}";

     

       91
       +
                   photos = "photos.${domain}";

     

       92
       +
                 };

     

       93
       +
               };

     

       94
       +
               api = {

     

       95
       +
                 enable = true;

     

       96
       +
                 nginx.enable = true;

     

       97
       +
                 enableLocalDB = true;

     

       98
       +
                 domain = "api.${domain}";

     

       99
       +
                 settings = {

     

       100
       +
                   s3 = {

     

       101
       +
                     use_path_style_urls = true;

     

       102
       +
                     b2-eu-cen = {

     

       103
       +
                       endpoint = "https://s3.${domain}";

     

       104
       +
                       region = "us-east-1";

     

       105
       +
                       bucket = "ente";

     

       106
       +
                       key._secret = pkgs.writeText "accesskey" accessKey;

     

       107
       +
                       secret._secret = pkgs.writeText "secretkey" secretKey;

     

       108
       +
                     };

     

       109
       +
                   };

     

       110
       +
                   key = {

     

       111
       +
                     encryption._secret = pkgs.writeText "encryption" "T0sn+zUVFOApdX4jJL4op6BtqqAfyQLH95fu8ASWfno=";

     

       112
       +
                     hash._secret = pkgs.writeText "hash" "g/dBZBs1zi9SXQ0EKr4RCt1TGr7ZCKkgrpjyjrQEKovWPu5/ce8dYM6YvMIPL23MMZToVuuG+Z6SGxxTbxg5NQ==";

     

       113
       +
                   };

     

       114
       +
                   jwt.secret._secret = pkgs.writeText "jwt" "i2DecQmfGreG6q1vBj5tCokhlN41gcfS2cjOs9Po-u8=";

     

       115
       +
                 };

     

       116
       +
               };

     

       117
       +
             };

     

       118
       +
           };

     

       119
       +
       

     

       120
       +
         testScript = ''

     

       121
       +
           minio.start()

     

       122
       +
           minio.wait_for_unit("minio.service")

     

       123
       +
           minio.wait_for_open_port(9000)

     

       124
       +
       

     

       125
       +
           # Create a test bucket on the server

     

       126
       +
           minio.succeed("mc alias set minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4")

     

       127
       +
           minio.succeed("mc mb -p minio/ente")

     

       128
       +
       

     

       129
       +
           # Start ente

     

       130
       +
           ente.start()

     

       131
       +
           ente.wait_for_unit("ente.service")

     

       132
       +
           ente.wait_for_unit("nginx.service")

     

       133
       +
       

     

       134
       +
           # Wait until api is up

     

       135
       +
           ente.wait_until_succeeds("journalctl --since -2m --unit ente.service --grep 'We have lift-off.'", timeout=30)

     

       136
       +
           # Wait until photos app is up

     

       137
       +
           ente.wait_until_succeeds("curl -Ls https://photos.${domain}/ | grep -q 'Ente Photos'", timeout=30)

     

       138
       +
         '';

     

       139
       +
       }

+36

nixos/tests/ente/generate-certs.nix

···

       1
       +
       # Minica can provide a CA key and cert, plus a key

     

       2
       +
       # and cert for our fake CA server's Web Front End (WFE).

     

       3
       +
       {

     

       4
       +
         pkgs ? import <nixpkgs> { },

     

       5
       +
         minica ? pkgs.minica,

     

       6
       +
         mkDerivation ? pkgs.stdenv.mkDerivation,

     

       7
       +
       }:

     

       8
       +
       let

     

       9
       +
         conf = import ./snakeoil-certs.nix;

     

       10
       +
         domain = conf.domain;

     

       11
       +
       in

     

       12
       +
       mkDerivation {

     

       13
       +
         name = "test-certs";

     

       14
       +
         buildInputs = [

     

       15
       +
           (minica.overrideAttrs (_old: {

     

       16
       +
             prePatch = ''

     

       17
       +
               sed -i 's_NotAfter: time.Now().AddDate(2, 0, 30),_NotAfter: time.Now().AddDate(20, 0, 0),_' main.go

     

       18
       +
             '';

     

       19
       +
           }))

     

       20
       +
         ];

     

       21
       +
         dontUnpack = true;

     

       22
       +
       

     

       23
       +
         buildPhase = ''

     

       24
       +
           minica \

     

       25
       +
             --ca-key ca.key.pem \

     

       26
       +
             --ca-cert ca.cert.pem \

     

       27
       +
             --domains ${domain},accounts.${domain},albums.${domain},api.${domain},cast.${domain},photos.${domain},s3.${domain}

     

       28
       +
         '';

     

       29
       +
       

     

       30
       +
         installPhase = ''

     

       31
       +
           mkdir -p $out

     

       32
       +
           mv ca.*.pem $out/

     

       33
       +
           mv ${domain}/key.pem $out/${domain}.key.pem

     

       34
       +
           mv ${domain}/cert.pem $out/${domain}.cert.pem

     

       35
       +
         '';

     

       36
       +
       }

+14

nixos/tests/ente/snakeoil-certs.nix

···

       1
       +
       let

     

       2
       +
         domain = "acme.test";

     

       3
       +
       in

     

       4
       +
       {

     

       5
       +
         inherit domain;

     

       6
       +
         ca = {

     

       7
       +
           cert = ./ca.cert.pem;

     

       8
       +
           key = ./ca.key.pem;

     

       9
       +
         };

     

       10
       +
         "${domain}" = {

     

       11
       +
           cert = ./. + "/${domain}.cert.pem";

     

       12
       +
           key = ./. + "/${domain}.key.pem";

     

       13
       +
         };

     

       14
       +
       }