526 lines
18 KiB
Markdown
526 lines
18 KiB
Markdown
<!---
|
|
|
|
Template:
|
|
|
|
## Breaking Changes
|
|
|
|
## New Features
|
|
|
|
## User Facing Backwards Compatible Changes
|
|
|
|
## Fixes
|
|
|
|
## Other Changes
|
|
|
|
-->
|
|
|
|
# Upcoming Release
|
|
|
|
# v0.9.0
|
|
|
|
Commits: https://github.com/ibizaman/selfhostblocks/compare/v0.8.0...v0.9.0
|
|
|
|
## Breaking Changes
|
|
|
|
- Updated simple-nixos-mailserver. Update all options following this pattern:
|
|
|
|
```diff
|
|
- mailserver.mailboxes.<name>.specialUse = "value"
|
|
+ mailserver.mailboxes.<name>.special_use = "\\value"
|
|
```
|
|
|
|
Note that simple-nixos-mailserver wanted to upgrade the location of the storage path
|
|
to include the ldap UID instead of the email but I kept the email address.
|
|
This means there is no migration to do.
|
|
- Update nixpkgs [from 6201e2 to abd1ea](https://github.com/ibizaman/selfhostblocks/compare/6201e203d09599479a3b3450ed24fa81537ebc4e...abd1ea17fdbedd48cbca770847b39e3a7a09ab5b).
|
|
|
|
## New Features
|
|
|
|
- Add `shb.zfs.snapshotBeforeActivation` option to take a ZFS snapshot of given datasets before activation.
|
|
See [the manual](https://shb.skarabox.com/blocks-zfs.html) for more details.
|
|
- Add [sanoid block](https://shb.skarabox.com/blocks-sanoid.html)
|
|
- Add option to take snapshot before activation with ZFS block.
|
|
|
|
## Fixes
|
|
|
|
- Fix oidc_login build for Nextcloud
|
|
- Fix mailserver build
|
|
|
|
## Other Changes
|
|
|
|
- Harden lldap configuration
|
|
- Convert ZFS block to system and [add documentation](https://shb.skarabox.com/blocks-zfs.html)
|
|
- Switch monitoring log fetching from deprecated promtail to fluent-bit
|
|
- Add test to catch drift for Let's Encrypt DNS provider
|
|
|
|
# [BROKEN] v0.8.0
|
|
|
|
## Breaking Changes
|
|
|
|
- Bump of Nextcloud version to 32 and 33 because of nixpkgs bump. All provided apps are verified compatible with Nextcloud 33 thanks to new tests.
|
|
|
|
## New Features
|
|
|
|
- Added Immich Public Proxy service
|
|
- Add homepage service with dashboard contract implemented by all services
|
|
- Add scrutiny service.
|
|
- ZFS module now supports setting permissions
|
|
- Add landing page for mailserver and dashboard contract integration
|
|
|
|
## Bug Fixes
|
|
|
|
- Use configurable dataDir in arr stack
|
|
- Forgejo ensures ldap is setup when sso is configured
|
|
- Add nixpkgs patches on aarch64-linux too
|
|
- Self-signed certs are now idempotent
|
|
- Prometheus scrapes metrics at 15s interval instead of 1m
|
|
|
|
## Other Changes
|
|
|
|
- Arr stack declares ldap groups, declare ApiKeys and bypasses auth for readarr when sso is enabled
|
|
- Forgejo declares ldap group
|
|
|
|
# v0.7.3
|
|
|
|
## New Features
|
|
|
|
- Add [mailserver module](https://shb.skarabox.com/services-mailserver.html) integrating with [Simple NixOS Mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) and allowing full backup of an email provider.
|
|
- Bump nixpkgs from https://github.com/NixOS/nixpkgs/commit/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67 to https://github.com/NixOS/nixpkgs/commit/bfc1b8a4574108ceef22f02bafcf6611380c100d. [Full diff](https://github.com/nixos/nixpkgs/compare/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67...bfc1b8a4574108ceef22f02bafcf6611380c100d).
|
|
On top of minor changes, the most notable one was:
|
|
- Updated Jellyfin LDAP and SSO plugins and configuration. @Codys-Wright
|
|
|
|
## Bug Fixes
|
|
|
|
- Fix Restic and Authelia modules referencing systemd services without the `.service` suffix and leading to
|
|
|
|
# v0.7.2
|
|
|
|
## New Features
|
|
|
|
- Forgejo uses secrets contract for smtp password.
|
|
- Add [Firefly-iii](https://shb.skarabox.com/services-firefly-iii.html) service.
|
|
- Jellyfin can [install plugins declaratively](https://shb.skarabox.com/services-jellyfin.html#services-jellyfin-options-shb.jellyfin.plugins).
|
|
(Support is quite crude and WIP).
|
|
- Jellyfin configures LDAP and SSO fully declaratively, including installing necessary plugins.
|
|
- Nextcloud 32 is fully supported thanks to tests for version 31 and 32.
|
|
|
|
## Fixes
|
|
|
|
- Revert Authelia to continue using dots in systemd service names.
|
|
This caused issue with nginx name resolution.
|
|
|
|
## Other Changes
|
|
|
|
- Authelia uses non deprecated `smtp.address` option.
|
|
- Add documentation for Nginx block
|
|
- Now a user which is only member of the admin LDAP group of a service can login.
|
|
Before, some services required a user to be member of both the user and admin LDAP group.
|
|
This is ensured by regression tests going forward.
|
|
|
|
# v0.7.1
|
|
|
|
## New Features
|
|
|
|
- Add a Grafana dashboard showing SSL certificate renewal jobs
|
|
|
|
## Fixes
|
|
|
|
- Fix let's encrypt certificate renewal jobs by removing duplicated domain name.
|
|
Also adds an assertion to catch these kinds of errors.
|
|
|
|
## Other Changes
|
|
|
|
- Reduce number of late SSL renewal alert by merging all metrics corresponding to one CN.
|
|
|
|
# v0.7.0
|
|
|
|
## Breaking Changes
|
|
|
|
- Fix pkgs overrides not being passed to users of SelfHostBlocks.
|
|
This will require to update your flake to follow the example in the [Usage](https://shb.skarabox.com/usage.html) section.
|
|
|
|
## New Features
|
|
|
|
- Add a Grafana dashboard showing stats on backup jobs
|
|
and also an alert if a backup job did not run in the last 24 hours or never succeeded in the last 24 hours.
|
|
- Add SSO integration in Grafana.
|
|
- Add Paperless service.
|
|
|
|
## Fixes
|
|
|
|
- Allow to upload big files in Immich.
|
|
- Only enable php-fpm Prometheus exporter if Nextcloud is enabled.
|
|
|
|
## Other Changes
|
|
|
|
- Add recipe to setup DNS server with DNSSEC.
|
|
|
|
# v0.6.1
|
|
|
|
## New Features
|
|
|
|
- Implement backup and databasebackup contracts with BorgBackup block.
|
|
|
|
## Fixes
|
|
|
|
- Add back erroneously removed Prometheus collectors.
|
|
|
|
# v0.6.0
|
|
|
|
## Breaking Changes
|
|
|
|
- Removed Nextcloud 30, update to Nextcloud 31 then after to 32.
|
|
- Removed the `sops` module in the `default` NixOS module. Removed the `all` NixOS module.
|
|
|
|
## New Features
|
|
|
|
- Meilisearch configured with production environment and master key.
|
|
|
|
## Other Changes
|
|
|
|
- Only import hardcodedsecret module in tests.
|
|
- Better usage section in manual.
|
|
- Added new demo for minimal SelfHostBlocks setup, which is tested in CI.
|
|
- Format all files in repo and make sure they are formatted in CI.
|
|
|
|
# v0.5.1
|
|
|
|
## New Features
|
|
|
|
- Added Karakeep service with SSO integration.
|
|
- Add SelfHostBlocks' `lib` into `pkgs.lib.shb`. Integrates with [Skarabox](https://github.com/ibizaman/skarabox/blob/631ff5af0b5c850bb63a3b3df451df9707c0af4e/template/flake.nix#L42-L43) too.
|
|
|
|
## Other Changes
|
|
|
|
- Moved implementation guide under contributing section.
|
|
|
|
# v0.5.0
|
|
|
|
## Breaking Changes
|
|
|
|
- Modules in the `nixosModules` output field do not anymore have the `system` in their path.
|
|
`selfhostblocks.nixosModules.x86_64-linux.home-assistant` becomes `selfhostblocks.nixosModules.home-assistant`
|
|
like it always should have been.
|
|
|
|
## Fixes
|
|
|
|
- Added test case making sure a user belonging to a not authorized LDAP group cannot login.
|
|
Fixed Open WebUI module.
|
|
- Now importing a single module, like `selfhostblocks.nixosModules.home-assistant`, will
|
|
import all needed block modules at the same time.
|
|
|
|
## Other Changes
|
|
|
|
- Nextcloud module can now setup SSO integration without setting up LDAP integration.
|
|
|
|
# v0.4.4
|
|
|
|
## New Features
|
|
|
|
- Added Pinchflat service with SSO integration. Declarative user creation only supported through SSO integration.
|
|
- Added Immich service with SSO integration.
|
|
- Added Open WebUI service with SSO integration.
|
|
|
|
# v0.4.3
|
|
|
|
## New Features
|
|
|
|
- Allow user to change their SSO password in Authelia.
|
|
- Make Audiobookshelf SSO integration respect admin users.
|
|
|
|
## Fixes
|
|
|
|
- Fix permission on Nextcloud systemd service.
|
|
- Delete Forgejo backups correctly to avoid them piling up.
|
|
|
|
## Other Changes
|
|
|
|
- Add recipes section to the documentation.
|
|
|
|
# v0.4.2
|
|
|
|
## New Features
|
|
|
|
- The LLDAP and Authelia modules gain a debug mode where a mitmdump instance is added so all traffic is printed.
|
|
|
|
## Fixes
|
|
|
|
- By default, LLDAP module only enforces groups declaratively. Users that are not defined declaratively
|
|
are not anymore deleted by inadvertence.
|
|
- SSO integration with most services got fixed. A recent incompatible change in upstream Authelia broke most of them.
|
|
- Fixed PostgreSQL and Home Assistant modules after nixpkgs updates.
|
|
- Fixed Nextcloud module SSO integration with Authelia.
|
|
- Make Nextcloud SSO integration respect admin users.
|
|
|
|
# v0.4.1
|
|
|
|
## New Features
|
|
|
|
- LLDAP now manages users, groups, user attributes and group attributes declaratively.
|
|
- Individual modules are exposed in the flake output for each block and service.
|
|
- A mitmdump block is added that can be placed between two services and print all requests and responses.
|
|
- The SSO setup for Audiobookshelf is now a bit more declarative.
|
|
|
|
## Other Changes
|
|
|
|
- Forgejo got a new playwright test to check the LDAP integration.
|
|
- Some renaming options have been added retroactively for jellyfin and forgejo.
|
|
|
|
# v0.4.0
|
|
|
|
## Breaking Changes
|
|
|
|
- Rename ldap module to lldap as well as option name `shb.ldap` to `shb.lldap`.
|
|
|
|
## New Features
|
|
|
|
- Jellyfin service now waits for Jellyfin server to be fully available before starting.
|
|
- Add debug option for Jellyfin.
|
|
- Allow to choose port for Jellyfin.
|
|
- Make Jellyfin setup including initial admin user declarative.
|
|
|
|
## Fixes
|
|
|
|
- Fix Jellyfin redirect URI scheme after update.
|
|
|
|
## Other Changes
|
|
|
|
- Add documentation for LLDAP and Authelia block and link to it from other docs.
|
|
|
|
# v0.3.1
|
|
|
|
## Breaking Changes
|
|
|
|
- Default version of Nextcloud is now 30.
|
|
- Disable memories app on Nextcloud because it is broken.
|
|
|
|
## New Features
|
|
|
|
- Add patchNixpkgs function and pre-patched patchedNixpkgs output.
|
|
|
|
## Fixes
|
|
|
|
- Fix secrets passing to Nextcloud service after update.
|
|
|
|
## Other Changes
|
|
|
|
- Bump nixpkgs to https://github.com/NixOS/nixpkgs/commit/216207b1e58325f3590277d9102b45273afe9878
|
|
|
|
# v0.3.0
|
|
|
|
## New Features
|
|
|
|
- Add option to add extra args to hledger command.
|
|
|
|
## Breaking Changes
|
|
|
|
- Default version of Nextcloud is now 29.
|
|
|
|
## Fixes
|
|
|
|
- Home Assistant config gets correctly generated with secrets
|
|
even if LDAP integration is not enabled.
|
|
- Fix Jellyfin SSO plugin which was left badly configured
|
|
after a code refactoring.
|
|
|
|
## Other Changes
|
|
|
|
- Add a lot of playwright tests for services.
|
|
- Add service implementation manual page to document
|
|
how to integrate a service in SHB.
|
|
- Add `update-redirects` command to manage the `redirect.json` page.
|
|
- Add home-assistant manual.
|
|
|
|
# v0.2.10
|
|
|
|
## New Features
|
|
|
|
- Add `shb.forgejo.users` option to create users declaratively.
|
|
|
|
## Fixes
|
|
|
|
- Make Nextcloud create the external storage if it's a local storage
|
|
and the directory does not exist yet.
|
|
- Disable flow to change password on first login for admin Forgejo user.
|
|
This is not necessary since the password comes from some secret store.
|
|
|
|
## Breaking Changes
|
|
|
|
- Fix internal link for Home Assistant
|
|
which now points to the fqdn. This fixes Voice Assistant
|
|
onboarding. This is a breaking change if one relies on
|
|
reaching Home Assistant through the IP address but I
|
|
don't recommend that. It's much better to have a DNS
|
|
server running locally which redirects the fqdn to the
|
|
server running Home Assistant.
|
|
|
|
## Other Changes
|
|
|
|
- Refactor tests and add playwright tests for services.
|
|
|
|
# v0.2.9
|
|
|
|
## New Features
|
|
|
|
- Add Memories Nextcloud app declaratively configured.
|
|
- Add Recognize Nextcloud app declaratively configured.
|
|
|
|
# v0.2.8
|
|
|
|
## New Features
|
|
|
|
- Add dashboard for SSL certificates validity
|
|
and alert they did not renew on time.
|
|
|
|
## Fixes
|
|
|
|
- Only enable php-fpm exporter when php-fpm is enabled.
|
|
|
|
## Breaking Changes
|
|
|
|
- Remove upgrade script from postgres 13 to 14 and 14 to 15.
|
|
|
|
# v0.2.7
|
|
|
|
## New Features
|
|
|
|
- Add dashboard for Nextcloud with PHP-FPM exporter.
|
|
- Add voice option to Home-Assistant.
|
|
|
|
## User Facing Backwards Compatible Changes
|
|
|
|
- Add hostname and domain labels for scraped Prometheus metrics and Loki logs.
|
|
|
|
# v0.2.6
|
|
|
|
## New Features
|
|
|
|
- Add dashboard for deluge.
|
|
|
|
# v0.2.5
|
|
|
|
## Other Changes
|
|
|
|
- Fix more modules using backup contract.
|
|
|
|
# v0.2.4
|
|
|
|
## Other Changes
|
|
|
|
- Fix modules using backup contract.
|
|
|
|
# v0.2.3
|
|
|
|
## Breaking Changes
|
|
|
|
- Options `before_backup` and `after_backup` for backup contract have been renamed to
|
|
`beforeBackup` and `afterBackup`.
|
|
- All options using the backup and databasebackup contracts now use the new style.
|
|
|
|
## Other Changes
|
|
|
|
- Show how to pin Self Host Blocks flake input to a tag.
|
|
|
|
# v0.2.2
|
|
|
|
## User Facing Backwards Compatible Changes
|
|
|
|
- Fix: add implementation for `sops.nix` module.
|
|
|
|
## Other Changes
|
|
|
|
- Use VERSION when rendering manual too.
|
|
|
|
# v0.2.1
|
|
|
|
## User Facing Backwards Compatible Changes
|
|
|
|
- Add `sops.nix` module to `nixosModules.default`.
|
|
|
|
## Other Changes
|
|
|
|
- Auto-tagging of git repo when VERSION file gets updated.
|
|
- Add VERSION file to track version.
|
|
|
|
# v0.2.0
|
|
|
|
## New Features
|
|
|
|
- Backup:
|
|
- Add feature to backup databases with the database backup contract, implemented with `shb.restic.databases`.
|
|
|
|
## Breaking Changes
|
|
|
|
- Remove dependency on `sops-nix`.
|
|
- Rename `shb.nginx.autheliaProtect` to `shb.nginx.vhosts`. Indeed, the option allows to define a vhost with _optional_ Authelia protection but the former name made it look like Authelia protection was enforced.
|
|
- Rename all `shb.arr.*.APIKey` to `shb.arr.*.ApiKey`.
|
|
- Remove `shb.vaultwarden.ldapEndpoint` option because it was not used in the implementation anyway.
|
|
- Bump Nextcloud default version from 27 to 28. Add support for version 29.
|
|
- Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
|
|
- Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
|
|
- Authelia options changed:
|
|
- `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
|
|
- `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
|
|
- `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
|
|
- `shb.authelia.ldapEndpoint` -> `shb.authelia.ldapHostname` and `shb.authelia.ldapPort`
|
|
- `shb.authelia.jwtSecretFile` -> `shb.authelia.jwtSecret.result.path`
|
|
- `shb.authelia.ldapAdminPasswordFile` -> `shb.authelia.ldapAdminPassword.result.path`
|
|
- `shb.authelia.sessionSecretFile` -> `shb.authelia.sessionSecret.result.path`
|
|
- `shb.authelia.storageEncryptionKeyFile` -> `shb.authelia.storageEncryptionKey.result.path`
|
|
- `shb.authelia.identityProvidersOIDCIssuerPrivateKeyFile` -> `shb.authelia.identityProvidersOIDCIssuerPrivateKey.result.path`
|
|
- `shb.authelia.smtp.passwordFile` -> `shb.authelia.smtp.password.result.path`
|
|
- Make Nextcloud automatically disable maintenance mode upon service restart.
|
|
- `shb.ldap.ldapUserPasswordFile` -> `shb.ldap.ldapUserPassword.result.path`
|
|
- `shb.ldap.jwtSecretFile` -> `shb.ldap.jwtSecret.result.path`
|
|
- Jellyfin changes:
|
|
- `shb.jellyfin.ldap.passwordFile` -> `shb.jellyfin.ldap.adminPassword.result.path`.
|
|
- `shb.jellyfin.sso.secretFile` -> `shb.jellyfin.ldap.sharedSecret.result.path`.
|
|
- + `shb.jellyfin.ldap.sharedSecretForAuthelia`.
|
|
- Forgejo changes:
|
|
- `shb.forgejo.ldap.adminPasswordFile` -> `shb.forgejo.ldap.adminPassword.result.path`.
|
|
- `shb.forgejo.sso.secretFile` -> `shb.forgejo.ldap.sharedSecret.result.path`.
|
|
- `shb.forgejo.sso.secretFileForAuthelia` -> `shb.forgejo.ldap.sharedSecretForAuthelia.result.path`.
|
|
- `shb.forgejo.adminPasswordFile` -> `shb.forgejo.adminPassword.result.path`.
|
|
- `shb.forgejo.databasePasswordFile` -> `shb.forgejo.databasePassword.result.path`.
|
|
- Backup:
|
|
- `shb.restic.instances` options has been split between `shb.restic.instances.request` and `shb.restic.instances.settings`, matching better with contracts.
|
|
- Use of secret contract everywhere.
|
|
|
|
## User Facing Backwards Compatible Changes
|
|
|
|
- Add mount contract.
|
|
- Export torrent metrics.
|
|
- Bump chunkSize in Nextcloud to boost performance.
|
|
- Fix home-assistant onboarding file generation. Added new VM test.
|
|
- OIDC and SMTP config are now optional in Vaultwarden. Added new VM test.
|
|
- Add default OIDC config for Authelia. This way, Authelia can start even with no config or only forward auth configs.
|
|
- Fix replaceSecrets function. It wasn't working correctly with functions from `lib.generators` and `pkgs.pkgs-lib.formats`. Also more test coverage.
|
|
- Add udev extra rules to allow smartctl Prometheus exporter to find NVMe drives.
|
|
- Revert Loki to major version 2 because upgrading to version 3 required manual intervention as Loki
|
|
refuses to start. So until this issue is tackled, reverting is the best immediate fix.
|
|
See https://github.com/NixOS/nixpkgs/commit/8f95320f39d7e4e4a29ee70b8718974295a619f4
|
|
- Add prometheus deluge exporter support. It just needs the `shb.deluge.prometheusScraperPasswordFile` option to be set.
|
|
|
|
## Other Changes
|
|
|
|
- Add pretty printing of test errors. Instead of:
|
|
```
|
|
error: testRadarr failed: expected {"services":{"bazarr":{},"jackett":{},"lidarr":{},"nginx":{"enable":true},"radarr":{"dataDir":"/var/lib/radarr","enable":true,"group":"radarr","user":"radarr"},"readarr":{},"sonarr":{}},"shb":{"backup":{"instances":{"radarr":{"excludePatterns":[".db-shm",".db-wal",".mono"],"sourceDirectories":["/var/lib/radarr"]}}},"nginx":{"autheliaProtect":[{"authEndpoint":"https://oidc.example.com","autheliaRules":[{"domain":"radarr.example.com","policy":"bypass","resources":["^/api.*"]},{"domain":"radarr.example.com","policy":"two_factor","subject":["group:arr_user"]}],"domain":"example.com","ssl":null,"subdomain":"radarr","upstream":"http://127.0.0.1:7878"}]}},"systemd":{"services":{"radarr":{"serviceConfig":{"StateDirectoryMode":"0750","UMask":"0027"}}},"tmpfiles":{"rules":["d '/var/lib/radarr' 0750 radarr radarr - -"]}},"users":{"groups":{"radarr":{"members":["backup"]}}}}, but got {"services":{"bazarr":{},"jackett":{},"lidarr":{},"nginx":{"enable":true},"radarr":{"dataDir":"/var/lib/radarr","enable":true,"group":"radarr","user":"radarr"},"readarr":{},"sonarr":{}},"shb":{"backup":{"instances":{"radarr":{"excludePatterns":[".db-shm",".db-wal",".mono"],"sourceDirectories":["/var/lib/radarr"]}}},"nginx":{"vhosts":[{"authEndpoint":"https://oidc.example.com","autheliaRules":[{"domain":"radarr.example.com","policy":"bypass","resources":["^/api.*"]},{"domain":"radarr.example.com","policy":"two_factor","subject":["group:arr_user"]}],"domain":"example.com","ssl":null,"subdomain":"radarr","upstream":"http://127.0.0.1:7878"}]}},"systemd":{"services":{"radarr":{"serviceConfig":{"StateDirectoryMode":"0750","UMask":"0027"}}},"tmpfiles":{"rules":["d '/var/lib/radarr' 0750 radarr radarr - -"]}},"users":{"groups":{"radarr":{"members":["backup"]}}}}
|
|
```
|
|
You now see:
|
|
```
|
|
error: testRadarr failed (- expected, + result)
|
|
{
|
|
"dictionary_item_added": [
|
|
"root['shb']['nginx']['vhosts']"
|
|
],
|
|
"dictionary_item_removed": [
|
|
"root['shb']['nginx']['authEndpoint']"
|
|
]
|
|
}
|
|
```
|
|
- Made Nextcloud LDAP setup use a hardcoded configID. This makes the detection of an existing config much more robust.
|
|
|
|
# 0.1.0
|
|
|
|
Creation of CHANGELOG.md
|