diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md index 3399e7a7ef44..14143c3037c6 100644 --- a/nixos/doc/manual/release-notes/rl-2405.section.md +++ b/nixos/doc/manual/release-notes/rl-2405.section.md @@ -197,6 +197,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m - [your_spotify](https://github.com/Yooooomi/your_spotify), a self hosted Spotify tracking dashboard. Available as [services.your_spotify](#opt-services.your_spotify.enable) +- [FileSender](https://filesender.org/), a file sharing software. Available as [services.filesender](#opt-services.filesender.enable). + ## Backward Incompatibilities {#sec-release-24.05-incompatibilities} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index bd5b79f19faa..70482bffed56 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1353,6 +1353,7 @@ ./services/web-apps/dolibarr.nix ./services/web-apps/engelsystem.nix ./services/web-apps/ethercalc.nix + ./services/web-apps/filesender.nix ./services/web-apps/firefly-iii.nix ./services/web-apps/flarum.nix ./services/web-apps/fluidd.nix diff --git a/nixos/modules/services/web-apps/filesender.md b/nixos/modules/services/web-apps/filesender.md new file mode 100644 index 000000000000..44d066761b9a --- /dev/null +++ b/nixos/modules/services/web-apps/filesender.md @@ -0,0 +1,49 @@ +# FileSender {#module-services-filesender} + +[FileSender](https://filesender.org/software/) is a software that makes it easy to send and receive big files. + +## Quickstart {#module-services-filesender-quickstart} + +FileSender uses [SimpleSAMLphp](https://simplesamlphp.org/) for authentication, which needs to be configured separately. + +Minimal working instance of FileSender that uses password-authentication would look like this: + +```nix +{ + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.filesender = { + enable = true; + localDomain = "filesender.example.com"; + configureNginx = true; + database.createLocally = true; + + settings = { + auth_sp_saml_authentication_source = "default"; + auth_sp_saml_uid_attribute = "uid"; + storage_filesystem_path = ""; + admin = "admin"; + admin_email = "admin@example.com"; + email_reply_to = "noreply@example.com"; + }; + }; + services.simplesamlphp.filesender = { + settings = { + "module.enable".exampleauth = true; + }; + authSources = { + admin = [ "core:AdminPassword" ]; + default = format.lib.mkMixedArray [ "exampleauth:UserPass" ] { + "admin:admin123" = { + uid = [ "admin" ]; + cn = [ "admin" ]; + mail = [ "admin@example.com" ]; + }; + }; + }; + }; +} +``` + +::: {.warning} +Example above uses hardcoded clear-text password, in production you should use other authentication method like LDAP. You can check supported authentication methods [in SimpleSAMLphp documentation](https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html). +::: diff --git a/nixos/modules/services/web-apps/filesender.nix b/nixos/modules/services/web-apps/filesender.nix new file mode 100644 index 000000000000..bc8d465643f2 --- /dev/null +++ b/nixos/modules/services/web-apps/filesender.nix @@ -0,0 +1,253 @@ +{ + config, + lib, + pkgs, + ... +}: +let + format = pkgs.formats.php { finalVariable = "config"; }; + + cfg = config.services.filesender; + simpleSamlCfg = config.services.simplesamlphp.filesender; + fpm = config.services.phpfpm.pools.filesender; + + filesenderConfigDirectory = pkgs.runCommand "filesender-config" { } '' + mkdir $out + cp ${format.generate "config.php" cfg.settings} $out/config.php + ''; +in +{ + meta = { + maintainers = with lib.maintainers; [ nhnn ]; + doc = ./filesender.md; + }; + + options.services.filesender = with lib; { + enable = mkEnableOption "FileSender"; + package = mkPackageOption pkgs "filesender" { }; + user = mkOption { + description = "User under which filesender runs."; + type = types.str; + default = "filesender"; + }; + database = { + createLocally = mkOption { + type = types.bool; + default = true; + description = '' + Create the PostgreSQL database and database user locally. + ''; + }; + hostname = mkOption { + type = types.str; + default = "/run/postgresql"; + description = "Database hostname."; + }; + port = mkOption { + type = types.port; + default = 5432; + description = "Database port."; + }; + name = mkOption { + type = types.str; + default = "filesender"; + description = "Database name."; + }; + user = mkOption { + type = types.str; + default = "filesender"; + description = "Database user."; + }; + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/filesender-dbpassword"; + description = '' + A file containing the password corresponding to + [](#opt-services.filesender.database.user). + ''; + }; + }; + settings = mkOption { + type = types.submodule { + freeformType = format.type; + options = { + site_url = mkOption { + type = types.str; + description = "Site URL. Used in emails, to build URLs for logging in, logging out, build URL for upload endpoint for web workers, to include scripts etc."; + }; + admin = mkOption { + type = types.commas; + description = '' + UIDs (as per the configured saml_uid_attribute) of FileSender administrators. + Accounts with these UIDs can access the Admin page through the web UI. + ''; + }; + admin_email = mkOption { + type = types.commas; + description = '' + Email address of FileSender administrator(s). + Emails regarding disk full etc. are sent here. + You should use a role-address here. + ''; + }; + storage_filesystem_path = mkOption { + type = types.nullOr types.str; + description = "When using storage type filesystem this is the absolute path to the file system where uploaded files are stored until they expire. Your FileSender storage root."; + }; + log_facilities = mkOption { + type = format.type; + default = [ { type = "error_log"; } ]; + description = "Defines where FileSender logging is sent. You can sent logging to a file, to syslog or to the default PHP log facility (as configured through your webserver's PHP module). The directive takes an array of one or more logging targets. Logging can be sent to multiple targets simultaneously. Each logging target is a list containing the name of the logging target and a number of attributes which vary per log target. See below for the exact definiation of each log target."; + }; + }; + }; + default = { }; + description = '' + Configuration options used by FileSender. + See [](https://docs.filesender.org/filesender/v2.0/admin/configuration/) + for available options. + ''; + }; + configureNginx = mkOption { + type = types.bool; + default = true; + description = "Configure nginx as a reverse proxy for FileSender."; + }; + localDomain = mkOption { + type = types.str; + example = "filesender.example.org"; + description = "The domain serving your FileSender instance."; + }; + poolSettings = mkOption { + type = + with types; + attrsOf (oneOf [ + str + int + bool + ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = "32"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "2"; + "pm.max_spare_servers" = "4"; + "pm.max_requests" = "500"; + }; + description = '' + Options for FileSender's PHP pool. See the documentation on `php-fpm.conf` for details on configuration directives. + ''; + }; + }; + config = lib.mkIf cfg.enable { + services.simplesamlphp.filesender = { + phpfpmPool = "filesender"; + localDomain = cfg.localDomain; + settings.baseurlpath = lib.mkDefault "https://${cfg.localDomain}/saml"; + }; + + services.phpfpm = { + pools.filesender = { + user = cfg.user; + group = config.services.nginx.group; + phpEnv = { + FILESENDER_CONFIG_DIR = toString filesenderConfigDirectory; + SIMPLESAMLPHP_CONFIG_DIR = toString simpleSamlCfg.configDir; + }; + settings = { + "listen.owner" = config.services.nginx.user; + "listen.group" = config.services.nginx.group; + } // cfg.poolSettings; + }; + }; + + services.nginx = lib.mkIf cfg.configureNginx { + enable = true; + virtualHosts.${cfg.localDomain} = { + root = "${cfg.package}/www"; + extraConfig = '' + index index.php; + ''; + locations = { + "/".extraConfig = '' + try_files $uri $uri/ /index.php?args; + ''; + "~ [^/]\\.php(/|$)" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${fpm.socket}; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_intercept_errors on; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + ''; + }; + "~ /\\.".extraConfig = "deny all;"; + }; + }; + }; + + services.postgresql = lib.mkIf cfg.database.createLocally { + enable = true; + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { + name = cfg.database.user; + ensureDBOwnership = true; + } + ]; + }; + + services.filesender.settings = lib.mkMerge [ + (lib.mkIf cfg.database.createLocally { + db_host = "/run/postgresql"; + db_port = "5432"; + db_password = "."; # FileSender requires it even when on UNIX socket auth. + }) + (lib.mkIf (!cfg.database.createLocally) { + db_host = cfg.database.hostname; + db_port = toString cfg.database.port; + db_password = format.lib.mkRaw "file_get_contents('${cfg.database.passwordFile}')"; + }) + { + site_url = lib.mkDefault "https://${cfg.localDomain}"; + db_type = "pgsql"; + db_username = cfg.database.user; + db_database = cfg.database.name; + "auth_sp_saml_simplesamlphp_url" = "/saml"; + "auth_sp_saml_simplesamlphp_location" = "${simpleSamlCfg.libDir}"; + } + ]; + + systemd.services.filesender-initdb = { + description = "Init filesender DB"; + + wantedBy = [ + "multi-user.target" + "phpfpm-filesender.service" + ]; + after = [ "postgresql.service" ]; + + restartIfChanged = true; + + serviceConfig = { + Environment = [ + "FILESENDER_CONFIG_DIR=${toString filesenderConfigDirectory}" + "SIMPLESAMLPHP_CONFIG_DIR=${toString simpleSamlCfg.configDir}" + ]; + Type = "oneshot"; + Group = config.services.nginx.group; + User = "filesender"; + ExecStart = "${fpm.phpPackage}/bin/php ${cfg.package}/scripts/upgrade/database.php"; + }; + }; + + users.extraUsers.filesender = lib.mkIf (cfg.user == "filesender") { + home = "/var/lib/filesender"; + group = config.services.nginx.group; + createHome = true; + isSystemUser = true; + }; + }; +} diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 3e4cfce7ae87..8146a9b86026 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -312,6 +312,7 @@ in { fenics = handleTest ./fenics.nix {}; ferm = handleTest ./ferm.nix {}; ferretdb = handleTest ./ferretdb.nix {}; + filesender = handleTest ./filesender.nix {}; filesystems-overlayfs = runTest ./filesystems-overlayfs.nix; firefly-iii = handleTest ./firefly-iii.nix {}; firefox = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox; }; diff --git a/nixos/tests/filesender.nix b/nixos/tests/filesender.nix new file mode 100644 index 000000000000..9274ddbf7e90 --- /dev/null +++ b/nixos/tests/filesender.nix @@ -0,0 +1,137 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "filesender"; + meta = { + maintainers = with lib.maintainers; [ nhnn ]; + broken = pkgs.stdenv.isAarch64; # selenium.common.exceptions.WebDriverException: Message: Unsupported platform/architecture combination: linux/aarch64 + }; + + nodes.filesender = { ... }: let + format = pkgs.formats.php { }; + in { + networking.firewall.allowedTCPPorts = [ 80 ]; + + services.filesender.enable = true; + services.filesender.localDomain = "filesender"; + services.filesender.settings = { + auth_sp_saml_authentication_source = "default"; + auth_sp_saml_uid_attribute = "uid"; + storage_filesystem_path = "/tmp"; + site_url = "http://filesender"; + force_ssl = false; + admin = ""; + admin_email = "admin@localhost"; + email_reply_to = "noreply@localhost"; + }; + services.simplesamlphp.filesender = { + settings = { + baseurlpath = "http://filesender/saml"; + "module.enable".exampleauth = true; + }; + authSources = { + admin = [ "core:AdminPassword" ]; + default = format.lib.mkMixedArray [ "exampleauth:UserPass" ] { + "user:password" = { + uid = [ "user" ]; + cn = [ "user" ]; + mail = [ "user@nixos.org" ]; + }; + }; + }; + }; + }; + + nodes.client = + { pkgs + , nodes + , ... + }: + let + filesenderIP = (builtins.head (nodes.filesender.networking.interfaces.eth1.ipv4.addresses)).address; + in + { + networking.hosts.${filesenderIP} = [ "filesender" ]; + + environment.systemPackages = + let + username = "user"; + password = "password"; + browser-test = + pkgs.writers.writePython3Bin "browser-test" + { + libraries = [ pkgs.python3Packages.selenium ]; + flakeIgnore = [ "E124" "E501" ]; + } '' + from selenium.webdriver.common.by import By + from selenium.webdriver import Firefox + from selenium.webdriver.firefox.options import Options + from selenium.webdriver.firefox.firefox_profile import FirefoxProfile + from selenium.webdriver.firefox.service import Service + from selenium.webdriver.support.ui import WebDriverWait + from selenium.webdriver.support import expected_conditions as EC + from subprocess import STDOUT + import string + import random + import logging + import time + selenium_logger = logging.getLogger("selenium") + selenium_logger.setLevel(logging.DEBUG) + selenium_logger.addHandler(logging.StreamHandler()) + profile = FirefoxProfile() + profile.set_preference("browser.download.folderList", 2) + profile.set_preference("browser.download.manager.showWhenStarting", False) + profile.set_preference("browser.download.dir", "/tmp/firefox") + profile.set_preference("browser.helperApps.neverAsk.saveToDisk", "text/plain;text/txt") + options = Options() + options.profile = profile + options.add_argument('--headless') + service = Service(log_output=STDOUT) + driver = Firefox(options=options) + driver.set_window_size(1024, 768) + driver.implicitly_wait(30) + driver.get('http://filesender/') + wait = WebDriverWait(driver, 20) + wait.until(EC.title_contains("FileSender")) + driver.find_element(By.ID, "btn_logon").click() + wait.until(EC.title_contains("Enter your username and password")) + driver.find_element(By.ID, 'username').send_keys( + '${username}' + ) + driver.find_element(By.ID, 'password').send_keys( + '${password}' + ) + driver.find_element(By.ID, "submit_button").click() + wait.until(EC.title_contains("FileSender")) + wait.until(EC.presence_of_element_located((By.ID, "topmenu_logoff"))) + test_string = "".join(random.choices(string.ascii_uppercase + string.digits, k=20)) + with open("/tmp/test_file.txt", "w") as file: + file.write(test_string) + driver.find_element(By.ID, "files").send_keys("/tmp/test_file.txt") + time.sleep(2) + driver.find_element(By.CSS_SELECTOR, '.start').click() + wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".download_link"))) + download_link = driver.find_element(By.CSS_SELECTOR, '.download_link > textarea').get_attribute('value').strip() + driver.get(download_link) + wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".download"))) + driver.find_element(By.CSS_SELECTOR, '.download').click() + wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".ui-dialog-buttonset > button:nth-child(2)"))) + driver.find_element(By.CSS_SELECTOR, ".ui-dialog-buttonset > button:nth-child(2)").click() + driver.close() + driver.quit() + ''; + in + [ + pkgs.firefox-unwrapped + pkgs.geckodriver + browser-test + ]; + }; + + testScript = '' + start_all() + filesender.wait_for_file("/run/phpfpm/filesender.sock") + filesender.wait_for_open_port(80) + if "If you have received an invitation to access this site as a guest" not in client.wait_until_succeeds("curl -sS -f http://filesender"): + raise Exception("filesender returned invalid html") + client.succeed("browser-test") + ''; +}) diff --git a/pkgs/by-name/fi/filesender/package.nix b/pkgs/by-name/fi/filesender/package.nix index 10816401b7db..6cf4f36fd870 100644 --- a/pkgs/by-name/fi/filesender/package.nix +++ b/pkgs/by-name/fi/filesender/package.nix @@ -4,14 +4,14 @@ lib, nixosTests, }: -stdenv.mkDerivation rec { +stdenv.mkDerivation (finalAttrs: { pname = "filesender"; version = "2.48"; src = fetchFromGitHub { owner = "filesender"; repo = "filesender"; - rev = "filesender-${version}"; + rev = "filesender-${finalAttrs.version}"; hash = "sha256-lXA9XZ5gbfut2EQ5bF2w8rhAEM++8rQseWviKwfRWGk="; }; @@ -22,8 +22,12 @@ stdenv.mkDerivation rec { ]; installPhase = '' + runHook preInstall + mkdir -p $out/ cp -R . $out/ + + runHook postInstall ''; passthru.tests = { @@ -36,4 +40,4 @@ stdenv.mkDerivation rec { license = lib.licenses.bsd3; maintainers = with lib.maintainers; [ nhnn ]; }; -} +}) diff --git a/pkgs/by-name/fi/filesender/separate_mutable_paths.patch b/pkgs/by-name/fi/filesender/separate_mutable_paths.patch index cc618211cb3f..c320e5872168 100644 --- a/pkgs/by-name/fi/filesender/separate_mutable_paths.patch +++ b/pkgs/by-name/fi/filesender/separate_mutable_paths.patch @@ -1,5 +1,5 @@ diff --git a/classes/utils/Config.class.php b/classes/utils/Config.class.php -index a4d819bc..3c2ed287 100644 +index a4d819bc..318defdf 100644 --- a/classes/utils/Config.class.php +++ b/classes/utils/Config.class.php @@ -30,7 +30,7 @@ @@ -16,7 +16,7 @@ index a4d819bc..3c2ed287 100644 // Check if main config exists - $main_config_file = FILESENDER_BASE.'/config/config.php'; -+ $main_config_file = FILESENDER_CONFIG_DIR.'/config/config.php'; ++ $main_config_file = FILESENDER_CONFIG_DIR.'/config.php'; if (!file_exists($main_config_file)) { throw new ConfigFileMissingException($main_config_file); } @@ -25,7 +25,7 @@ index a4d819bc..3c2ed287 100644 // load password file if it is there - $pass_config_file = FILESENDER_BASE.'/config/config-passwords.php'; -+ $pass_config_file = FILESENDER_CONFIG_DIR.'/config/config-passwords.php'; ++ $pass_config_file = FILESENDER_CONFIG_DIR.'/config-passwords.php'; if (file_exists($pass_config_file)) { $config = array(); include_once($pass_config_file); @@ -34,7 +34,7 @@ index a4d819bc..3c2ed287 100644 } - $config_file = FILESENDER_BASE.'/config/'.$virtualhost.'/config.php'; -+ $config_file = FILESENDER_CONFIG_DIR.'/config/'.$virtualhost.'/config.php'; ++ $config_file = FILESENDER_CONFIG_DIR.$virtualhost.'/config.php'; if (!file_exists($config_file)) { throw new ConfigFileMissingException($config_file); } // Should exist even if empty @@ -43,7 +43,7 @@ index a4d819bc..3c2ed287 100644 foreach ($regex_and_configs as $regex => $extra_config_name) { if (preg_match('`'.$regex.'`', $auth_attrs[$attr])) { - $extra_config_file = FILESENDER_BASE.'/config/config-' . $extra_config_name . '.php'; -+ $extra_config_file = FILESENDER_CONFIG_DIR.'/config/config-' . $extra_config_name . '.php'; ++ $extra_config_file = FILESENDER_CONFIG_DIR.'/config-' . $extra_config_name . '.php'; if (file_exists($extra_config_file)) { $config = array(); include_once($extra_config_file); @@ -52,7 +52,7 @@ index a4d819bc..3c2ed287 100644 $overrides_cfg = self::get('config_overrides'); if ($overrides_cfg) { - $overrides_file = FILESENDER_BASE.'/config/'.($virtualhost ? $virtualhost.'/' : '').'config_overrides.json'; -+ $overrides_file = FILESENDER_CONFIG_DIR.'/config/'.($virtualhost ? $virtualhost.'/' : '').'config_overrides.json'; ++ $overrides_file = FILESENDER_CONFIG_DIR.($virtualhost ? $virtualhost.'/' : '').'config_overrides.json'; $overrides = file_exists($overrides_file) ? json_decode(trim(file_get_contents($overrides_file))) : new StdClass(); @@ -61,7 +61,7 @@ index a4d819bc..3c2ed287 100644 { $virtualhosts = array(); - foreach (scandir(FILESENDER_BASE.'/config') as $item) { -+ foreach (scandir(FILESENDER_CONFIG_DIR.'/config') as $item) { ++ foreach (scandir(FILESENDER_CONFIG_DIR) as $item) { if (!preg_match('`^(.+)\.conf\.php$`', $item, $match)) { continue; } @@ -103,7 +103,7 @@ index 5c1e7f61..b1fb57e4 100644 +if(!defined('FILESENDER_BASE') || !defined("FILESENDER_CONFIG_DIR")) die('Missing environment'); -if(!file_exists(FILESENDER_BASE.'/config/config.php')) -++if(!file_exists(FILESENDER_CONFIG_DIR.'/config.php')) ++if(!file_exists(FILESENDER_CONFIG_DIR.'/config.php')) die('Configuration file not found'); ConfigValidator::addCheck('site_url', 'string');