From 1feea3fe58cbaa709bdf91925860c2c96680e61d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 23 May 2021 22:07:22 +0200 Subject: [PATCH] Add cryptpad to ressourcerie banon --- .../websites/ressourcerie_banon/cryptpad.nix | 117 ++- nixops/secrets | 2 +- pkgs/cryptpad/bower-packages.nix | 42 + pkgs/cryptpad/default.nix | 70 ++ pkgs/cryptpad/generate.sh | 11 + pkgs/cryptpad/node-env.nix | 567 +++++++++++++ pkgs/cryptpad/node-packages-generated.nix | 754 ++++++++++++++++++ pkgs/cryptpad/node-packages.json | 3 + pkgs/cryptpad/node-packages.nix | 17 + pkgs/default.nix | 1 + 10 files changed, 1580 insertions(+), 4 deletions(-) create mode 100644 pkgs/cryptpad/bower-packages.nix create mode 100644 pkgs/cryptpad/default.nix create mode 100755 pkgs/cryptpad/generate.sh create mode 100644 pkgs/cryptpad/node-env.nix create mode 100644 pkgs/cryptpad/node-packages-generated.nix create mode 100644 pkgs/cryptpad/node-packages.json create mode 100644 pkgs/cryptpad/node-packages.nix diff --git a/modules/private/websites/ressourcerie_banon/cryptpad.nix b/modules/private/websites/ressourcerie_banon/cryptpad.nix index 961302d..09e938b 100644 --- a/modules/private/websites/ressourcerie_banon/cryptpad.nix +++ b/modules/private/websites/ressourcerie_banon/cryptpad.nix @@ -1,7 +1,31 @@ { lib, pkgs, config, ... }: let cfg = config.myServices.websites.ressourcerie_banon.cryptpad; - configFile = "${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js"; + port = config.myEnv.ports.cryptpad_ressourcerie_banon; + configFile = pkgs.writeText "config.js" '' + // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js + module.exports = { + httpUnsafeOrigin: 'https://${domain}', + httpPort: ${toString port}, + adminEmail: 'devnull@mail.immae.eu', + filePath: './datastore/', + archivePath: './data/archive', + pinPath: './data/pins', + taskPath: './data/tasks', + blockPath: './block', + blobPath: './blob', + blobStagingPath: './data/blobstage', + decreePath: './data/decrees', + logPath: './data/logs', + logToStdout: false, + logLevel: 'info', + logFeedback: false, + verbose: false, + }; + ''; + domain = "pad.le-garage-autonome.org"; + api_domain = "pad.le-garage-autonome.org"; + files_domain = "pad.le-garage-autonome.org"; in { options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad"; @@ -23,11 +47,98 @@ in { WorkingDirectory = "%S/cryptpad/ressourcerie_banon"; }; }; + services.websites.env.production.modules = [ "proxy_wstunnel" ]; services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = { certName = "ressourcerie_banon"; addToCerts = true; - hosts = ["pad.le-garage-autonome.org"]; - root = null; + hosts = [domain]; + root = "${pkgs.cryptpad}/lib/node_modules/cryptpad"; + extraConfig = [ + '' + RewriteEngine On + + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + Header set X-XSS-Protection "1; mode=block" + Header set X-Content-Type-Options "nosniff" + Header set Access-Control-Allow-Origin "*" + Header set Permissions-Policy "interest-cohort=()" + + Header set Cross-Origin-Resource-Policy "cross-origin" + + Header set Cross-Origin-Opener-Policy "same-origin" + + Header set Cross-Origin-Embedder-Policy "require-corp" + + ErrorDocument 404 /customize.dist/404.html + + + Header set Cache-Control "max-age=31536000" + + + Header set Cache-Control "no-cache" + + + SetEnv styleSrc "'unsafe-inline' 'self' ${domain}" + SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}" + SetEnv fontSrc "'self' data: ${domain}" + SetEnv imgSrc "'self' data: * blob: ${domain}" + SetEnv frameSrc "'self' blob:" + SetEnv mediaSrc "'self' data: * blob: ${domain}" + SetEnv childSrc "https://${domain}" + SetEnv workerSrc "https://${domain}" + SetEnv scriptSrc "'self' resource: ${domain}" + + Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;" + + RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC] + RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC] + RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L] + + RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L] + + ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1" + ProxyPassReverse /api http://localhost:${toString port}/api + ProxyPreserveHost On + RequestHeader set X-Real-IP %{REMOTE_ADDR}s + + + Header set Cache-Control "max-age=31536000" + Header set Access-Control-Allow-Origin "*" + Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" + Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length" + Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length" + + RewriteCond %{REQUEST_METHOD} OPTIONS + RewriteRule ^(.*)$ $1 [R=204,L] + + + + Header set Cache-Control "max-age=0" + + + RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L] + + RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f + RewriteRule (.*) /www/$1 [L] + + RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f + RewriteRule (.*) /www/$1/index.html [L] + + RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f + RewriteRule (.*) /customize.dist/$1 [L] + + + AllowOverride None + Require all granted + DirectoryIndex index.html + + + AllowOverride None + Require all granted + DirectoryIndex index.html + + '' + ]; }; }; } diff --git a/nixops/secrets b/nixops/secrets index f541869..dc23979 160000 --- a/nixops/secrets +++ b/nixops/secrets @@ -1 +1 @@ -Subproject commit f5418699b19f968c232c3e6cdad79b4df1616c6e +Subproject commit dc2397900948d968bd5e1a32447d486edc626c4c diff --git a/pkgs/cryptpad/bower-packages.nix b/pkgs/cryptpad/bower-packages.nix new file mode 100644 index 0000000..80ce9b5 --- /dev/null +++ b/pkgs/cryptpad/bower-packages.nix @@ -0,0 +1,42 @@ +# Generated by bower2nix v3.2.0 (https://github.com/rvl/bower2nix) +{ fetchbower, buildEnv }: +buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [ + (fetchbower "jquery" "2.1.0" "~2.1.0" "02kwvz93vzpv10qnp7s0dz3al0jh77awwrizb6wadsvgifxssnlr") + (fetchbower "jquery" "2.2.4" "2.2.4" "0kaln93pzjlr4vqf2zvsm9dwgjkrii9xlsqg48hc1vs16cl109rn") + (fetchbower "tweetnacl" "0.12.2" "0.12.2" "1lfzbfrdaly3zyzbcp1p53yhxlrx56k8x04q924kg7l52gblm65g") + (fetchbower "components-font-awesome" "4.7.0" "^4.6.3" "1w27im6ayjrbgjqa0i49ml5d3wy4ld40h9b29hz9myv77bpx4lg1") + (fetchbower "ckeditor" "4.14.0" "4.14.0" "0lw9q0k8c0jlxvf35vrccab9c3c8rgpc6x66czj9si8yy2lyliyp") + (fetchbower "codemirror" "5.56.0+components1" "^5.19.0" "0fv8rxw6dspyv4bl6p2aka57544f45527rallnhnm5scv77qnakm") + (fetchbower "requirejs" "2.3.5" "2.3.5" "05lyvgz914h2w08r24rk0vkk3yxmqrvlg7j3i5av9ffkg9lpzsli") + (fetchbower "marked" "1.1.0" "1.1.0" "1sdgqw9iki9c1pfm4c5h6c956mchbip2jywjrcmrlb75k53flsjz") + (fetchbower "rangy" "rangy-release#1.3.0" "rangy-release#~1.3.0" "13x3wci003p8jyv2ncir0k23bxckx99b3555r0zvgmlwycg7w0zv") + (fetchbower "json.sortify" "2.1.0" "~2.1.0" "1rz9xz0gnm4ak31n10vhslqsw8fw493gjylwj8xsy3bxqq1ygpnh") + (fetchbower "secure-fabric.js" "secure-v1.7.9" "secure-v1.7.9" "1l56mk7hbnsm9cdg5zdcmg95p7a9w96dq0bbl8fp11vs0awjil7a") + (fetchbower "hyperjson" "1.4.0" "~1.4.0" "1n68ls3x4lyhg1yy8i4q3xkgh5xqpyakf45sny4x91mkr68x4bd9") + (fetchbower "chainpad-crypto" "0.2.4" "^0.2.0" "0sqqc2j0pc34ig6319n18i85j03hibqkhz3cbr70vbd8x43vfzby") + (fetchbower "chainpad-listmap" "0.10.0" "^0.10.0" "0qh9pv33v5aqfir9mvm4wqdgryj90b78dl0shn9cxfy9xlc0m8w5") + (fetchbower "chainpad" "5.2.2" "^5.2.0" "1rmh039bqk11xnnh99sqrqksr4idly75y5q4f5wyl9cg4slsqrdp") + (fetchbower "file-saver" "1.3.1" "1.3.1" "065nzkvdiicxnw06z1sjz1sbp9nyis8z839hv6ng1fk25dc5kvkg") + (fetchbower "alertifyjs" "1.0.11" "1.0.11" "0v7323bzq90k35shm3h6azj4wd9la3kbi1va1pw4qyvndkwma69l") + (fetchbower "scrypt-async" "1.2.0" "1.2.0" "0d076ax708p9b8hcmk4f82j925nlnm0hmp0ni45ql37g7iirfpyv") + (fetchbower "require-css" "0.1.10" "0.1.10" "106gz9i76v71q9zx2pnqkkj342m630lvssnw54023a0ljc0gqcwq") + (fetchbower "less" "3.7.1" "3.7.1" "1n7ps4xlbrc9m63b3q62mg3p6i7d5hwchhpjshb0drzj5crvz556") + (fetchbower "bootstrap" "3.1.1" "~3.1.1" "06bhjwa8p7mzbpr3jkgydd804z1nwrkdql66h7jkfml99psv9811") + (fetchbower "bootstrap" "4.5.0" "^v4.0.0" "0cfdn6z8jwx6y8lbbq6xpkfhq2vra0i84nkj9ji2bil1fzgzi40f") + (fetchbower "diff-dom" "2.1.1" "2.1.1" "0nrn6xqlhp0p5ixjxdk8qg3939crkggh1l8swd20d7bsz186l5f1") + (fetchbower "nthen" "0.1.7" "0.1.7" "03yap5ildigaw4rwxmxs37pcwhq415iham8w39zd56ka98gpfxa5") + (fetchbower "open-sans-fontface" "1.4.2" "^1.4.2" "0ksav1fcq640fmdz49ra4prwsrrfj35y2p4shx1jh1j7zxd044nf") + (fetchbower "bootstrap-tokenfield" "0.12.1" "^0.12.1" "0ib1v5k8h360sp19yiy7q92rfaz2554fvwwg2ixmxn01ydqlprw6") + (fetchbower "localforage" "1.8.1" "^1.5.2" "0ci265385racnxvn4g1n672yaxi47msw6k042nxdb5vlpf5g327j") + (fetchbower "html2canvas" "0.4.1" "^0.4.1" "0yg7y90nav068q0i5afc2c221zkddpf28hi0hwc46cawx4180c69") + (fetchbower "croppie" "2.6.5" "^2.5.0" "1j1v5620zi13ad42r358i4ay891abwn6nz357484kgq2bgjj6ccx") + (fetchbower "sortablejs" "1.10.2" "^1.6.0" "10q4gyblhjy7w51clr0k9j7h722l4ybzn5535givwpmp6xagv11v") + (fetchbower "saferphore" "0.0.1" "^0.0.1" "1wfr9wpbm3lswmvy2p0247ydb108h4qh5s286py89k871qh6jwdi") + (fetchbower "jszip" "Stuk/jszip#3.5.0" "Stuk/jszip#^3.1.5" "1ra19d82cq1hrnbw88l8c61bs12kpgxvbfiiwpfi8fhy0l8hcsvk") + (fetchbower "requirejs-plugins" "1.0.3" "^1.0.3" "00s3sdz1ykygx5shldwhhhybwgw7c99vkqd94i5i5x0gl97ifxf5") + (fetchbower "dragula.js" "3.7.2" "3.7.2" "0dbkmrl8bcxiplprmmp9fj96ri5nahb2ql8cc7zwawncv0drvlh0") + (fetchbower "MathJax" "3.0.5" "3.0.5" "087a9av15qj43m8pr3b9g59ncmydhmg40m6dfzsac62ykianh2a0") + (fetchbower "chainpad-netflux" "0.12.0" "^0.12.0" "1miym3fiyi0mxmrkb3c96fgr2zbcbmmb38sg0jr4d3inxf6r00zp") + (fetchbower "netflux-websocket" "0.1.20" "^0.1.20" "1xwqq7nw7fmhglndbplarkdzxfmkq831aqs8nm6qj0hz2ggbibhz") + (fetchbower "es6-promise" "3.3.1" "^3.2.2" "0ai6z5admfs84fdx6663ips49kqgz4x68ays78cic0xfb7pp6vcz") +]; } diff --git a/pkgs/cryptpad/default.nix b/pkgs/cryptpad/default.nix new file mode 100644 index 0000000..1e8c756 --- /dev/null +++ b/pkgs/cryptpad/default.nix @@ -0,0 +1,70 @@ +# taken from nixpkgs to upgrade to latest version +{ stdenv +, pkgs +, lib +, buildBowerComponents +, fetchurl +, nodejs +}: + +let + nodePackages = import ./node-packages.nix { + inherit pkgs nodejs; + inherit (stdenv.hostPlatform) system; + }; + + bowerPackages = buildBowerComponents { + name = "${cryptpad.name}-bower-packages"; + # this list had to be tweaked by hand: + # * add the second jquery ~2.1.0 entry + # * add the second bootstrap ~3.1.1 entry + generated = ./bower-packages.nix; + src = cryptpad.src; + }; + + # find an element in an attribute set + findValue = pred: default: set: + let + list = + lib.concatMap + (name: + let v = set.${name}; in + if pred name v then [v] else [] + ) + (lib.attrNames set) + ; + in + if list == [] then default + else lib.head list + ; + + # The cryptpad package attribute key changes for each release. Get it out + # programatically instead. + cryptpad = findValue + (k: v: v.packageName == "cryptpad") + (throw "cryptpad not found") + nodePackages + ; + + combined = cryptpad.override { + postInstall = '' + out_cryptpad=$out/lib/node_modules/cryptpad + + substituteInPlace $out_cryptpad/lib/workers/index.js --replace "lib/workers/db-worker" "$out_cryptpad/lib/workers/db-worker" + + # add the bower components + ln -sv \ + ${bowerPackages}/bower_components \ + $out_cryptpad/www/bower_components + + # add executable + mkdir $out/bin + cat < $out/bin/cryptpad + #!${stdenv.shell} + exec ${nodejs}/bin/node $out_cryptpad/server.js + EOF + chmod +x $out/bin/cryptpad + ''; + }; +in + combined diff --git a/pkgs/cryptpad/generate.sh b/pkgs/cryptpad/generate.sh new file mode 100755 index 0000000..697b5a7 --- /dev/null +++ b/pkgs/cryptpad/generate.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env nix-shell +#! nix-shell -i bash -I nixpkgs=../../../.. -p nodePackages.node2nix nodePackages.bower2nix +set -euo pipefail + +node2nix --nodejs-12 \ + --input node-packages.json \ + --output node-packages-generated.nix \ + --composition node-packages.nix \ + --node-env ../../../development/node-packages/node-env.nix \ + +# TODO: bower2nix > bower-packages.nix diff --git a/pkgs/cryptpad/node-env.nix b/pkgs/cryptpad/node-env.nix new file mode 100644 index 0000000..c2b7231 --- /dev/null +++ b/pkgs/cryptpad/node-env.nix @@ -0,0 +1,567 @@ +# This file originates from node2nix + +{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile}: + +let + # Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master + utillinux = if pkgs ? utillinux then pkgs.utillinux else pkgs.util-linux; + + python = if nodejs ? python then nodejs.python else python2; + + # Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise + tarWrapper = runCommand "tarWrapper" {} '' + mkdir -p $out/bin + + cat > $out/bin/tar <> $out/nix-support/hydra-build-products + ''; + }; + + includeDependencies = {dependencies}: + lib.optionalString (dependencies != []) + (lib.concatMapStrings (dependency: + '' + # Bundle the dependencies of the package + mkdir -p node_modules + cd node_modules + + # Only include dependencies if they don't exist. They may also be bundled in the package. + if [ ! -e "${dependency.name}" ] + then + ${composePackage dependency} + fi + + cd .. + '' + ) dependencies); + + # Recursively composes the dependencies of a package + composePackage = { name, packageName, src, dependencies ? [], ... }@args: + builtins.addErrorContext "while evaluating node package '${packageName}'" '' + DIR=$(pwd) + cd $TMPDIR + + unpackFile ${src} + + # Make the base dir in which the target dependency resides first + mkdir -p "$(dirname "$DIR/${packageName}")" + + if [ -f "${src}" ] + then + # Figure out what directory has been unpacked + packageDir="$(find . -maxdepth 1 -type d | tail -1)" + + # Restore write permissions to make building work + find "$packageDir" -type d -exec chmod u+x {} \; + chmod -R u+w "$packageDir" + + # Move the extracted tarball into the output folder + mv "$packageDir" "$DIR/${packageName}" + elif [ -d "${src}" ] + then + # Get a stripped name (without hash) of the source directory. + # On old nixpkgs it's already set internally. + if [ -z "$strippedName" ] + then + strippedName="$(stripHash ${src})" + fi + + # Restore write permissions to make building work + chmod -R u+w "$strippedName" + + # Move the extracted directory into the output folder + mv "$strippedName" "$DIR/${packageName}" + fi + + # Unset the stripped name to not confuse the next unpack step + unset strippedName + + # Include the dependencies of the package + cd "$DIR/${packageName}" + ${includeDependencies { inherit dependencies; }} + cd .. + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + ''; + + pinpointDependencies = {dependencies, production}: + let + pinpointDependenciesFromPackageJSON = writeTextFile { + name = "pinpointDependencies.js"; + text = '' + var fs = require('fs'); + var path = require('path'); + + function resolveDependencyVersion(location, name) { + if(location == process.env['NIX_STORE']) { + return null; + } else { + var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json"); + + if(fs.existsSync(dependencyPackageJSON)) { + var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON)); + + if(dependencyPackageObj.name == name) { + return dependencyPackageObj.version; + } + } else { + return resolveDependencyVersion(path.resolve(location, ".."), name); + } + } + } + + function replaceDependencies(dependencies) { + if(typeof dependencies == "object" && dependencies !== null) { + for(var dependency in dependencies) { + var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency); + + if(resolvedVersion === null) { + process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n"); + } else { + dependencies[dependency] = resolvedVersion; + } + } + } + } + + /* Read the package.json configuration */ + var packageObj = JSON.parse(fs.readFileSync('./package.json')); + + /* Pinpoint all dependencies */ + replaceDependencies(packageObj.dependencies); + if(process.argv[2] == "development") { + replaceDependencies(packageObj.devDependencies); + } + replaceDependencies(packageObj.optionalDependencies); + + /* Write the fixed package.json file */ + fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2)); + ''; + }; + in + '' + node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"} + + ${lib.optionalString (dependencies != []) + '' + if [ -d node_modules ] + then + cd node_modules + ${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies} + cd .. + fi + ''} + ''; + + # Recursively traverses all dependencies of a package and pinpoints all + # dependencies in the package.json file to the versions that are actually + # being used. + + pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args: + '' + if [ -d "${packageName}" ] + then + cd "${packageName}" + ${pinpointDependencies { inherit dependencies production; }} + cd .. + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + fi + ''; + + # Extract the Node.js source code which is used to compile packages with + # native bindings + nodeSources = runCommand "node-sources" {} '' + tar --no-same-owner --no-same-permissions -xf ${nodejs.src} + mv node-* $out + ''; + + # Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty) + addIntegrityFieldsScript = writeTextFile { + name = "addintegrityfields.js"; + text = '' + var fs = require('fs'); + var path = require('path'); + + function augmentDependencies(baseDir, dependencies) { + for(var dependencyName in dependencies) { + var dependency = dependencies[dependencyName]; + + // Open package.json and augment metadata fields + var packageJSONDir = path.join(baseDir, "node_modules", dependencyName); + var packageJSONPath = path.join(packageJSONDir, "package.json"); + + if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored + console.log("Adding metadata fields to: "+packageJSONPath); + var packageObj = JSON.parse(fs.readFileSync(packageJSONPath)); + + if(dependency.integrity) { + packageObj["_integrity"] = dependency.integrity; + } else { + packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads. + } + + if(dependency.resolved) { + packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided + } else { + packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories. + } + + if(dependency.from !== undefined) { // Adopt from property if one has been provided + packageObj["_from"] = dependency.from; + } + + fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2)); + } + + // Augment transitive dependencies + if(dependency.dependencies !== undefined) { + augmentDependencies(packageJSONDir, dependency.dependencies); + } + } + } + + if(fs.existsSync("./package-lock.json")) { + var packageLock = JSON.parse(fs.readFileSync("./package-lock.json")); + + if(![1, 2].includes(packageLock.lockfileVersion)) { + process.stderr.write("Sorry, I only understand lock file versions 1 and 2!\n"); + process.exit(1); + } + + if(packageLock.dependencies !== undefined) { + augmentDependencies(".", packageLock.dependencies); + } + } + ''; + }; + + # Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes + reconstructPackageLock = writeTextFile { + name = "addintegrityfields.js"; + text = '' + var fs = require('fs'); + var path = require('path'); + + var packageObj = JSON.parse(fs.readFileSync("package.json")); + + var lockObj = { + name: packageObj.name, + version: packageObj.version, + lockfileVersion: 1, + requires: true, + dependencies: {} + }; + + function augmentPackageJSON(filePath, dependencies) { + var packageJSON = path.join(filePath, "package.json"); + if(fs.existsSync(packageJSON)) { + var packageObj = JSON.parse(fs.readFileSync(packageJSON)); + dependencies[packageObj.name] = { + version: packageObj.version, + integrity: "sha1-000000000000000000000000000=", + dependencies: {} + }; + processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies); + } + } + + function processDependencies(dir, dependencies) { + if(fs.existsSync(dir)) { + var files = fs.readdirSync(dir); + + files.forEach(function(entry) { + var filePath = path.join(dir, entry); + var stats = fs.statSync(filePath); + + if(stats.isDirectory()) { + if(entry.substr(0, 1) == "@") { + // When we encounter a namespace folder, augment all packages belonging to the scope + var pkgFiles = fs.readdirSync(filePath); + + pkgFiles.forEach(function(entry) { + if(stats.isDirectory()) { + var pkgFilePath = path.join(filePath, entry); + augmentPackageJSON(pkgFilePath, dependencies); + } + }); + } else { + augmentPackageJSON(filePath, dependencies); + } + } + }); + } + } + + processDependencies("node_modules", lockObj.dependencies); + + fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2)); + ''; + }; + + prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}: + let + forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com"; + in + '' + # Pinpoint the versions of all dependencies to the ones that are actually being used + echo "pinpointing versions of dependencies..." + source $pinpointDependenciesScriptPath + + # Patch the shebangs of the bundled modules to prevent them from + # calling executables outside the Nix store as much as possible + patchShebangs . + + # Deploy the Node.js package by running npm install. Since the + # dependencies have been provided already by ourselves, it should not + # attempt to install them again, which is good, because we want to make + # it Nix's responsibility. If it needs to install any dependencies + # anyway (e.g. because the dependency parameters are + # incomplete/incorrect), it fails. + # + # The other responsibilities of NPM are kept -- version checks, build + # steps, postprocessing etc. + + export HOME=$TMPDIR + cd "${packageName}" + runHook preRebuild + + ${lib.optionalString bypassCache '' + ${lib.optionalString reconstructLock '' + if [ -f package-lock.json ] + then + echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!" + echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!" + rm package-lock.json + else + echo "No package-lock.json file found, reconstructing..." + fi + + node ${reconstructPackageLock} + ''} + + node ${addIntegrityFieldsScript} + ''} + + npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild + + if [ "''${dontNpmInstall-}" != "1" ] + then + # NPM tries to download packages even when they already exist if npm-shrinkwrap is used. + rm -f npm-shrinkwrap.json + + npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install + fi + ''; + + # Builds and composes an NPM package including all its dependencies + buildNodePackage = + { name + , packageName + , version + , dependencies ? [] + , buildInputs ? [] + , production ? true + , npmFlags ? "" + , dontNpmInstall ? false + , bypassCache ? false + , reconstructLock ? false + , preRebuild ? "" + , dontStrip ? true + , unpackPhase ? "true" + , buildPhase ? "true" + , ... }@args: + + let + extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" ]; + in + stdenv.mkDerivation ({ + name = "node_${name}-${version}"; + buildInputs = [ tarWrapper python nodejs ] + ++ lib.optional (stdenv.isLinux) utillinux + ++ lib.optional (stdenv.isDarwin) libtool + ++ buildInputs; + + inherit nodejs; + + inherit dontStrip; # Stripping may fail a build for some package deployments + inherit dontNpmInstall preRebuild unpackPhase buildPhase; + + compositionScript = composePackage args; + pinpointDependenciesScript = pinpointDependenciesOfPackage args; + + passAsFile = [ "compositionScript" "pinpointDependenciesScript" ]; + + installPhase = '' + # Create and enter a root node_modules/ folder + mkdir -p $out/lib/node_modules + cd $out/lib/node_modules + + # Compose the package and all its dependencies + source $compositionScriptPath + + ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }} + + # Create symlink to the deployed executable folder, if applicable + if [ -d "$out/lib/node_modules/.bin" ] + then + ln -s $out/lib/node_modules/.bin $out/bin + fi + + # Create symlinks to the deployed manual page folders, if applicable + if [ -d "$out/lib/node_modules/${packageName}/man" ] + then + mkdir -p $out/share + for dir in "$out/lib/node_modules/${packageName}/man/"* + do + mkdir -p $out/share/man/$(basename "$dir") + for page in "$dir"/* + do + ln -s $page $out/share/man/$(basename "$dir") + done + done + fi + + # Run post install hook, if provided + runHook postInstall + ''; + } // extraArgs); + + # Builds a node environment (a node_modules folder and a set of binaries) + buildNodeDependencies = + { name + , packageName + , version + , src + , dependencies ? [] + , buildInputs ? [] + , production ? true + , npmFlags ? "" + , dontNpmInstall ? false + , bypassCache ? false + , reconstructLock ? false + , dontStrip ? true + , unpackPhase ? "true" + , buildPhase ? "true" + , ... }@args: + + let + extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ]; + in + stdenv.mkDerivation ({ + name = "node-dependencies-${name}-${version}"; + + buildInputs = [ tarWrapper python nodejs ] + ++ lib.optional (stdenv.isLinux) utillinux + ++ lib.optional (stdenv.isDarwin) libtool + ++ buildInputs; + + inherit dontStrip; # Stripping may fail a build for some package deployments + inherit dontNpmInstall unpackPhase buildPhase; + + includeScript = includeDependencies { inherit dependencies; }; + pinpointDependenciesScript = pinpointDependenciesOfPackage args; + + passAsFile = [ "includeScript" "pinpointDependenciesScript" ]; + + installPhase = '' + mkdir -p $out/${packageName} + cd $out/${packageName} + + source $includeScriptPath + + # Create fake package.json to make the npm commands work properly + cp ${src}/package.json . + chmod 644 package.json + ${lib.optionalString bypassCache '' + if [ -f ${src}/package-lock.json ] + then + cp ${src}/package-lock.json . + fi + ''} + + # Go to the parent folder to make sure that all packages are pinpointed + cd .. + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + + ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }} + + # Expose the executables that were installed + cd .. + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + + mv ${packageName} lib + ln -s $out/lib/node_modules/.bin $out/bin + ''; + } // extraArgs); + + # Builds a development shell + buildNodeShell = + { name + , packageName + , version + , src + , dependencies ? [] + , buildInputs ? [] + , production ? true + , npmFlags ? "" + , dontNpmInstall ? false + , bypassCache ? false + , reconstructLock ? false + , dontStrip ? true + , unpackPhase ? "true" + , buildPhase ? "true" + , ... }@args: + + let + nodeDependencies = buildNodeDependencies args; + in + stdenv.mkDerivation { + name = "node-shell-${name}-${version}"; + + buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs; + buildCommand = '' + mkdir -p $out/bin + cat > $out/bin/shell < { + inherit system; + }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}: + +let + nodeEnv = import ./node-env.nix { + inherit (pkgs) stdenv lib python2 runCommand writeTextFile; + inherit pkgs nodejs; + libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null; + }; +in +import ./node-packages-generated.nix { + inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit; + inherit nodeEnv; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index 25ff9d7..7c120a8 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -9,6 +9,7 @@ rec { boinctui = callPackage ./boinctui {}; cnagios = callPackage ./cnagios { inherit mylibs; }; commento = callPackage ./commento {}; + cryptpad = callPackage ./cryptpad {}; duply = callPackage ./duply {}; flrn = callPackage ./flrn { inherit mylibs; slang = callPackage ./slang_1 {}; }; genius = callPackage ./genius {}; -- 2.41.0