pleroma: 2.6.3 -> 2.7.0 (#333283)

nixos/modules/services/networking/pleroma.nix

@@ -1,7 +1,13 @@
-{ config, options, lib, pkgs, stdenv, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   cfg = config.services.pleroma;
-in {
+in
+{
   options = {
     services.pleroma = with lib; {
       enable = mkEnableOption "pleroma";
@@ -48,7 +54,7 @@ in {
 
           Have a look to Pleroma section in the NixOS manual for more
           information.
-          '';
+        '';
       };
 
       secretConfigFile = mkOption {
@@ -73,7 +79,7 @@ in {
         group = cfg.group;
         isSystemUser = true;
       };
-      groups."${cfg.group}" = {};
+      groups."${cfg.group}" = { };
     };
 
     environment.systemPackages = [ cfg.package ];
@@ -90,57 +96,79 @@ in {
       import_config "${cfg.secretConfigFile}"
     '';
 
-    systemd.services.pleroma = {
-      description = "Pleroma social network";
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" "postgresql.service" ];
-      wantedBy = [ "multi-user.target" ];
-      restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
-      environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
-      serviceConfig = {
-        User = cfg.user;
-        Group = cfg.group;
-        Type = "exec";
-        WorkingDirectory = "~";
-        StateDirectory = "pleroma pleroma/static pleroma/uploads";
-        StateDirectoryMode = "700";
+    systemd.services =
+      let
+        commonSystemdServiceConfig = {
+          User = cfg.user;
+          Group = cfg.group;
+          WorkingDirectory = "~";
+          StateDirectory = "pleroma pleroma/static pleroma/uploads";
+          StateDirectoryMode = "700";
+          # Systemd sandboxing directives.
+          # Taken from the upstream contrib systemd service at
+          # pleroma/installation/pleroma.service
+          PrivateTmp = true;
+          ProtectHome = true;
+          ProtectSystem = "full";
+          PrivateDevices = false;
+          NoNewPrivileges = true;
+          CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+        };
 
-        # Checking the conf file is there then running the database
-        # migration before each service start, just in case there are
-        # some pending ones.
-        #
-        # It's sub-optimal as we'll always run this, even if pleroma
-        # has not been updated. But the no-op process is pretty fast.
-        # Better be safe than sorry migration-wise.
-        ExecStartPre =
-          let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
-            if [ ! -f /var/lib/pleroma/.cookie ]
-            then
-              echo "Creating cookie file"
-              dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
-            fi
-            ${cfg.package}/bin/pleroma_ctl migrate
-          '';
-          in "${preScript}/bin/pleromaStartPre";
+      in
+      {
+        pleroma-migrations = {
+          description = "Pleroma social network migrations";
+          wants = [ "network-online.target" ];
+          after = [
+            "network-online.target"
+            "postgresql.service"
+          ];
+          wantedBy = [ "pleroma.service" ];
+          environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
+          serviceConfig = commonSystemdServiceConfig // {
+            Type = "oneshot";
+            # Checking the conf file is there then running the database
+            # migration before each service start, just in case there are
+            # some pending ones.
+            #
+            # It's sub-optimal as we'll always run this, even if pleroma
+            # has not been updated. But the no-op process is pretty fast.
+            # Better be safe than sorry migration-wise.
+            ExecStart =
+              let
+                preScript = pkgs.writers.writeBashBin "pleroma-migrations" ''
+                  if [ ! -f /var/lib/pleroma/.cookie ]
+                  then
+                    echo "Creating cookie file"
+                    dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
+                  fi
+                  ${cfg.package}/bin/pleroma_ctl migrate
+                '';
+              in
+              "${preScript}/bin/pleroma-migrations";
+          };
+          # disksup requires bash
+          path = [ pkgs.bash ];
+        };
 
-        ExecStart = "${cfg.package}/bin/pleroma start";
-        ExecStop = "${cfg.package}/bin/pleroma stop";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-
-        # Systemd sandboxing directives.
-        # Taken from the upstream contrib systemd service at
-        # pleroma/installation/pleroma.service
-        PrivateTmp = true;
-        ProtectHome = true;
-        ProtectSystem = "full";
-        PrivateDevices = false;
-        NoNewPrivileges = true;
-        CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+        pleroma = {
+          description = "Pleroma social network";
+          wants = [ "pleroma-migrations.service" ];
+          after = [ "pleroma-migrations.service" ];
+          wantedBy = [ "multi-user.target" ];
+          restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
+          environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
+          serviceConfig = commonSystemdServiceConfig // {
+            Type = "exec";
+            ExecStart = "${cfg.package}/bin/pleroma start";
+            ExecStop = "${cfg.package}/bin/pleroma stop";
+            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+          };
+          # disksup requires bash
+          path = [ pkgs.bash ];
+        };
       };
-      # disksup requires bash
-      path = [ pkgs.bash ];
-    };
-
   };
   meta.maintainers = with lib.maintainers; [ picnoir ];
   meta.doc = ./pleroma.md;

nixos/tests/pleroma.nix

@@ -32,18 +32,18 @@ import ./make-test-python.nix ({ pkgs, ... }:
     # system one. Overriding this pretty bad default behaviour.
     export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 
-    toot --debug login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test" -p "jamy-password"
+    toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test" -p 'jamy-password'
     echo "Login OK"
 
     # Send a toot then verify it's part of the public timeline
-    echo "y" | toot post "hello world Jamy here"
+    toot post "hello world Jamy here"
     echo "Send toot OK"
-    echo "y" | toot timeline | grep -c "hello world Jamy here"
+    toot timeline -1 | grep -F -q "hello world Jamy here"
     echo "Get toot from timeline OK"
 
     # Test file upload
-    echo "y" | toot upload ${db-seed} | grep -c "https://pleroma.nixos.test/media"
-    echo "File upload OK"
+    echo "y" | ${pkgs.toot}/bin/toot upload <(dd if=/dev/zero bs=1024 count=1024 status=none) \
+      | grep -F -q "https://pleroma.nixos.test/media"
 
     echo "====================================================="
     echo "=                   SUCCESS                         ="
@@ -244,6 +244,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 
   testScript = { nodes, ... }: ''
     pleroma.wait_for_unit("postgresql.service")
+    pleroma.wait_until_succeeds("ls /var/lib/pleroma")
     pleroma.succeed("provision-db")
     pleroma.wait_for_file("/var/lib/pleroma")
     pleroma.succeed("provision-secrets")

pkgs/servers/pleroma/Revert-Config-Restrict-permissions-of-OTP-config.patch

@@ -3,7 +3,8 @@ From: Yaya <yaya@uwu.is>
 Date: Sun, 6 Aug 2023 00:02:40 +0000
 Subject: [PATCH] Revert "Config: Restrict permissions of OTP config file"
 
-This reverts commit 4befb3b1d02f32eb2c56f12e4684a7bb3167b0ee.
+This reverts commit 4befb3b1d02f32eb2c56f12e4684a7bb3167b0ee
+and 3b82864bccee1af625dd19faed511d5b76f66f9d.
 
 The Nix store is world readable by design.
 ---
@@ -19,7 +20,7 @@ index 9ec0f975e..91e5f1a54 100644
      with_runtime_config =
        if File.exists?(config_path) do
 -        # <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
--        %File.Stat{mode: mode} = File.lstat!(config_path)
+-        %File.Stat{mode: mode} = File.stat!(config_path)
 -
 -        if Bitwise.band(mode, 0o007) > 0 do
 -          raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"

pkgs/servers/pleroma/default.nix

@@ -1,32 +1,52 @@
-{ lib, beamPackages
-, fetchFromGitHub, fetchFromGitLab, fetchHex
-, file, cmake
-, nixosTests, writeText
-, ...
+{
+  lib,
+  beamPackages,
+  fetchFromGitHub,
+  fetchFromGitLab,
+  fetchHex,
+  file,
+  cmake,
+  nixosTests,
+  writeText,
+  vips,
+  pkg-config,
+  glib,
+  ...
 }:
 
 beamPackages.mixRelease rec {
   pname = "pleroma";
-  version = "2.6.3";
+  version = "2.7.0";
 
   src = fetchFromGitLab {
     domain = "git.pleroma.social";
     owner = "pleroma";
     repo = "pleroma";
     rev = "v${version}";
-    sha256 = "sha256-ZiupcCu6ES/G9rsdNo5+JXOIPhb4CHT2YhKThWiLisw=";
+    sha256 = "sha256-2uKVwjxMLC8jyZWW+ltBRNtOR7RaAb8SPO1iV2wyROc=";
   };
 
-  patches = [
-    ./Revert-Config-Restrict-permissions-of-OTP-config.patch
-  ];
+  patches = [ ./Revert-Config-Restrict-permissions-of-OTP-config.patch ];
 
   mixNixDeps = import ./mix.nix {
     inherit beamPackages lib;
     overrides = final: prev: {
       # mix2nix does not support git dependencies yet,
       # so we need to add them manually
-      prometheus_ex = beamPackages.buildMix rec {
+      captcha = beamPackages.buildMix {
+        name = "captcha";
+        version = "0.1.0";
+
+        src = fetchFromGitLab {
+          domain = "git.pleroma.social";
+          owner = "pleroma/elixir-libraries";
+          repo = "elixir-captcha";
+          rev = "90f6ce7672f70f56708792a98d98bd05176c9176";
+          sha256 = "sha256-s7EuAhmCsQA/4p2NJHJSWB/DZ5hA+7EelPsUOvKr2Po=";
+        };
+        beamDeps = [ ];
+      };
+      prometheus_ex = beamPackages.buildMix {
         name = "prometheus_ex";
         version = "3.0.5";
 
@@ -34,60 +54,28 @@ beamPackages.mixRelease rec {
           owner = "lanodan";
           repo = "prometheus.ex";
           rev = "31f7fbe4b71b79ba27efc2a5085746c4011ceb8f";
-          sha256 = "sha256-2PZP+YnwnHt69HtIAQvjMBqBbfdbkRSoMzb1AL2Zsyc=";
+          hash = "sha256-2PZP+YnwnHt69HtIAQvjMBqBbfdbkRSoMzb1AL2Zsyc=";
         };
         beamDeps = with final; [ prometheus ];
       };
-      captcha = beamPackages.buildMix rec {
-        name = "captcha";
-        version = "0.1.0";
-
-        src = fetchFromGitLab {
-          domain = "git.pleroma.social";
-          group = "pleroma";
-          owner = "elixir-libraries";
-          repo = "elixir-captcha";
-          rev = "90f6ce7672f70f56708792a98d98bd05176c9176";
-          hash = "sha256-s7EuAhmCsQA/4p2NJHJSWB/DZ5hA+7EelPsUOvKr2Po=";
-        };
-        beamDeps = with final; [ ];
-
-        postInstall = "mv priv/* $out/lib/erlang/lib/${name}-${version}/priv/";
-      };
-      remote_ip = beamPackages.buildMix rec {
+      remote_ip = beamPackages.buildMix {
         name = "remote_ip";
         version = "0.1.5";
 
         src = fetchFromGitLab {
           domain = "git.pleroma.social";
-          group = "pleroma";
-          owner = "elixir-libraries";
+          owner = "pleroma/elixir-libraries";
           repo = "remote_ip";
           rev = "b647d0deecaa3acb140854fe4bda5b7e1dc6d1c8";
-          sha256 = "0c7vmakcxlcs3j040018i7bfd6z0yq6fjfig02g5fgakx398s0x6";
+          hash = "sha256-pgON0uhTPVeeAC866Qz24Jvm1okoAECAHJrRzqaq+zA=";
         };
-        beamDeps = with final; [ combine plug inet_cidr ];
-      };
-      prometheus_phx = beamPackages.buildMix rec {
-        name = "prometheus_phx";
-        version = "0.1.1";
-
-        preBuild = ''
-          touch config/prod.exs
-       '';
-        src = fetchFromGitLab {
-          domain = "git.pleroma.social";
-          group = "pleroma";
-          owner = "elixir-libraries";
-          repo = "prometheus-phx";
-          rev = "9cd8f248c9381ffedc799905050abce194a97514";
-          sha256 = "0211z4bxb0bc0zcrhnph9kbbvvi1f2v95madpr96pqzr60y21cam";
-        };
-        beamDeps = with final; [ prometheus_ex ];
-      };
-      majic = prev.majic.override {
-        buildInputs = [ file ];
+        beamDeps = with final; [
+          combine
+          plug
+          inet_cidr
+        ];
       };
+      majic = prev.majic.override { buildInputs = [ file ]; };
       # Some additional build inputs and build fixes
       http_signatures = prev.http_signatures.override {
         patchPhase = ''
@@ -98,8 +86,16 @@ beamPackages.mixRelease rec {
         nativeBuildInputs = [ cmake ];
         dontUseCmakeConfigure = true;
       };
-      syslog = prev.syslog.override {
-        buildPlugins = with beamPackages; [ pc ];
+
+      syslog = prev.syslog.override { buildPlugins = with beamPackages; [ pc ]; };
+
+      vix = prev.vix.override {
+        nativeBuildInputs = [ pkg-config ];
+        buildInputs = [
+          vips
+          glib.dev
+        ];
+        VIX_COMPILATION_MODE = "PLATFORM_PROVIDED_LIBVIPS";
       };
 
       # This needs a different version (1.0.14 -> 1.0.18) to build properly with
@@ -132,25 +128,27 @@ beamPackages.mixRelease rec {
           sha256 = "120znzz0yw1994nk6v28zql9plgapqpv51n9g6qm6md1f4x7gj0z";
         };
 
-        beamDeps = [];
+        beamDeps = [ ];
       };
 
       mime = prev.mime.override {
-        patchPhase = let
-          cfgFile = writeText "config.exs" ''
-            use Mix.Config
-            config :mime, :types, %{
-              "application/activity+json" => ["activity+json"],
-              "application/jrd+json" => ["jrd+json"],
-              "application/ld+json" => ["activity+json"],
-              "application/xml" => ["xml"],
-              "application/xrd+xml" => ["xrd+xml"]
-            }
+        patchPhase =
+          let
+            cfgFile = writeText "config.exs" ''
+              use Mix.Config
+              config :mime, :types, %{
+                "application/activity+json" => ["activity+json"],
+                "application/jrd+json" => ["jrd+json"],
+                "application/ld+json" => ["activity+json"],
+                "application/xml" => ["xml"],
+                "application/xrd+xml" => ["xrd+xml"]
+              }
+            '';
+          in
+          ''
+            mkdir config
+            cp ${cfgFile} config/config.exs
           '';
-        in ''
-          mkdir config
-          cp ${cfgFile} config/config.exs
-        '';
       };
     };
   };
@@ -164,7 +162,11 @@ beamPackages.mixRelease rec {
     description = "ActivityPub microblogging server";
     homepage = "https://git.pleroma.social/pleroma/pleroma";
     license = licenses.agpl3Only;
-    maintainers = with maintainers; [ picnoir kloenk yayayayaka ];
+    maintainers = with maintainers; [
+      picnoir
+      kloenk
+      yayayayaka
+    ];
     platforms = platforms.unix;
   };
 }

pkgs/top-level/all-packages.nix

@@ -11337,8 +11337,8 @@ with pkgs;
   tautulli = python3Packages.callPackage ../servers/tautulli { };
 
   pleroma = callPackage ../servers/pleroma {
-    elixir = elixir_1_14;
-    beamPackages = beamPackages.extend (self: super: { elixir = elixir_1_14; });
+    elixir = elixir_1_17;
+    beamPackages = beamPackages.extend (self: super: { elixir = elixir_1_17; });
   };
 
   plfit = callPackage ../tools/misc/plfit {