rfmakecloud: 0.0.18 -> 0.0.21 (#356963)

2024-11-22 00:35:19 -05:00 · 2024-11-22 00:35:19 -05:00 · a42bdea0a7
commit a42bdea0a7
parent c10f2c7583 f27f1e0931
5 changed files with 123 additions and 29 deletions
--- a/nixos/modules/services/misc/rmfakecloud.nix
+++ b/nixos/modules/services/misc/rmfakecloud.nix
@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 with lib;

@ -6,18 +11,13 @@ let
  cfg = config.services.rmfakecloud;
  serviceDataDir = "/var/lib/rmfakecloud";

-in {
+in
+{
  options = {
    services.rmfakecloud = {
      enable = mkEnableOption "rmfakecloud remarkable self-hosted cloud";

-      package = mkPackageOption pkgs "rmfakecloud" {
-        extraDescription = ''
-          ::: {.note}
-          The default does not include the web user interface.
-          :::
-        '';
-      };
+      package = mkPackageOption pkgs "rmfakecloud" { };

      storageUrl = mkOption {
        type = types.str;
@ -36,7 +36,12 @@ in {
      };

      logLevel = mkOption {
-        type = types.enum [ "info" "debug" "warn" "error" ];
+        type = types.enum [
+          "info"
+          "debug"
+          "warn"
+          "error"
+        ];
        default = "info";
        description = ''
          Logging level.
@ -46,7 +51,9 @@ in {
      extraSettings = mkOption {
        type = with types; attrsOf str;
        default = { };
-        example = { DATADIR = "/custom/path/for/rmfakecloud/data"; };
+        example = {
+          DATADIR = "/custom/path/for/rmfakecloud/data";
+        };
        description = ''
          Extra settings in the form of a set of key-value pairs.
          For tokens and secrets, use `environmentFile` instead.
@ -106,11 +113,9 @@ in {
        Type = "simple";
        Restart = "always";

-        EnvironmentFile =
-          mkIf (cfg.environmentFile != null) cfg.environmentFile;
+        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;

-        AmbientCapabilities =
-          mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
+        AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];

        DynamicUser = true;
        PrivateDevices = true;
@ -128,7 +133,10 @@ in {
        ProtectProc = "invisible";
        ProcSubset = "pid";
        RemoveIPC = true;
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -876,6 +876,7 @@ in {
  retroarch = handleTest ./retroarch.nix {};
  rke2 = handleTestOn ["aarch64-linux" "x86_64-linux"] ./rke2 {};
  rkvm = handleTest ./rkvm {};
+  rmfakecloud = runTest ./rmfakecloud.nix;
  robustirc-bridge = handleTest ./robustirc-bridge.nix {};
  roundcube = handleTest ./roundcube.nix {};
  rosenpass = handleTest ./rosenpass.nix {};
--- a/nixos/tests/rmfakecloud.nix
+++ b/nixos/tests/rmfakecloud.nix
@ -0,0 +1,67 @@
+{ pkgs, ... }:
+{
+  name = "rmfakecloud";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ martinetd ];
+  };
+
+  nodes.machine = {
+    services.rmfakecloud = {
+      enable = true;
+      storageUrl = "https://local.appspot.com";
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("rmfakecloud.service")
+    machine.wait_for_open_port(3000)
+
+    # first login creates user
+    login_token = machine.succeed("""
+      curl -sSf -b cookie -c cookie -H "Content-Type: application/json" \
+        -d'{"email":"test","password":"test"}' -X POST \
+        http://localhost:3000/ui/api/login
+    """)
+
+    # subsequent different pass or mail should fail, but same login works
+    machine.fail("""
+      curl -sSf -H "Content-Type: application/json" \
+        -d'{"email":"test","password":"test2"}' -X POST \
+        http://localhost:3000/ui/api/login
+    """)
+    machine.fail("""
+      curl -sSf -H "Content-Type: application/json" \
+        -d'{"email":"test2","password":"test"}' -X POST
+        http://localhost:3000/ui/api/login
+    """)
+    machine.succeed("""
+      curl -sSf -H "Content-Type: application/json" \
+        -d'{"email":"test","password":"test"}' -X POST \
+        http://localhost:3000/ui/api/login
+    """)
+
+    # can get code from cookie or bearer
+    machine.succeed("""
+      curl -sSf -b cookie -c cookie http://localhost:3000/ui/api/newcode
+    """)
+    newcode = machine.succeed(f"""
+      curl -sSf -H "Authorization: Bearer {login_token}" \
+        http://localhost:3000/ui/api/newcode
+    """).strip('"')
+
+    # ... but not junk
+    machine.fail(f"""
+      curl -sSf -H "Authorization: Bearer abc{login_token}" \
+          http://localhost:3000/ui/api/newcode
+    """)
+
+    # can connect "device" with said code
+    machine.succeed(f"""
+      curl -sSf -d '{{"code":"{newcode}", "deviceDesc": "desc", "deviceID":"rm100-123"}}' \
+        http://localhost:3000/token/json/2/device/new
+    """)
+
+    # for future improvements
+    machine.log(machine.execute("systemd-analyze security rmfakecloud.service")[1])
+  '';
+}
--- a/pkgs/by-name/rm/rmfakecloud/package.nix
+++ b/pkgs/by-name/rm/rmfakecloud/package.nix
@ -1,36 +1,54 @@
-{ lib, fetchFromGitHub, buildGoModule, callPackage, enableWebui ? true }:
+{
+  lib,
+  fetchFromGitHub,
+  buildGoModule,
+  callPackage,
+  enableWebui ? true,
+  nixosTests,
+}:

 buildGoModule rec {
  pname = "rmfakecloud";
-  version = "0.0.18";
+  version = "0.0.21";

  src = fetchFromGitHub {
    owner = "ddvk";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-J8oB5C5FYZTVq9zopHoL6WYpfTyiiyrQ4YSGu+2eaKw=";
+    hash = "sha256-Opx39FUo4Kzezi96D9iraA8gkqCPVfMf4LhxtVpsuNQ=";
  };

-  vendorHash = "sha256-S43qNDAlDWhrkfSffCooveemR1Z7KXS18t97UoolgBM=";
+  vendorHash = "sha256-9tfxE03brUvCYusmewiqNpCkKyIS9qePqylrzDWrJLY=";

  ui = callPackage ./webui.nix { inherit version src; };

-  postPatch = if enableWebui then ''
-    mkdir -p ui/build
-    cp -r ${ui}/* ui/build
-  '' else ''
-    sed -i '/go:/d' ui/assets.go
-  '';
+  postPatch =
+    if enableWebui then
+      ''
+        mkdir -p ui/build
+        cp -r ${ui}/* ui/build
+      ''
+    else
+      ''
+        sed -i '/go:/d' ui/assets.go
+      '';

  ldflags = [
-    "-s" "-w" "-X main.version=v${version}"
+    "-s"
+    "-w"
+    "-X main.version=v${version}"
  ];

+  passthru.tests.rmfakecloud = nixosTests.rmfakecloud;
+
  meta = with lib; {
    description = "Host your own cloud for the Remarkable";
    homepage = "https://ddvk.github.io/rmfakecloud/";
    license = licenses.agpl3Only;
-    maintainers = with maintainers; [ pacien martinetd ];
+    maintainers = with maintainers; [
+      pacien
+      martinetd
+    ];
    mainProgram = "rmfakecloud";
  };
 }
--- a/pkgs/by-name/rm/rmfakecloud/webui.nix
+++ b/pkgs/by-name/rm/rmfakecloud/webui.nix
@ -7,7 +7,7 @@ stdenv.mkDerivation rec {

  yarnOfflineCache = fetchYarnDeps {
    yarnLock = "${src}/ui/yarn.lock";
-    hash = "sha256-JLCrpzytMKejmW+WlM6yybsoIZiimiJdPG5dSIn1L14=";
+    hash = "sha256-9//uQ4ZLLTf2N1WSwsOwFjBuDmThuMtMXU4SzMljAMM=";
  };

  nativeBuildInputs = [ fixup-yarn-lock yarn nodejs ];