Merge branch 'wip/ryot-secret'

2023-06-26 13:17:37 +02:00 · 2023-06-26 13:17:37 +02:00 · 520f23a088
parent 856d6caa9d 3080cdab80
commit 520f23a088
14 changed files with 9798 additions and 2994 deletions
--- a/hosts/gitea/pkgs/ryot/default.nix
+++ b/hosts/gitea/pkgs/ryot/default.nix
@ -4,12 +4,12 @@
  craneLib,
 }: let
  pname = "ryot";
-  version = "v1.0.0-beta.52";
+  version = "v1.4.0";
  src = pkgs.fetchFromGitHub {
    owner = "ignisda";
    repo = pname;
    rev = version;
-    sha256 = "sha256-iyLOHRnc0UfSOVnDweKdlWSs5sv9F7ZC9FEXIum8XKM=";
+    sha256 = "sha256-CodqKpo7bEQI+Fqav3AJCMIC+2BdxwDuQirxrzq79jg=";
  };
  nodeDependencies = (pkgs.callPackage ./node {}).nodeDependencies;
  cargoDependencies = craneLib.vendorCargoDeps {
--- a/hosts/gitea/pkgs/ryot/node/default.nix
+++ b/hosts/gitea/pkgs/ryot/node/default.nix
@ -2,7 +2,7 @@

 {pkgs ? import <nixpkgs> {
    inherit system;
-  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
+  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs_14"}:

 let
  nodeEnv = import ./node-env.nix {
--- a/hosts/gitea/pkgs/ryot/node/frontend-package.json
+++ b/hosts/gitea/pkgs/ryot/node/frontend-package.json
@ -15,22 +15,20 @@
 		"@ryot/generated": "workspace:*",
 		"@ryot/graphql": "workspace:*",
 		"@tabler/icons-react": "2.16.0",
-		"@tanstack/react-query": "4.29.3",
+		"@tanstack/react-query": "4.29.15",
 		"dayjs": "1.11.7",
 		"embla-carousel-react": "7.1.0",
 		"human-format": "1.2.0",
 		"humanize-duration-ts": "2.1.1",
 		"lodash": "4.17.21",
 		"luxon": "3.3.0",
-		"next": "13.3.0",
+		"next": "13.4.6",
+		"next-pwa": "5.6.0",
 		"react": "18.2.0",
 		"react-cookie": "4.1.1",
 		"react-dom": "18.2.0",
-		"react-markdown": "8.0.7",
-		"slugify": "1.6.6",
 		"tiny-invariant": "1.3.1",
 		"ts-pattern": "4.3.0",
-		"typescript": "5.0.4",
 		"zod": "3.21.4"
 	},
 	"devDependencies": {
--- a/hosts/gitea/pkgs/ryot/node/graphql-package.json
+++ b/hosts/gitea/pkgs/ryot/node/graphql-package.json
@ -2,7 +2,7 @@
 	"name": "@ryot/graphql",
 	"dependencies": {
 		"@ryot/generated": "workspace:*",
-		"graphql-request": "6.0.0",
+		"graphql-request": "6.1.0",
 		"graphql-scalars": "1.21.3"
 	}
 }
--- a/hosts/gitea/pkgs/ryot/node/node-env.nix
+++ b/hosts/gitea/pkgs/ryot/node/node-env.nix
@ -165,7 +165,11 @@ let
          if(process.argv[2] == "development") {
              replaceDependencies(packageObj.devDependencies);
          }
+          else {
+              packageObj.devDependencies = {};
+          }
          replaceDependencies(packageObj.optionalDependencies);
+          replaceDependencies(packageObj.peerDependencies);

          /* Write the fixed package.json file */
          fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
@ -270,7 +274,7 @@ let

  # Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
  reconstructPackageLock = writeTextFile {
-    name = "addintegrityfields.js";
+    name = "reconstructpackagelock.js";
    text = ''
      var fs = require('fs');
      var path = require('path');
@ -280,25 +284,43 @@ let
      var lockObj = {
          name: packageObj.name,
          version: packageObj.version,
-          lockfileVersion: 1,
+          lockfileVersion: 2,
          requires: true,
+          packages: {
+              "": {
+                  name: packageObj.name,
+                  version: packageObj.version,
+                  license: packageObj.license,
+                  bin: packageObj.bin,
+                  dependencies: packageObj.dependencies,
+                  engines: packageObj.engines,
+                  optionalDependencies: packageObj.optionalDependencies
+              }
+          },
          dependencies: {}
      };

-      function augmentPackageJSON(filePath, dependencies) {
+      function augmentPackageJSON(filePath, packages, dependencies) {
          var packageJSON = path.join(filePath, "package.json");
          if(fs.existsSync(packageJSON)) {
              var packageObj = JSON.parse(fs.readFileSync(packageJSON));
+              packages[filePath] = {
+                  version: packageObj.version,
+                  integrity: "sha1-000000000000000000000000000=",
+                  dependencies: packageObj.dependencies,
+                  engines: packageObj.engines,
+                  optionalDependencies: packageObj.optionalDependencies
+              };
              dependencies[packageObj.name] = {
                  version: packageObj.version,
                  integrity: "sha1-000000000000000000000000000=",
                  dependencies: {}
              };
-              processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
+              processDependencies(path.join(filePath, "node_modules"), packages, dependencies[packageObj.name].dependencies);
          }
      }

-      function processDependencies(dir, dependencies) {
+      function processDependencies(dir, packages, dependencies) {
          if(fs.existsSync(dir)) {
              var files = fs.readdirSync(dir);

@ -314,23 +336,84 @@ let
                          pkgFiles.forEach(function(entry) {
                              if(stats.isDirectory()) {
                                  var pkgFilePath = path.join(filePath, entry);
-                                  augmentPackageJSON(pkgFilePath, dependencies);
+                                  augmentPackageJSON(pkgFilePath, packages, dependencies);
                              }
                          });
                      } else {
-                          augmentPackageJSON(filePath, dependencies);
+                          augmentPackageJSON(filePath, packages, dependencies);
                      }
                  }
              });
          }
      }

-      processDependencies("node_modules", lockObj.dependencies);
+      processDependencies("node_modules", lockObj.packages, lockObj.dependencies);

      fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
    '';
  };

+  # Script that links bins defined in package.json to the node_modules bin directory
+  # NPM does not do this for top-level packages itself anymore as of v7
+  linkBinsScript = writeTextFile {
+    name = "linkbins.js";
+    text = ''
+      var fs = require('fs');
+      var path = require('path');
+
+      var packageObj = JSON.parse(fs.readFileSync("package.json"));
+
+      var nodeModules = Array(packageObj.name.split("/").length).fill("..").join(path.sep);
+
+      if(packageObj.bin !== undefined) {
+          fs.mkdirSync(path.join(nodeModules, ".bin"))
+
+          if(typeof packageObj.bin == "object") {
+              Object.keys(packageObj.bin).forEach(function(exe) {
+                  if(fs.existsSync(packageObj.bin[exe])) {
+                      console.log("linking bin '" + exe + "'");
+                      fs.symlinkSync(
+                          path.join("..", packageObj.name, packageObj.bin[exe]),
+                          path.join(nodeModules, ".bin", exe)
+                      );
+                  }
+                  else {
+                      console.log("skipping non-existent bin '" + exe + "'");
+                  }
+              })
+          }
+          else {
+              if(fs.existsSync(packageObj.bin)) {
+                  console.log("linking bin '" + packageObj.bin + "'");
+                  fs.symlinkSync(
+                      path.join("..", packageObj.name, packageObj.bin),
+                      path.join(nodeModules, ".bin", packageObj.name.split("/").pop())
+                  );
+              }
+              else {
+                  console.log("skipping non-existent bin '" + packageObj.bin + "'");
+              }
+          }
+      }
+      else if(packageObj.directories !== undefined && packageObj.directories.bin !== undefined) {
+          fs.mkdirSync(path.join(nodeModules, ".bin"))
+
+          fs.readdirSync(packageObj.directories.bin).forEach(function(exe) {
+              if(fs.existsSync(path.join(packageObj.directories.bin, exe))) {
+                  console.log("linking bin '" + exe + "'");
+                  fs.symlinkSync(
+                      path.join("..", packageObj.name, packageObj.directories.bin, exe),
+                      path.join(nodeModules, ".bin", exe)
+                  );
+              }
+              else {
+                  console.log("skipping non-existent bin '" + exe + "'");
+              }
+          })
+      }
+    '';
+  };
+
  prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
    let
      forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
@ -377,13 +460,18 @@ let

        npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild

+        runHook postRebuild
+
        if [ "''${dontNpmInstall-}" != "1" ]
        then
            # NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
            rm -f npm-shrinkwrap.json

-            npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
+            npm ${forceOfflineFlag} --nodedir=${nodeSources} --no-bin-links --ignore-scripts ${npmFlags} ${lib.optionalString production "--production"} install
        fi
+
+        # Link executables defined in package.json
+        node ${linkBinsScript}
    '';

  # Builds and composes an NPM package including all its dependencies
@ -442,12 +530,15 @@ let
        then
            ln -s $out/lib/node_modules/.bin $out/bin

-            # Patch the shebang lines of all the executables
+            # Fixup all executables
            ls $out/bin/* | while read i
            do
                file="$(readlink -f "$i")"
                chmod u+rwx "$file"
-                patchShebangs "$file"
+                if isScript "$file"
+                then
+                    sed -i 's/\r$//' "$file"  # convert crlf to lf
+                fi
            done
        fi

--- a/hosts/gitea/pkgs/ryot/node/node-packages.nix
+++ b/hosts/gitea/pkgs/ryot/node/node-packages.nix
--- a/hosts/gitea/pkgs/ryot/node/package-lock.json
+++ b/hosts/gitea/pkgs/ryot/node/package-lock.json
--- a/hosts/gitea/pkgs/ryot/node/package.json
+++ b/hosts/gitea/pkgs/ryot/node/package.json
@ -1,11 +1,11 @@
 {
  "name": "ryot",
  "dependencies": {
-    "graphql-request": "6.0.0",
+    "graphql-request": "6.1.0",
    "graphql-scalars": "1.21.3",
    "rome": "12.1.0",
    "tsconfig-moon": "1.3.0",
-    "typescript": "5.0.4",
+    "typescript": "5.1.3",
    "@emotion/react": "11.10.6",
    "@emotion/server": "11.10.0",
    "@mantine/carousel": "6.0.8",
@ -17,19 +17,18 @@
    "@mantine/next": "6.0.8",
    "@mantine/notifications": "6.0.8",
    "@tabler/icons-react": "2.16.0",
-    "@tanstack/react-query": "4.29.3",
+    "@tanstack/react-query": "4.29.15",
    "dayjs": "1.11.7",
    "embla-carousel-react": "7.1.0",
    "human-format": "1.2.0",
    "humanize-duration-ts": "2.1.1",
    "lodash": "4.17.21",
    "luxon": "3.3.0",
-    "next": "13.3.0",
+    "next": "13.4.6",
+    "next-pwa": "5.6.0",
    "react": "18.2.0",
    "react-cookie": "4.1.1",
    "react-dom": "18.2.0",
-    "react-markdown": "8.0.7",
-    "slugify": "1.6.6",
    "tiny-invariant": "1.3.1",
    "ts-pattern": "4.3.0",
    "zod": "3.21.4",
--- a/hosts/gitea/pkgs/ryot/node/ryot-package.json
+++ b/hosts/gitea/pkgs/ryot/node/ryot-package.json
@ -11,6 +11,6 @@
 	"devDependencies": {
 		"rome": "12.1.0",
 		"tsconfig-moon": "1.3.0",
-		"typescript": "5.0.2"
+		"typescript": "5.1.3"
 	}
 }
--- a/hosts/gitea/services/default.nix
+++ b/hosts/gitea/services/default.nix
@ -4,6 +4,6 @@
    ./postgres.nix
    ./nginx.nix
    ./sshd.nix
-    ./ryot.nix
+    ./ryot
  ];
 }
--- a/hosts/gitea/services/ryot.nix
+++ b/hosts/gitea/services/ryot.nix
@ -1,14 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}: {
-  services.ryot = rec {
-    enable = true;
-    database.socket = "/var/run/postgresql";
-    cors_urls = ["https://ryot.pid1.sh" "https://ryot.nyx" "http://192.168.1.7:8001"];
-    port = 8001;
-    https = false;
-  };
-  networking.firewall.allowedTCPPorts = [config.services.ryot.port];
-}
--- a/hosts/gitea/services/ryot/.gitattributes
+++ b/hosts/gitea/services/ryot/.gitattributes
@ -0,0 +1 @@
+secrets.nix filter=git-crypt diff=git-crypt
--- a/hosts/gitea/services/ryot/default.nix
+++ b/hosts/gitea/services/ryot/default.nix
@ -0,0 +1,30 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  optHashedImport = {
+    path,
+    sha256,
+  }: let
+    hash = builtins.hashFile "sha256" path;
+  in
+    if hash != sha256
+    then builtins.trace "hash mismatch of ${path}:\nwanted: ${sha256}\ngot: ${hash}" []
+    else [path];
+in {
+  imports = optHashedImport {
+    path = ./secrets.nix;
+    sha256 = "ed57a9ae39e7cff41216ba87100fa4b129e989a735172d6769a6e7a5fca9b85f";
+  };
+
+  services.ryot = rec {
+    enable = true;
+    database.socket = "/var/run/postgresql";
+    cors_urls = ["https://ryot.pid1.sh" "https://ryot.nyx" "http://192.168.1.7:8001"];
+    port = 8001;
+    https = false;
+  };
+  networking.firewall.allowedTCPPorts = [config.services.ryot.port];
+}
--- a/hosts/gitea/services/ryot/secrets.nix
+++ b/hosts/gitea/services/ryot/secrets.nix