From 908c7daf42258234b3022b206bb9b42c3a224295 Mon Sep 17 00:00:00 2001 From: Philippe Loctaux
Date: Sun, 31 Aug 2025 01:44:08 +0200 Subject: [PATCH] services/pocket-id: init - add service for pocket-id (https://pocket-id.org) - exemple with caddy used as reverse proxy --- examples/pocket-id-caddy-unix-socket/.test.sh | 10 ++ .../pocket-id-caddy-unix-socket/devenv.nix | 30 +++++ src/modules/services/pocket-id.nix | 121 ++++++++++++++++++ 3 files changed, 161 insertions(+) create mode 100755 examples/pocket-id-caddy-unix-socket/.test.sh create mode 100644 examples/pocket-id-caddy-unix-socket/devenv.nix create mode 100644 src/modules/services/pocket-id.nix
diff --git a/examples/pocket-id-caddy-unix-socket/.test.sh b/examples/pocket-id-caddy-unix-socket/.test.sh
new file mode 100755
index 0000000000..08f33cf694
--- /dev/null
+++ b/examples/pocket-id-caddy-unix-socket/.test.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+wait_for_port 80
+
+env | grep UNIX_SOCKET
+env | grep TRUST_PROXY
+env | grep APP_NAME
+
+curl -sf "http://localhost/setup"
diff --git a/examples/pocket-id-caddy-unix-socket/devenv.nix b/examples/pocket-id-caddy-unix-socket/devenv.nix
new file mode 100644
index 0000000000..074ccb79a2
--- /dev/null
+++ b/examples/pocket-id-caddy-unix-socket/devenv.nix
@@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+{
+ packages = [ pkgs.curl ]; # used for the test
+
+ services = {
+ pocket-id = {
+ enable = true;
+ package = pkgs.pocket-id;
+
+ disable_analytics = true;
+
+ # Use caddy to expose pocket-id to the network
+ app_url = "http://localhost";
+ use_unix_socket = true;
+
+ # Define any environment variable
+ env.APP_NAME = "Devenv";
+ };
+
+ caddy = {
+ enable = true;
+ virtualHosts = {
+ "localhost:80".extraConfig = ''
+ reverse_proxy unix/${config.env.DEVENV_RUNTIME}/pocket-id.sock
+ '';
+ };
+
+ };
+ };
+}
diff --git a/src/modules/services/pocket-id.nix b/src/modules/services/pocket-id.nix
new file mode 100644
index 0000000000..70c3ac2b33
--- /dev/null
+++ b/src/modules/services/pocket-id.nix
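Review bot: `wait_for_port 80` only waits for caddy; if pocket-id has not yet created `$DEVENV_RUNTIME/pocket-id.sock` by the time `curl -sf "http://localhost/setup"` runs, caddy will most likely answer 502 and the test fails spuriously, so wait for the socket as well, e.g. `timeout 60 bash -c 'until [ -S "$DEVENV_RUNTIME/pocket-id.sock" ]; do sleep 1; done'`. The three `env | grep` checks pass on any value of the variable; pin the values the module is supposed to export, e.g. `env | grep -x 'TRUST_PROXY=true'` and `env | grep -x "UNIX_SOCKET=$DEVENV_RUNTIME/pocket-id.sock"`. Note that this test only covers the `use_unix_socket` path; a variant with `reverse_proxy = true` and no socket would exercise the `TRUST_PROXY` logic on its own.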
@@ -0,0 +1,121 @@
+{ pkgs, config, lib, ... }:
+let
+ cfg = config.services.pocket-id;
+ types = lib.types;
+ pocket-id-storage = config.env.DEVENV_STATE + "/pocket-id";
+in
+{
+ options.services.pocket-id = {
+ enable = lib.mkEnableOption "Pocket ID server, an OIDC provider. [pocket-id.org](https://pocket-id.org)";
+
+ package = lib.mkOption {
+ type = types.package;
+ default = pkgs.pocket-id;
+ defaultText = lib.literalExpression "pkgs.pocket-id";
+ description = "The pocket-id package to use.";
+ };
+
+ app_url = lib.mkOption {
+ type = types.str;
+ default = "http://localhost:1411";
+ description = ''
+ Specifies the connection string used to connect to the database.
+
+ This will set the environment variable `APP_URL`.
+ '';
+ };
+
+ disable_analytics = lib.mkOption {
+ type = types.bool;
+ description = ''
+ Disable heartbeat that gets sent every 24 hours to count how many Pocket ID instances are running.
+
+ See [docs page](https://pocket-id.org/docs/configuration/analytics/).
+
+ This will set the environment variable `ANALYTICS_DISABLED`.
+ '';
+ default = false;
+ };
+
+ disable_geolite = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable usage of GeoLite by setting the download URL for the GeoLite database to an empty string.
+
+ This will set the environment variable `GEOLITE_DB_URL` with an empty string.
+ '';
+ };
+
+ reverse_proxy = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether the app is behind a reverse proxy.
+
+ This will set the environment variable `TRUST_PROXY`.
+ '';
+ };
+
+ use_unix_socket = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Make pocket-id listen to a UNIX socket instead of TCP. The socket will be located at `$DEVENV_RUNTIME/pocket-id.sock`.
+
+ This will set the `UNIX_SOCKET` environment variable with the socket location. Pocket ID will ignore the environment variables `HOST` and `PORT`.
+
+ Additionally, the option `reverse_proxy` will be set to `true`.
+ '';
+ };
+
+ disable_ui_configuration = lib.mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable the ability to configure the UI through the web client. Customization will be done exclusively through environment variables.
+
+ This will set the environment variable `UI_CONFIG_DISABLED`.
+ '';
+ };
+
+ env = lib.mkOption {
+ type = types.attrsOf types.str;
+ default = { };
+ description = ''
+ Additional environment variables for pocket-id.
+
+ See [list of all variables](https://pocket-id.org/docs/configuration/environment-variables).
+ '';
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable {
+ packages = [ cfg.package ];
+
+ env = {
+ ANALYTICS_DISABLED = if cfg.disable_analytics then "true" else null;
+
+ APP_URL = cfg.app_url;
+
+ DB_CONNECTION_STRING = "file:${pocket-id-storage}/pocket-id.db";
+ UPLOAD_PATH = "${pocket-id-storage}/uploads";
+ KEYS_PATH = "${pocket-id-storage}/keys";
+ GEOLITE_DB_PATH = "${pocket-id-storage}/GeoLite2-City.mmdb";
+
+ UNIX_SOCKET = if cfg.use_unix_socket then "${config.env.DEVENV_RUNTIME}/pocket-id.sock" else null;
+ TRUST_PROXY = if cfg.use_unix_socket or cfg.reverse_proxy then "true" else null;
+
+ GEOLITE_DB_URL = if cfg.disable_geolite then "" else null;
+
+ UI_CONFIG_DISABLED = if cfg.disable_ui_configuration then "true" else null;
+ } // cfg.env;
+
+ processes.pocket-id.exec = ''
+ mkdir -p ${pocket-id-storage}
+ exec "${cfg.package}/bin/pocket-id"
+ '';
+ };
+
+}
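Review bot: `TRUST_PROXY = if cfg.use_unix_socket or cfg.reverse_proxy then "true" else null;` is not a boolean OR: in Nix the `or` keyword is the attribute-selection default operator, so the expression is `cfg.use_unix_socket` with a fallback that is never taken (the attribute always exists), and setting `reverse_proxy = true` on its own never exports `TRUST_PROXY` — the `.test.sh` only exercises the socket path, so it does not catch this. The fix is `TRUST_PROXY = if cfg.use_unix_socket || cfg.reverse_proxy then "true" else null;`. The `app_url` description ("Specifies the connection string used to connect to the database.") was copied from a database option and is wrong for `APP_URL`; it should read along the lines of `The public URL under which Pocket ID is reached by clients (the reverse-proxy address when one is used, as in the caddy example).`. Since `TRUST_PROXY` presumably makes the server honour forwarded client-address headers, the `reverse_proxy` description should also warn that it must only be enabled when the TCP listener is not directly reachable by clients, otherwise those headers can be spoofed by anyone who can connect to the port.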