selfhostblocks/CHANGELOG.md
2026-05-24 01:37:52 +02:00

502 lines
17 KiB
Markdown

<!---
Template:
## Breaking Changes
## New Features
## User Facing Backwards Compatible Changes
## Fixes
## Other Changes
-->
# Upcoming Release
## Breaking Changes
- Updated simple-nixos-mailserver. Update all options following this pattern:
```diff
- mailserver.mailboxes.<name>.specialUse = "value"
+ mailserver.mailboxes.<name>.special_use = "\\value"
```
Note that simple-nixos-mailserver wanted to upgrade the location of the storage path
to include the ldap UID instead of the email but I kept the email address.
This means there is no migration to do.
# v0.8.0
## Breaking Changes
- Bump of Nextcloud version to 32 and 33 because of nixpkgs bump. All provided apps are verified compatible with Nextcloud 33 thanks to new tests.
## New Features
- Added Immich Public Proxy service
- Add homepage service with dashboard contract implemented by all services
- Add scrutiny service.
- ZFS module now supports setting permissions
- Add landing page for mailserver and dashboard contract integration
## Bug Fixes
- Use configurable dataDir in arr stack
- Forgejo ensures ldap is setup when sso is configured
- Add nixpkgs patches on aarch64-linux too
- Self-signed certs are now idempotent
- Prometheus scrapes metrics at 15s interval instead of 1m
## Other Changes
- Arr stack declares ldap groups, declare ApiKeys and bypasses auth for readarr when sso is enabled
- Forgejo declares ldap group
# v0.7.3
## New Features
- Add [mailserver module](https://shb.skarabox.com/services-mailserver.html) integrating with [Simple NixOS Mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) and allowing full backup of an email provider.
- Bump nixpkgs from https://github.com/NixOS/nixpkgs/commit/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67 to https://github.com/NixOS/nixpkgs/commit/bfc1b8a4574108ceef22f02bafcf6611380c100d. [Full diff](https://github.com/nixos/nixpkgs/compare/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67...bfc1b8a4574108ceef22f02bafcf6611380c100d).
On top of minor changes, the most notable one was:
- Updated Jellyfin LDAP and SSO plugins and configuration. @Codys-Wright
## Bug Fixes
- Fix Restic and Authelia modules referencing systemd services without the `.service` suffix and leading to
# v0.7.2
## New Features
- Forgejo uses secrets contract for smtp password.
- Add [Firefly-iii](https://shb.skarabox.com/services-firefly-iii.html) service.
- Jellyfin can [install plugins declaratively](https://shb.skarabox.com/services-jellyfin.html#services-jellyfin-options-shb.jellyfin.plugins).
(Support is quite crude and WIP).
- Jellyfin configures LDAP and SSO fully declaratively, including installing necessary plugins.
- Nextcloud 32 is fully supported thanks to tests for version 31 and 32.
## Fixes
- Revert Authelia to continue using dots in systemd service names.
This caused issue with nginx name resolution.
## Other Changes
- Authelia uses non deprecated `smtp.address` option.
- Add documentation for Nginx block
- Now a user which is only member of the admin LDAP group of a service can login.
Before, some services required a user to be member of both the user and admin LDAP group.
This is ensured by regression tests going forward.
# v0.7.1
## New Features
- Add a Grafana dashboard showing SSL certificate renewal jobs
## Fixes
- Fix let's encrypt certificate renewal jobs by removing duplicated domain name.
Also adds an assertion to catch these kinds of errors.
## Other Changes
- Reduce number of late SSL renewal alert by merging all metrics corresponding to one CN.
# v0.7.0
## Breaking Changes
- Fix pkgs overrides not being passed to users of SelfHostBlocks.
This will require to update your flake to follow the example in the [Usage](https://shb.skarabox.com/usage.html) section.
## New Features
- Add a Grafana dashboard showing stats on backup jobs
and also an alert if a backup job did not run in the last 24 hours or never succeeded in the last 24 hours.
- Add SSO integration in Grafana.
- Add Paperless service.
## Fixes
- Allow to upload big files in Immich.
- Only enable php-fpm Prometheus exporter if Nextcloud is enabled.
## Other Changes
- Add recipe to setup DNS server with DNSSEC.
# v0.6.1
## New Features
- Implement backup and databasebackup contracts with BorgBackup block.
## Fixes
- Add back erroneously removed Prometheus collectors.
# v0.6.0
## Breaking Changes
- Removed Nextcloud 30, update to Nextcloud 31 then after to 32.
- Removed the `sops` module in the `default` NixOS module. Removed the `all` NixOS module.
## New Features
- Meilisearch configured with production environment and master key.
## Other Changes
- Only import hardcodedsecret module in tests.
- Better usage section in manual.
- Added new demo for minimal SelfHostBlocks setup, which is tested in CI.
- Format all files in repo and make sure they are formatted in CI.
# v0.5.1
## New Features
- Added Karakeep service with SSO integration.
- Add SelfHostBlocks' `lib` into `pkgs.lib.shb`. Integrates with [Skarabox](https://github.com/ibizaman/skarabox/blob/631ff5af0b5c850bb63a3b3df451df9707c0af4e/template/flake.nix#L42-L43) too.
## Other Changes
- Moved implementation guide under contributing section.
# v0.5.0
## Breaking Changes
- Modules in the `nixosModules` output field do not anymore have the `system` in their path.
`selfhostblocks.nixosModules.x86_64-linux.home-assistant` becomes `selfhostblocks.nixosModules.home-assistant`
like it always should have been.
## Fixes
- Added test case making sure a user belonging to a not authorized LDAP group cannot login.
Fixed Open WebUI module.
- Now importing a single module, like `selfhostblocks.nixosModules.home-assistant`, will
import all needed block modules at the same time.
## Other Changes
- Nextcloud module can now setup SSO integration without setting up LDAP integration.
# v0.4.4
## New Features
- Added Pinchflat service with SSO integration. Declarative user creation only supported through SSO integration.
- Added Immich service with SSO integration.
- Added Open WebUI service with SSO integration.
# v0.4.3
## New Features
- Allow user to change their SSO password in Authelia.
- Make Audiobookshelf SSO integration respect admin users.
## Fixes
- Fix permission on Nextcloud systemd service.
- Delete Forgejo backups correctly to avoid them piling up.
## Other Changes
- Add recipes section to the documentation.
# v0.4.2
## New Features
- The LLDAP and Authelia modules gain a debug mode where a mitmdump instance is added so all traffic is printed.
## Fixes
- By default, LLDAP module only enforces groups declaratively. Users that are not defined declaratively
are not anymore deleted by inadvertence.
- SSO integration with most services got fixed. A recent incompatible change in upstream Authelia broke most of them.
- Fixed PostgreSQL and Home Assistant modules after nixpkgs updates.
- Fixed Nextcloud module SSO integration with Authelia.
- Make Nextcloud SSO integration respect admin users.
# v0.4.1
## New Features
- LLDAP now manages users, groups, user attributes and group attributes declaratively.
- Individual modules are exposed in the flake output for each block and service.
- A mitmdump block is added that can be placed between two services and print all requests and responses.
- The SSO setup for Audiobookshelf is now a bit more declarative.
## Other Changes
- Forgejo got a new playwright test to check the LDAP integration.
- Some renaming options have been added retroactively for jellyfin and forgejo.
# v0.4.0
## Breaking Changes
- Rename ldap module to lldap as well as option name `shb.ldap` to `shb.lldap`.
## New Features
- Jellyfin service now waits for Jellyfin server to be fully available before starting.
- Add debug option for Jellyfin.
- Allow to choose port for Jellyfin.
- Make Jellyfin setup including initial admin user declarative.
## Fixes
- Fix Jellyfin redirect URI scheme after update.
## Other Changes
- Add documentation for LLDAP and Authelia block and link to it from other docs.
# v0.3.1
## Breaking Changes
- Default version of Nextcloud is now 30.
- Disable memories app on Nextcloud because it is broken.
## New Features
- Add patchNixpkgs function and pre-patched patchedNixpkgs output.
## Fixes
- Fix secrets passing to Nextcloud service after update.
## Other Changes
- Bump nixpkgs to https://github.com/NixOS/nixpkgs/commit/216207b1e58325f3590277d9102b45273afe9878
# v0.3.0
## New Features
- Add option to add extra args to hledger command.
## Breaking Changes
- Default version of Nextcloud is now 29.
## Fixes
- Home Assistant config gets correctly generated with secrets
even if LDAP integration is not enabled.
- Fix Jellyfin SSO plugin which was left badly configured
after a code refactoring.
## Other Changes
- Add a lot of playwright tests for services.
- Add service implementation manual page to document
how to integrate a service in SHB.
- Add `update-redirects` command to manage the `redirect.json` page.
- Add home-assistant manual.
# v0.2.10
## New Features
- Add `shb.forgejo.users` option to create users declaratively.
## Fixes
- Make Nextcloud create the external storage if it's a local storage
and the directory does not exist yet.
- Disable flow to change password on first login for admin Forgejo user.
This is not necessary since the password comes from some secret store.
## Breaking Changes
- Fix internal link for Home Assistant
which now points to the fqdn. This fixes Voice Assistant
onboarding. This is a breaking change if one relies on
reaching Home Assistant through the IP address but I
don't recommend that. It's much better to have a DNS
server running locally which redirects the fqdn to the
server running Home Assistant.
## Other Changes
- Refactor tests and add playwright tests for services.
# v0.2.9
## New Features
- Add Memories Nextcloud app declaratively configured.
- Add Recognize Nextcloud app declaratively configured.
# v0.2.8
## New Features
- Add dashboard for SSL certificates validity
and alert they did not renew on time.
## Fixes
- Only enable php-fpm exporter when php-fpm is enabled.
## Breaking Changes
- Remove upgrade script from postgres 13 to 14 and 14 to 15.
# v0.2.7
## New Features
- Add dashboard for Nextcloud with PHP-FPM exporter.
- Add voice option to Home-Assistant.
## User Facing Backwards Compatible Changes
- Add hostname and domain labels for scraped Prometheus metrics and Loki logs.
# v0.2.6
## New Features
- Add dashboard for deluge.
# v0.2.5
## Other Changes
- Fix more modules using backup contract.
# v0.2.4
## Other Changes
- Fix modules using backup contract.
# v0.2.3
## Breaking Changes
- Options `before_backup` and `after_backup` for backup contract have been renamed to
`beforeBackup` and `afterBackup`.
- All options using the backup and databasebackup contracts now use the new style.
## Other Changes
- Show how to pin Self Host Blocks flake input to a tag.
# v0.2.2
## User Facing Backwards Compatible Changes
- Fix: add implementation for `sops.nix` module.
## Other Changes
- Use VERSION when rendering manual too.
# v0.2.1
## User Facing Backwards Compatible Changes
- Add `sops.nix` module to `nixosModules.default`.
## Other Changes
- Auto-tagging of git repo when VERSION file gets updated.
- Add VERSION file to track version.
# v0.2.0
## New Features
- Backup:
- Add feature to backup databases with the database backup contract, implemented with `shb.restic.databases`.
## Breaking Changes
- Remove dependency on `sops-nix`.
- Rename `shb.nginx.autheliaProtect` to `shb.nginx.vhosts`. Indeed, the option allows to define a vhost with _optional_ Authelia protection but the former name made it look like Authelia protection was enforced.
- Rename all `shb.arr.*.APIKey` to `shb.arr.*.ApiKey`.
- Remove `shb.vaultwarden.ldapEndpoint` option because it was not used in the implementation anyway.
- Bump Nextcloud default version from 27 to 28. Add support for version 29.
- Deluge config breaks the authFile into an attrset of user to password file. Also deluge has tests now.
- Nextcloud now configures the LDAP app to use the `user_id` from LLDAP as the user ID used in Nextcloud. This makes all source of user - internal, LDAP and SSO - agree on the user ID.
- Authelia options changed:
- `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
- `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
- `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
- `shb.authelia.ldapEndpoint` -> `shb.authelia.ldapHostname` and `shb.authelia.ldapPort`
- `shb.authelia.jwtSecretFile` -> `shb.authelia.jwtSecret.result.path`
- `shb.authelia.ldapAdminPasswordFile` -> `shb.authelia.ldapAdminPassword.result.path`
- `shb.authelia.sessionSecretFile` -> `shb.authelia.sessionSecret.result.path`
- `shb.authelia.storageEncryptionKeyFile` -> `shb.authelia.storageEncryptionKey.result.path`
- `shb.authelia.identityProvidersOIDCIssuerPrivateKeyFile` -> `shb.authelia.identityProvidersOIDCIssuerPrivateKey.result.path`
- `shb.authelia.smtp.passwordFile` -> `shb.authelia.smtp.password.result.path`
- Make Nextcloud automatically disable maintenance mode upon service restart.
- `shb.ldap.ldapUserPasswordFile` -> `shb.ldap.ldapUserPassword.result.path`
- `shb.ldap.jwtSecretFile` -> `shb.ldap.jwtSecret.result.path`
- Jellyfin changes:
- `shb.jellyfin.ldap.passwordFile` -> `shb.jellyfin.ldap.adminPassword.result.path`.
- `shb.jellyfin.sso.secretFile` -> `shb.jellyfin.ldap.sharedSecret.result.path`.
- + `shb.jellyfin.ldap.sharedSecretForAuthelia`.
- Forgejo changes:
- `shb.forgejo.ldap.adminPasswordFile` -> `shb.forgejo.ldap.adminPassword.result.path`.
- `shb.forgejo.sso.secretFile` -> `shb.forgejo.ldap.sharedSecret.result.path`.
- `shb.forgejo.sso.secretFileForAuthelia` -> `shb.forgejo.ldap.sharedSecretForAuthelia.result.path`.
- `shb.forgejo.adminPasswordFile` -> `shb.forgejo.adminPassword.result.path`.
- `shb.forgejo.databasePasswordFile` -> `shb.forgejo.databasePassword.result.path`.
- Backup:
- `shb.restic.instances` options has been split between `shb.restic.instances.request` and `shb.restic.instances.settings`, matching better with contracts.
- Use of secret contract everywhere.
## User Facing Backwards Compatible Changes
- Add mount contract.
- Export torrent metrics.
- Bump chunkSize in Nextcloud to boost performance.
- Fix home-assistant onboarding file generation. Added new VM test.
- OIDC and SMTP config are now optional in Vaultwarden. Added new VM test.
- Add default OIDC config for Authelia. This way, Authelia can start even with no config or only forward auth configs.
- Fix replaceSecrets function. It wasn't working correctly with functions from `lib.generators` and `pkgs.pkgs-lib.formats`. Also more test coverage.
- Add udev extra rules to allow smartctl Prometheus exporter to find NVMe drives.
- Revert Loki to major version 2 because upgrading to version 3 required manual intervention as Loki
refuses to start. So until this issue is tackled, reverting is the best immediate fix.
See https://github.com/NixOS/nixpkgs/commit/8f95320f39d7e4e4a29ee70b8718974295a619f4
- Add prometheus deluge exporter support. It just needs the `shb.deluge.prometheusScraperPasswordFile` option to be set.
## Other Changes
- Add pretty printing of test errors. Instead of:
```
error: testRadarr failed: expected {"services":{"bazarr":{},"jackett":{},"lidarr":{},"nginx":{"enable":true},"radarr":{"dataDir":"/var/lib/radarr","enable":true,"group":"radarr","user":"radarr"},"readarr":{},"sonarr":{}},"shb":{"backup":{"instances":{"radarr":{"excludePatterns":[".db-shm",".db-wal",".mono"],"sourceDirectories":["/var/lib/radarr"]}}},"nginx":{"autheliaProtect":[{"authEndpoint":"https://oidc.example.com","autheliaRules":[{"domain":"radarr.example.com","policy":"bypass","resources":["^/api.*"]},{"domain":"radarr.example.com","policy":"two_factor","subject":["group:arr_user"]}],"domain":"example.com","ssl":null,"subdomain":"radarr","upstream":"http://127.0.0.1:7878"}]}},"systemd":{"services":{"radarr":{"serviceConfig":{"StateDirectoryMode":"0750","UMask":"0027"}}},"tmpfiles":{"rules":["d '/var/lib/radarr' 0750 radarr radarr - -"]}},"users":{"groups":{"radarr":{"members":["backup"]}}}}, but got {"services":{"bazarr":{},"jackett":{},"lidarr":{},"nginx":{"enable":true},"radarr":{"dataDir":"/var/lib/radarr","enable":true,"group":"radarr","user":"radarr"},"readarr":{},"sonarr":{}},"shb":{"backup":{"instances":{"radarr":{"excludePatterns":[".db-shm",".db-wal",".mono"],"sourceDirectories":["/var/lib/radarr"]}}},"nginx":{"vhosts":[{"authEndpoint":"https://oidc.example.com","autheliaRules":[{"domain":"radarr.example.com","policy":"bypass","resources":["^/api.*"]},{"domain":"radarr.example.com","policy":"two_factor","subject":["group:arr_user"]}],"domain":"example.com","ssl":null,"subdomain":"radarr","upstream":"http://127.0.0.1:7878"}]}},"systemd":{"services":{"radarr":{"serviceConfig":{"StateDirectoryMode":"0750","UMask":"0027"}}},"tmpfiles":{"rules":["d '/var/lib/radarr' 0750 radarr radarr - -"]}},"users":{"groups":{"radarr":{"members":["backup"]}}}}
```
You now see:
```
error: testRadarr failed (- expected, + result)
{
"dictionary_item_added": [
"root['shb']['nginx']['vhosts']"
],
"dictionary_item_removed": [
"root['shb']['nginx']['authEndpoint']"
]
}
```
- Made Nextcloud LDAP setup use a hardcoded configID. This makes the detection of an existing config much more robust.
# 0.1.0
Creation of CHANGELOG.md