authorV <v@unfathomable.blue>2021-06-09 15:43:16 +0200
committerV <v@unfathomable.blue>2021-08-17 03:09:34 +0200
commitec0965e2672899d25a5a3a8c072de3ea734076a2 (patch)
treeddf53e6cc5ae47fa1a925f7a7d6414ba03718a84 /fleet/pkgs
parentdb7c54f92f386a94db8af7a12626d2657b4dd640 (diff)
fleet: init
Co-authored-by: edef <edef@unfathomable.blue>
Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
Diffstat (limited to 'fleet/pkgs')
-rw-r--r--fleet/pkgs/cgiserver/default.nix25
-rw-r--r--fleet/pkgs/declarative-git-repository/default.nix53
-rw-r--r--fleet/pkgs/group-readable-archives.patch22
-rw-r--r--fleet/pkgs/overlay.nix24
-rw-r--r--fleet/pkgs/permission-warnings-only-when-necessary.patch50
-rw-r--r--fleet/pkgs/public-inbox-init-lite/default.nix18
-rw-r--r--fleet/pkgs/public-inbox-init-lite/public-inbox-init-lite60
-rw-r--r--fleet/pkgs/public-inbox/default.nix45
8 files changed, 297 insertions, 0 deletions
diff --git a/fleet/pkgs/cgiserver/default.nix b/fleet/pkgs/cgiserver/default.nix
new file mode 100644
index 0000000..9e911d5
--- /dev/null
+++ b/fleet/pkgs/cgiserver/default.nix
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, buildGoModule, fetchzip, zstd }:
+
+buildGoModule rec {
+  pname = "cgiserver";
+  version = "1.0.0";
+
+  src = (fetchzip {
+    url = "https://src.anomalous.eu/cgiserver/snapshot/cgiserver-${version}.tar.zst";
+    sha256 = "14bp92sw0w6n5dzs4f7g4fcklh25nc9k0xjx4ia0gi7kn5jwx2mq";
+  }).overrideAttrs ({ nativeBuildInputs, ... }: {
+    nativeBuildInputs = nativeBuildInputs ++ [ zstd ];
+  });
+
+  vendorSha256 = "00jslxzf6p8zs1wxdx3qdb919i80xv4w9ihljd40nnydasshqa4v";
+
+  meta = with lib; {
+    homepage = "https://src.anomalous.eu/cgiserver/about/";
+    description = "Lightweight web server for sandboxing CGI applications";
+    license = licenses.osl3;
+    maintainers = with maintainers; [ V ];
+  };
+}
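Review bot: The `overrideAttrs` wrapper around `fetchzip` in `src` has no comment saying why `zstd` is appended to `nativeBuildInputs`, so a reader has to infer it from the `.tar.zst` URL. A one-line comment above `src` would record it, for example `# fetchzip needs zstd available to unpack the .tar.zst snapshot`, assuming that is the reason.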
diff --git a/fleet/pkgs/declarative-git-repository/default.nix b/fleet/pkgs/declarative-git-repository/default.nix
new file mode 100644
index 0000000..f3bb014
--- /dev/null
+++ b/fleet/pkgs/declarative-git-repository/default.nix
@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, writeTextDir, writeText, buildEnv, writeTextFile, bash, writeScript }:
+
+{ path
+, branch ? "trunk"
+, description ? "Unnamed repository; edit this file 'description' to name the repository."
+, config ? {}
+, hooks ? {}
+, user ? "-", group ? "-"
+}:
+
+with lib;
+
+let
+  # As generated by an initial `git init --bare`
+  defaultConfig = {
+    core = {
+      repositoryFormatVersion = 0;
+      fileMode = true;
+      bare = true;
+    };
+  };
+
+  hooksDir = buildEnv {
+    name = "git-repository-hooks";
+    paths = mapAttrsToList (hook: scripts: writeTextFile {
+      name = hook;
+      text = ''
+        #! ${bash}/bin/bash -e
+      '' + concatMapStrings (script: ''
+        ${script} "$@"
+      '') scripts;
+      destination = "/${hook}";
+      executable = true;
+    }) hooks;
+  };
+in writeTextDir "lib/tmpfiles.d/git-repository${replaceStrings [ "/" ] [ "-" ] path}.conf" ''
+  # Root directory needs the correct permissions
+  d ${path} - ${user} ${group}
+
+  # This is the smallest set of paths that Git will still recognise as a valid repository.
+  # Everything else will be automatically filled out after a push or pull.
+  f+ ${path}/HEAD - ${user} ${group} - ref: refs/heads/${branch}
+  d ${path}/objects - ${user} ${group}
+  d ${path}/refs - ${user} ${group}
+
+  # Extra stuff we want to use
+  L+ ${path}/config - - - -  ${writeText "git-repository-config" (generators.toGitINI (recursiveUpdate defaultConfig config))}
+  L+ ${path}/description - - - - ${builtins.toFile "git-repository-description" description}
+  L+ ${path}/hooks - - - - ${hooksDir}
+''
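Review bot: Every `d` and `f+` line in the generated tmpfiles.d snippet passes `-` as the mode, which tmpfiles.d resolves to 0755 for directories and 0644 for files, so a repository created this way is world-readable unless a parent directory restricts access. The function lets callers set `user` and `group` but not the mode. Adding a `mode ? "-"` argument and using it in the directory lines, e.g. `d ${path} ${mode} ${user} ${group}`, would let a private repository be declared without a separate rule. Separately, in `hooksDir` the scripts for one hook run back to back as `${script} "$@"` and share stdin, so if a hook that receives its input on stdin (such as pre-receive) is given more than one script, the first one to read it leaves nothing for the rest; that limitation deserves a comment.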
diff --git a/fleet/pkgs/group-readable-archives.patch b/fleet/pkgs/group-readable-archives.patch
new file mode 100644
index 0000000..84b3e07
--- /dev/null
+++ b/fleet/pkgs/group-readable-archives.patch
@@ -0,0 +1,22 @@
+SPDX-FileCopyrightText: V <v@unfathomable.blue>
+SPDX-License-Identifier: OSL-3.0
+--- a/src/mlmmj-process.c
++++ b/src/mlmmj-process.c
+@@ -490,6 +490,9 @@
+ 		{ NULL, 0, NULL }
+ 	};
+ 
++	/* Postfix unconditionally sets this to 0077 */
++	umask(0027);
++
+ 	CHECKFULLPATH(argv[0]);
+ 
+ 	log_set_name(argv[0]);
+@@ -553,7 +556,7 @@
+                 donemailname = concatstr(3, listdir, "/queue/", randomstr);
+ 
+                 donemailfd = open(donemailname, O_RDWR|O_CREAT|O_EXCL,
+-						S_IRUSR|S_IWUSR);
++						S_IRUSR|S_IWUSR|S_IRGRP);
+ 
+         } while ((donemailfd < 0) && (errno == EEXIST));
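Review bot: The added `umask(0027);` is process-wide and inherited by child processes, so it relaxes the mode of everything mlmmj-process creates after that point, not only the archived message the patch name refers to. If the list directory also holds data that should stay owner-only (subscriber files, moderation queue), members of the group gain read access to it as well; this cannot be confirmed from the two hunks, whose enclosing functions start and end outside them. A narrower alternative would be to leave Postfix's umask alone and set the mode on the one file after the `open`, e.g. `fchmod(donemailfd, S_IRUSR|S_IWUSR|S_IRGRP);`, provided the directories involved are already group-accessible. Either way the comment should name the consumer that needs group read, for example `/* Postfix sets umask 0077; the archive reader runs as a group member and needs read access */`.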
diff --git a/fleet/pkgs/overlay.nix b/fleet/pkgs/overlay.nix
new file mode 100644
index 0000000..1f645f0
--- /dev/null
+++ b/fleet/pkgs/overlay.nix
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+final: prev: {
+  cgiserver = final.callPackage ./cgiserver {};
+  declarative-git-repository = final.callPackage ./declarative-git-repository {};
+  public-inbox = final.perlPackages.callPackage ./public-inbox {};
+  public-inbox-init-lite = final.callPackage ./public-inbox-init-lite {};
+
+  # Fixes bundler complaining loudly if $HOME is read-only or unset
+  # Taken from https://github.com/rubygems/rubygems/pull/4724
+  # This is here because the CGit about filter invokes Asciidoctor,
+  # which otherwise causes its log to fill with spurious error messages.
+  # Can be removed once Bundler 2.2.23 or above makes its way into stable.
+  bundler = prev.bundler.overrideAttrs ({ patches ? [], ... }: {
+    patches = patches ++ [ ./permission-warnings-only-when-necessary.patch ];
+    dontBuild = false;
+  });
+
+  # Fixes archives having silly permissions due to Postfix messing with the umask
+  mlmmj = prev.mlmmj.overrideAttrs ({ patches ? [], ... }: {
+    patches = patches ++ [ ./group-readable-archives.patch ];
+  });
+}
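Review bot: `dontBuild = false;` in the bundler override is the one line the comment block above it does not explain. Presumably the gem is otherwise installed without an unpack and build step, so the patch would never be applied; if that is the reason, record it with something like `# Needed so the gem is unpacked and rebuilt; otherwise patches are skipped`. The mlmmj comment could likewise state the actual effect (umask 0027 and group-readable files) instead of "silly permissions", since the override changes who can read list mail.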
diff --git a/fleet/pkgs/permission-warnings-only-when-necessary.patch b/fleet/pkgs/permission-warnings-only-when-necessary.patch
new file mode 100644
index 0000000..4a557a5
--- /dev/null
+++ b/fleet/pkgs/permission-warnings-only-when-necessary.patch
@@ -0,0 +1,50 @@
+SPDX-FileCopyrightText: David Rodríguez <deivid.rodriguez@riseup.net>
+SPDX-License-Identifier: MIT
+--- a/lib/bundler.rb
++++ b/lib/bundler.rb
+@@ -236,8 +236,9 @@ def user_home
+         end
+ 
+         if warning
+-          user_home = tmp_home_path(warning)
+-          Bundler.ui.warn "#{warning}\nBundler will use `#{user_home}' as your home directory temporarily.\n"
++          Bundler.ui.warn "#{warning}\n"
++          user_home = tmp_home_path
++          Bundler.ui.warn "Bundler will use `#{user_home}' as your home directory temporarily.\n"
+           user_home
+         else
+           Pathname.new(home)
+@@ -684,15 +685,13 @@ def configure_gem_home
+       Bundler.rubygems.clear_paths
+     end
+ 
+-    def tmp_home_path(warning)
++    def tmp_home_path
+       Kernel.send(:require, "tmpdir")
+       SharedHelpers.filesystem_access(Dir.tmpdir) do
+         path = Bundler.tmp
+         at_exit { Bundler.rm_rf(path) }
+         path
+       end
+-    rescue RuntimeError => e
+-      raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
+     end
+ 
+     # @param env [Hash]
+
+--- a/lib/bundler/settings.rb
++++ b/lib/bundler/settings.rb
+@@ -428,12 +428,8 @@ def printable_value(value, key)
+     def global_config_file
+       if ENV["BUNDLE_CONFIG"] && !ENV["BUNDLE_CONFIG"].empty?
+         Pathname.new(ENV["BUNDLE_CONFIG"])
+-      else
+-        begin
+-          Bundler.user_bundle_path("config")
+-        rescue PermissionError, GenericSystemCallError
+-          nil
+-        end
++      elsif Bundler.rubygems.user_home && !Bundler.rubygems.user_home.empty?
++        Pathname.new(Bundler.rubygems.user_home).join(".bundle/config")
+       end
+     end
diff --git a/fleet/pkgs/public-inbox-init-lite/default.nix b/fleet/pkgs/public-inbox-init-lite/default.nix
new file mode 100644
index 0000000..8704ea3
--- /dev/null
+++ b/fleet/pkgs/public-inbox-init-lite/default.nix
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, substituteAll, public-inbox, runCommand, makeWrapper, git, xapian }:
+
+let
+  perl = public-inbox.fullperl.withPackages
+    (ps: with ps; [ public-inbox URI DBDSQLite SearchXapian ]);
+
+  subbed = substituteAll {
+    src = ./public-inbox-init-lite;
+    isExecutable = true;
+    inherit (perl) interpreter;
+  };
+in runCommand "public-inbox-init-lite" { nativeBuildInputs = [ makeWrapper ]; } ''
+  makeWrapper ${subbed} $out/bin/public-inbox-init-lite \
+    --prefix PATH : ${lib.makeBinPath [ git xapian ]}
+''
diff --git a/fleet/pkgs/public-inbox-init-lite/public-inbox-init-lite b/fleet/pkgs/public-inbox-init-lite/public-inbox-init-lite
new file mode 100644
index 0000000..f6fd560
--- /dev/null
+++ b/fleet/pkgs/public-inbox-init-lite/public-inbox-init-lite
@@ -0,0 +1,60 @@
+#! @interpreter@ -w
+# SPDX-FileCopyrightText: (C) 2014-2021 all contributors <meta@public-inbox.org>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+use strict;
+use v5.10.1;
+use Getopt::Long qw/:config gnu_getopt no_ignore_case auto_abbrev/;
+use Fcntl qw(:DEFAULT);
+
+require PublicInbox::Admin;
+PublicInbox::Admin::require_or_die('-base');
+
+my ($indexlevel, $skip_epoch, $skip_artnum, $jobs, $skip_docdata);
+my %opts = (
+	'indexlevel=s' => \$indexlevel,
+	'skip-epoch=i' => \$skip_epoch,
+	'skip-artnum=i' => \$skip_artnum,
+	'jobs=i' => \$jobs,
+	'skip-docdata' => \$skip_docdata,
+);
+GetOptions(%opts) or exit 1;
+PublicInbox::Admin::indexlevel_ok_or_die($indexlevel) if defined $indexlevel;
+my $name = shift @ARGV or exit 1;
+my $inboxdir = shift @ARGV or exit 1;
+my $primary_address = shift @ARGV or exit 1;
+# TODO(V): Error if any more arguments are passed
+
+$inboxdir = PublicInbox::Config::rel2abs_collapsed($inboxdir);
+die "`\\n' not allowed in `$inboxdir'\n" if index($inboxdir, "\n") >= 0;
+
+if (-d "$inboxdir/objects") {
+	die "$inboxdir is a -V1 inbox\n"
+}
+
+my $ibx = PublicInbox::Inbox->new({
+	inboxdir => $inboxdir,
+	name => $name,
+	version => 2,
+	-primary_address => $primary_address,
+	indexlevel => $indexlevel,
+});
+
+my $creat_opt = {};
+if (defined $jobs) {
+	die "--jobs=$jobs must be >= 1\n" if $jobs <= 0;
+	$creat_opt->{nproc} = $jobs;
+}
+
+require PublicInbox::InboxWritable;
+$ibx = PublicInbox::InboxWritable->new($ibx, $creat_opt);
+if ($skip_docdata) {
+	$ibx->{indexlevel} //= 'full'; # ensure init_inbox writes xdb
+	$ibx->{indexlevel} eq 'basic' and
+		die "--skip-docdata ignored with --indexlevel=basic\n";
+	$ibx->{-skip_docdata} = $skip_docdata;
+}
+$ibx->init_inbox(0, $skip_epoch, $skip_artnum);
+
+require PublicInbox::Spawn;
+PublicInbox::Spawn->import(qw(run_die));
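Review bot: A missing NAME, INBOX_DIR or PRIMARY_ADDRESS makes the three `shift @ARGV or exit 1` lines exit with status 1 and no message, and a literal `0` is treated as missing too, while extra arguments are silently accepted (the TODO). One check before the shifts covers both cases: `@ARGV == 3 or die "usage: public-inbox-init-lite [options] NAME INBOX_DIR PRIMARY_ADDRESS\n";`. Only `$inboxdir` gets a newline check; `$name` and `$primary_address` reach `PublicInbox::Inbox->new` as given, so it is worth confirming where they end up and rejecting control characters if they are written to a config file or used in a path. The closing `require PublicInbox::Spawn;` and `PublicInbox::Spawn->import(qw(run_die));` lines import a function that nothing after them calls, so they can be dropped.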
diff --git a/fleet/pkgs/public-inbox/default.nix b/fleet/pkgs/public-inbox/default.nix
new file mode 100644
index 0000000..bb5db29
--- /dev/null
+++ b/fleet/pkgs/public-inbox/default.nix
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+# TODO(V): Enable highlighting support
+
+{ lib, buildPerlPackage, fetchurl, makeWrapper
+, git, xapian
+, URI, DBDSQLite, SearchXapian, Plack, PlackMiddlewareReverseProxy
+, sqlite  # Only used in tests
+}:
+
+buildPerlPackage rec {
+  pname = "public-inbox";
+  version = "unstable-2021-02-10";
+
+  # We need at least fa3f0cbcd1af5008e56c77e3c46ab60b5eca3a13 for public-inbox-watch to work with mlmmj's archive directory at all.
+  # See also: https://public-inbox.org/meta/CAMwyc-SmvBoVOs+vCMNaWOWPT3TCB-7rJ_0bp43QB+pjzbNv-w@mail.gmail.com/
+  src = fetchurl {
+    url = "https://public-inbox.org/public-inbox.git/snapshot/public-inbox-fa3f0cbcd1af5008e56c77e3c46ab60b5eca3a13.tar.gz";
+    sha256 = "03bynml6gw4936cri31ywqq5ackzkjjggksvpqf220xbcl55w93q";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ URI DBDSQLite SearchXapian Plack PlackMiddlewareReverseProxy ];
+
+  checkInputs = [ git sqlite xapian ];
+  # TODO(edef): Only exclude the individual failing tests, not the entire file
+  preCheck = ''
+    rm t/search.t  # Relies on set-gid, which is unavailable in the build sandbox.
+    rm t/spawn.t  # Tries to setpgid to that of pid 1, which (unexpectedly for the test) succeeds in the sandbox.
+  '';
+
+  postFixup = ''
+    for x in $out/bin/*; do
+      wrapProgram $x --prefix PATH : ${lib.makeBinPath [ git xapian ]}
+    done
+  '';
+
+  meta = with lib; {
+    homepage = "https://public-inbox.org/README.html";
+    description = "Git-based mailing-list archive";
+    license = licenses.agpl3Plus;
+    maintainers = with maintainers; [ V ];
+  };
+}
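Review bot: `src` pins the sha256 of a `.tar.gz` snapshot with `fetchurl`, so the hash covers the compressed archive bytes rather than the source tree. If the server generates that snapshot on request, a change in its git or gzip version can alter the bytes and break the fixed-output hash even though the commit is unchanged. `fetchzip`, which cgiserver/default.nix in this commit already uses, hashes the unpacked contents instead; the `sha256` would have to be recomputed after switching.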