Merge pull request 'working merges with master' (#2) from working into master

Reviewed-on: awkawb/invoice-ninja-nixos#2

Makefile

@@ -11,8 +11,7 @@
 
 # Since all targets are phony, all targets should be listed here
 # One target per line
-.PHONY: boot-graphical-vm \
+.PHONY: boot-vm \
-	boot-vm \
 	build-vm \
 	clean \
 	format-nix-files \
@@ -29,8 +28,8 @@ format-nix-files: ## Format nix files using the nixpkgs-fmt tool
 	find . -name "*.nix" -exec nixpkgs-fmt {} \;
 
 clean: ## Clean build artifacts and shutdown running virtual machines
-	rm result
+	rm result > /dev/null 2>&1
-	rm nixos.qcow2
+	rm nixos.qcow2 > /dev/null 2>&1
 	pkill qemu
 	exit 0
 
@@ -46,6 +45,3 @@ boot-vm: ## Run virtual machine in current terminal
 		-nographic; \
 	reset
 
-boot-graphical-vm: ## Run virtual machine in QEMU window
-	./result/bin/run-nixos-vm
-

default.nix

@@ -7,26 +7,27 @@
 , runtimeDir ? "/run/invoice-ninja"
 }:
 
-let
-  # Helper script to generate an APP_KEY for .env
-  generate-invoice-ninja-app-key = writers.writeBashBin "generate-laravel-key" ''
-    echo "APP_KEY=base64:$(${openssl}/bin/openssl rand -base64 32)"
-  '';
-in
 php.buildComposerProject (finalAttrs: {
   pname = "invoice-ninja";
-  version = "5.10.3";
+  version = "5.10.34";
 
   src = fetchFromGitHub {
     owner = "invoiceninja";
     repo = "invoiceninja";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-QL6L+yT1yRQUTTGYGjaC4zbvzgw4ozgJSP2bYJCf014=";
+    hash = "sha256-2lR2lT8TbDcJ0m3C2ZwdbICPJGSlF9U7I+RC8MxvtOY=";
   };
 
-  vendorHash = "sha256-LGNBgaWWX2a8w9uE3+fVtBDqgbcv69FNnka4HjZKqsQ=";
+  vendorHash = "sha256-Z9gEjZqn8Ew2EnUNyD1dfjt0y+Y+5VjH/q1oFErrorg=";
 
-  propagatedBuildInput = [ generate-invoice-ninja-app-key ];
+  # Patch sources for more restrictive permissions
+  patches = [
+    ./fix-storage-permissions.patch
+    ./disable-react-for-admin.patch
+
+    # FIXME this patch should fix "Health Check" file permissions errors
+    #./fix-base-permissions.patch
+  ];
 
   # Upstream composer.json has invalid license, webpatser/laravel-countries package is pointing
   # to commit-ref, and php required in require and require-dev
@@ -36,21 +37,17 @@ php.buildComposerProject (finalAttrs: {
     mv "$out/share/php/${finalAttrs.pname}"/* $out
     rm -R $out/bootstrap/cache
 
+    rm -rf $out/public/storage
+
     # Move static contents for the NixOS module to pick it up, if needed.
     mv $out/bootstrap $out/bootstrap-static
     mv $out/storage $out/storage-static
-    mv $out/vite.config.ts $out/vite.config.ts.static
-    mv $out/public/images $out/public/images-static
-    mv $out/public/react $out/public/react-static
 
-    ln -s ${dataDir}/public/images $out/public/
+    # Link NixOS module files to derivation output
-    ln -s ${dataDir}/public/react $out/public/
-    ln -s ${dataDir}/vite.config.ts $out/
     ln -s ${dataDir}/.env $out/.env
     ln -s ${dataDir}/storage $out/
     ln -s ${runtimeDir} $out/bootstrap
-
+    ln -s ${dataDir}/storage/app/public $out/public/storage
-    chmod +x $out/artisan
   '';
 
   meta = {

disable-react-for-admin.patch

@@ -0,0 +1,13 @@
+diff --git a/app/Console/Commands/CreateAccount.php b/app/Console/Commands/CreateAccount.php
+index 228f8e8283..1ff3c54a61 100644
+--- a/app/Console/Commands/CreateAccount.php
++++ b/app/Console/Commands/CreateAccount.php
+@@ -79,7 +79,7 @@ class CreateAccount extends Command
+         $company->save();
+ 
+         $account->default_company_id = $company->id;
+-        $account->set_react_as_default_ap = true;
++        $account->set_react_as_default_ap = false;
+         $account->save();
+ 
+         $email = $this->option('email') ?? 'admin@example.com';

fix-base-permissions.patch

@@ -0,0 +1,15 @@
+diff --git a/config/filesystems.php b/config/filesystems.php
+index a104af7a81..3582c519a1 100644
+--- a/config/filesystems.php
++++ b/config/filesystems.php
+@@ -37,8 +37,8 @@ return [
+             'root' => base_path(),
+             'permissions' => [
+                 'file' => [
+-                    'public' => 0664,
+-                    'private' => 0600,
++                    'public' => 0444,
++                    'private' => 0400,
+                 ],
+                 'dir' => [
+                     'public' => 0775,

fix-storage-permissions.patch

@@ -0,0 +1,32 @@
+diff --git a/config/filesystems.php b/config/filesystems.php
+index a104af7a81..5294147710 100644
+--- a/config/filesystems.php
++++ b/config/filesystems.php
+@@ -53,11 +53,11 @@ return [
+             'root' => storage_path('app'),
+             'permissions' => [
+                 'file' => [
+-                    'public' => 0664,
++                    'public' => 0660,
+                     'private' => 0600,
+                 ],
+                 'dir' => [
+-                    'public' => 0775,
++                    'public' => 0770,
+                     'private' => 0700,
+                 ],
+             ],
+@@ -71,11 +71,11 @@ return [
+             'visibility' => 'public',
+             'permissions' => [
+                 'file' => [
+-                    'public' => 0664,
++                    'public' => 0660,
+                     'private' => 0600,
+                 ],
+                 'dir' => [
+-                    'public' => 0775,
++                    'public' => 0770,
+                     'private' => 0700,
+                 ],
+             ],

invoice-ninja.nix

@@ -1,17 +1,21 @@
-{ config, lib, pkgs, ... }:
+{ config
+, lib
+, pkgs
+, modulesPath
+, ... }:
+
 
 let
   cfg = config.services.invoice-ninja;
   user = cfg.user;
   group = cfg.group;
-  testing = pkgs.callPackage ./default.nix { inherit lib; php = pkgs.php; fetchFromGitHub = pkgs.fetchFromGitHub; };
+  invoice-ninja = pkgs.callPackage ./default.nix { inherit (cfg) dataDir runtimeDir; };
-  invoice-ninja = testing.override { inherit (cfg) dataDir runtimeDir; };
   configFile = pkgs.writeText "invoice-ninja-env" (lib.generators.toKeyValue { } cfg.settings);
 
   # PHP environment
   phpPackage = cfg.phpPackage.buildEnv {
     extensions = { enabled, all }: enabled ++ (with all;
-      [ bcmath ctype curl fileinfo gd gmp iconv mbstring mysqli openssl pdo tokenizer zip ]
+      [ bcmath ctype curl fileinfo gd gmp iconv imagick intl mbstring mysqli openssl pdo soap tokenizer zip ]
     );
 
     extraConfig = "memory_limit = 1024M";
@@ -66,6 +70,20 @@ in
       '';
     };
 
+    mail = {
+      mailer = lib.mkOption {
+        type = lib.types.enum [ "sendmail" ];
+        default = "sendmail";
+        description = "Controls the method used by Invoice Ninja to send mail.";
+      };
+      mailFromName = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        example = "Someone";
+        description = "Set the 'To' email header name attribute.";
+      };
+    };
+
     dataDir = lib.mkOption {
       type = lib.types.str;
       default = "/var/lib/invoice-ninja";
@@ -84,13 +102,7 @@ in
       '';
     };
 
-    schedulerInterval = lib.mkOption {
+    hostName = lib.mkOption {
-      type = lib.types.str;
-      default = "1d";
-      description = "How often the Invoice Ninja cron task should run.";
-    };
-
-    domain = lib.mkOption {
       type = lib.types.str;
       default = "localhost";
       description = ''
@@ -101,10 +113,6 @@ in
     phpfpm.settings = lib.mkOption {
       type = with lib.types; attrsOf (oneOf [ int str bool ]);
       default = {
-        "listen.owner" = user;
-        "listen.group" = group;
-        "listen.mode" = "0660";
-
         "pm" = "dynamic";
         "pm.start_servers" = "2";
         "pm.min_spare_servers" = "2";
@@ -116,8 +124,6 @@ in
 
         "php_admin_value[error_log]" = "stderr";
         "php_admin_flag[log_errors]" = true;
-
-        "catch_workers_output" = true;
       };
 
       description = ''
@@ -141,11 +147,23 @@ in
       '';
     };
 
+    adminEmail = lib.mkOption {
+      type = lib.types.str;
+      default = "example@email.com";
+      description = "Email address of the first (admin) account for this Invoice Ninja installation";
+    };
+
+    adminPassword = lib.mkOption {
+      type = lib.types.str;
+      default = "example";
+      description = "Password of the first (admin) account for this Invoice Ninja installation";
+    };
+
     database = {
       createLocally = lib.mkOption {
         type = lib.types.bool;
         default = true;
-        description = "a local database using UNIX socket authentication";
+        description = "A local database using UNIX socket authentication";
       };
 
       name = lib.mkOption {
@@ -155,36 +173,91 @@ in
       };
     };
 
-    enableACME = lib.mkOption {
+    maxUploadSize = lib.mkOption {
-      type = lib.types.bool;
+      type = lib.types.str;
-      default = false;
+      default = "8M";
-      description = ''
+      description = "Maximum allowed upload size to Invoice Ninja.";
-        				Whether an ACME certificate should be used to secure connections to the server.
-        			'';
     };
 
-    nginx = lib.mkOption {
+    msmtp.accounts.invoice-ninja = lib.mkOption {
-      type = lib.types.nullOr (lib.types.submodule
+      type = lib.types.attrs;
-        (import <nixpkgs/nixos/modules/services/web-servers/nginx/vhost-options.nix> {
+      default = {};
-          inherit config lib;
+      example = {
-        }));
+        from = "someone@example.com";
-      default = null;
+        host = "smtp.example";
-      example = ''
+        port = 25;
-        {
+        auth = true;
-          enableACME = true;
+        tls = true;
-          forceHttps = true;
+        tls_starttls = true;
-        }
+        user = "someone";
-      '';
+        passwordeval = "cat /secrets/password.txt";
+      };
       description = ''
-        With this option, you can customize an nginx virtual host which already has sensible defaults
+        Here we define the msmtp configuration for an invoice-ninja account which
-        for Invoice Ninja. Set to {} if you do not need any customization to the virtual host.
+        will be used by Invoice Ninja to send email message.
-        If enabled, then by default, the {option}`serverName` is `''${domain}`. If this is set to
+
-        null (the default), no nginx virtualHost will be configured.
+        It is advised to use the `passwordeval` setting to read the password
+        from a secret file to avoid having it written in the world-readable
+        nix store. The password file must end with a newline (`\n`).
       '';
     };
+
+    webserver = {
+      caddy = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = false;
+          description = "Whether to enable the Caddy server to serve Invoice Ninja.";
+        };
+
+        config = lib.mkOption {
+          type = lib.types.submodule (
+            (import (modulesPath + "/services/web-servers/caddy/vhost-options.nix") { cfg = config.services.caddy; }) {
+              inherit lib; config = cfg; name = (if (cfg.hostName == "localhost") then ":80" else cfg.hostName);
+            }
+          );
+          default = { };
+          description = ''
+            Extra configuration for the Caddy virtual host of Invoice Ninja.
+                Set to `{ }` to use the default configuration
+          '';
+        };
+      };
+
+      nginx = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+          description = "Whether to enable Nginx server to serve Invoice Ninja.";
+        };
+
+        config = lib.mkOption {
+          type = lib.types.submodule (
+            (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix") { inherit config lib; })
+          );
+          default = { };
+          description = ''
+            Extra configuration for the Nginx virtual host of Invoice Ninja.
+                Set to `{ }` to use the default configuration
+          '';
+        };
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
+    # FIXME Caddy and Nginx should be mutually exclusive
+    assertions = [
+      {
+        assertion = ((cfg.webserver.nginx.enable -> !cfg.webserver.caddy.enable)
+          && (cfg.webserver.caddy.enable -> !cfg.webserver.nginx.enable));
+        message = ''
+          Both Nginx and Caddy webservers cannot be enable together. Check your configuration
+          and ensure you only enabled one.
+        '';
+      }
+    ];
+
     users.users.invoiceninja = lib.mkIf (cfg.user == "invoiceninja") {
       isSystemUser = true;
       home = cfg.dataDir;
@@ -196,35 +269,57 @@ in
 
     environment.systemPackages = [ invoice-ninja-manage ] ++ extraPrograms;
 
+    programs.msmtp = {
+      inherit (cfg.msmtp) accounts;
+      enable = true;
+    };
+
     services.invoice-ninja.settings =
       let
-        app_http_url = "http://${cfg.domain}";
+        url = ({ hostName, react ? false }: 
-        app_https_url = "https://${cfg.domain}";
+          if (hostName == "localhost")
-        react_http_url = "http://${cfg.domain}:3001";
+            then
-        react_https_url = "https://${cfg.domain}:3001";
+              (if (react == true) then ("http://" + hostName + ":3001") else ("http://" + hostName))
+            else
+              (if (react == true) then ("https://" + hostName + ":3001") else ("https://" + hostName))
+          );
         chromium = lib.lists.findSingle (x: x == pkgs.chromium) "none" "multiple" extraPrograms;
       in
       lib.mkMerge [
-        ({
+        (rec {
           APP_NAME = lib.mkDefault "\"Invoice Ninja\"";
           APP_ENV = lib.mkDefault "production";
           APP_DEBUG = lib.mkDefault false;
-          APP_URL = lib.mkDefault (if (cfg.domain != "localhost") then "${app_https_url}" else "${app_http_url}");
+          EXPANDED_LOGGING = lib.mkDefault true;
-          REACT_URL = lib.mkDefault (if (cfg.domain != "localhost") then "${react_https_url}" else "${react_http_url}");
+          APP_URL = lib.mkDefault (url { hostName = cfg.hostName; });
+          REACT_URL = lib.mkDefault (url { hostName = cfg.hostName; react = true; });
+          MAIL_MAILER = lib.mkDefault cfg.mail.mailer;
+          MAIL_SENDMAIL_PATH = lib.mkDefault (
+            if (cfg.mail.mailer == "sendmail")
+            then
+              ''"/run/wrappers/bin/sendmail -t -a invoice-ninja"''
+            else
+              ""
+          );
+          MAIL_FROM_ADDRESS = lib.mkDefault "${cfg.msmtp.accounts.invoice-ninja.from}";
+          MAIL_FROM_NAME = lib.mkDefault ''"${cfg.mail.mailFromName}"'';
+          ERROR_EMAIL = lib.mkDefault "${cfg.msmtp.accounts.invoice-ninja.from}";
           DB_CONNECTION = lib.mkDefault "mysql";
           MULTI_DB_ENABLED = lib.mkDefault false;
           DEMO_MODE = lib.mkDefault false;
-          BROADCAST_DRIVER = lib.mkDefault "log";
+          BROADCAST_DRIVER = lib.mkDefault "pusher";
           LOG_CHANNEL = lib.mkDefault "stack";
           CACHE_DRIVER = lib.mkDefault "file";
           QUEUE_CONNECTION = lib.mkDefault "database";
           SESSION_DRIVER = lib.mkDefault "file";
           SESSION_LIFETIME = lib.mkDefault "120";
-          REQUIRE_HTTPS = lib.mkDefault (if (cfg.domain != "localhost") then true else false);
+          REQUIRE_HTTPS = lib.mkDefault (if (cfg.hostName != "localhost") then true else false);
           TRUSTED_PROXIES = lib.mkDefault "127.0.0.1";
           NINJA_ENVIRONMENT = lib.mkDefault "selfhost";
+          LOCAL_DOWNLOAD= lib.mkDefault false;
           PDF_GENERATOR = lib.mkDefault "snappdf";
           SNAPPDF_CHROMIUM_PATH = lib.mkDefault "${chromium}/bin/chromium";
+          PRECONFIGURED_INSTALL = lib.mkDefault true;
         })
         (lib.mkIf (cfg.database.createLocally) {
           DB_CONNECTION = lib.mkDefault "mysql";
@@ -235,76 +330,80 @@ in
         })
       ];
 
-    services.phpfpm.pools.invoiceninja = {
+    services.phpfpm.pools.invoice-ninja = {
       inherit user group phpPackage;
-      inherit (cfg.phpfpm) settings;
+
+      settings = {
+        "listen.owner" = user;
+        "listen.group" = group;
+        "listen.mode" = "0660";
+        "catch_workers_output" = true;
+      } // cfg.phpfpm.settings;
+
+      phpOptions = ''
+        post_max_size = ${cfg.maxUploadSize}
+        upload_max_filesize = ${cfg.maxUploadSize}
+        max_execution_time = 600;
+      '';
     };
 
-    users.users."${config.services.nginx.user}" = lib.mkIf (cfg.nginx != null) { extraGroups = [ cfg.group ]; };
+    users.users."${config.services.nginx.user}" = lib.mkIf (cfg.webserver.nginx.enable == true) { extraGroups = [ cfg.group ]; };
-    services.nginx = lib.mkIf (cfg.nginx != null) {
+    services.nginx = lib.mkIf (cfg.webserver.nginx.enable == true) {
-      enable = true;
+      inherit (cfg.webserver.nginx) enable;
 
-      clientMaxBodySize = "20m";
-
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
       recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedOptimisation = true;
 
-      appendHttpConfig = ''
+      clientMaxBodySize = cfg.maxUploadSize;
-        				# Add HSTS header with preloading to HTTPS requests.
-        				# Adding this header to HTTP requests is discouraged
-        				map $scheme $hsts_header {
-        						https   "max-age=31536000; includeSubdomains; preload";
-        				}
-        				add_header Strict-Transport-Security $hsts_header;
 
-        				# Minimize information leaked to other domains
+      virtualHosts."${cfg.hostName}" = lib.mkMerge [
-        				add_header 'Referrer-Policy' 'origin-when-cross-origin';
+        cfg.webserver.nginx.config
-
-        				# Disable embedding as a frame
-        				add_header X-Frame-Options DENY;
-
-        				# Prevent injection of code in other mime types (XSS Attacks)
-        				add_header X-Content-Type-Options nosniff;
-
-        				# This might create errors
-        				proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-        			'';
-
-      virtualHosts."${cfg.domain}" = lib.mkMerge [
-        cfg.nginx
         {
-          inherit (cfg) enableACME;
+          root = lib.mkForce "${invoice-ninja}/public";
-          forceSSL = lib.mkDefault (if cfg.enableACME then true else false);
+          locations = {
-          root = lib.mkForce "${invoice-ninja}/public/";
+            "= /index.php".extraConfig = '' 
-          locations."= /index.php" = {
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            extraConfig = ''
+              fastcgi_pass unix:${config.services.phpfpm.pools.invoice-ninja.socket};
-              							fastcgi_pass unix:${config.services.phpfpm.pools.invoiceninja.socket};
+              fastcgi_index index.php;
-              							fastcgi_index index.php;
+            '';
-              						'';
+            "/" = {
-          };
+              tryFiles = "$uri $uri/ /index.php?$query_string";
-          locations."~ \\.php$" = {
+              extraConfig = ''
-            return = 403;
+                if (!-e $request_filename) {
-          };
+                    rewrite ^(.+)$ /index.php?q=$1 last;
-          locations."/" = {
+                }
-            tryFiles = "$uri $uri/ /index.php?$query_string";
+              '';
-            extraConfig = ''
+            };
-              							# Add your rewrite rule for non-existent files
+            "~ \\.php$".extraConfig = "return 403;";
-              							if (!-e $request_filename) {
+            "~ /\\.ht".extraConfig = "deny all;";
-              									rewrite ^(.+)$ /index.php?q=$1 last;
-              							}
-              						'';
-          };
-          locations."~ /\\.ht" = {
-            extraConfig = ''
-              							deny all;
-              						'';
           };
           extraConfig = ''
-            						index index.php index.html index.htm;
+            index index.html index.htm index.php;
-            						error_page 404 /index.php;
+            error_page 404 /index.php;
-            					'';
+          '';
+        }
+      ];
+    };
+
+    users.users."${config.services.caddy.user}" = lib.mkIf (cfg.webserver.caddy.enable == true) { extraGroups = [ cfg.group ]; };
+    services.caddy = lib.mkIf (cfg.webserver.caddy.enable == true) {
+      inherit (cfg.webserver.caddy) enable;
+
+      globalConfig = lib.mkIf (cfg.hostName == "localhost") ''
+        auto_https disable_redirects
+      '';
+
+      virtualHosts."${cfg.hostName}" = lib.mkMerge [
+        cfg.webserver.caddy.config
+        {
+          extraConfig = ''
+            encode zstd gzip
+            root * ${invoice-ninja}/public
+            php_fastcgi unix/${config.services.phpfpm.pools.invoice-ninja.socket}
+            file_server
+          '';
         }
       ];
     };
@@ -325,23 +424,16 @@ in
     # Ensure chromium is available
     systemd.services.phpfpm-invoice-ninja.path = extraPrograms;
 
-    systemd.timers.invoice-ninja-cron = {
+    systemd.services.invoice-ninja-worker = {
-      description = "Invoice Ninja periodic tasks timer";
+      description = "Invoice Ninja periodic tasks";
       after = [ "invoice-ninja-data-setup.service" ];
       requires = [ "phpfpm-invoice-ninja.service" ];
-      wantedBy = [ "timers.target" ];
+      wantedBy = [ "multi-user.target" ];
-
+      reloadTriggers = [ invoice-ninja ];
-      timerConfig = {
+      reload = "${invoice-ninja-manage}/bin/invoice-ninja-manage queue:restart";
-        OnBootSec = cfg.schedulerInterval;
-        OnUnitActiveSec = cfg.schedulerInterval;
-      };
-    };
-
-    systemd.services.invoice-ninja-cron = {
-      description = "Invoice Ninja periodic tasks";
 
       serviceConfig = {
-        ExecStart = "${invoice-ninja-manage}/bin/invoice-ninja-manage schedule:run";
+        ExecStart = "${invoice-ninja-manage}/bin/invoice-ninja-manage queue:work";
         User = user;
         Group = group;
         StateDirectory = lib.mkIf (cfg.dataDir == "/var/lib/invoice-ninja") "invoice-ninja";
@@ -354,7 +446,7 @@ in
       wantedBy = [ "multi-user.target" ];
       after = lib.optional cfg.database.createLocally "mysql.service";
       requires = lib.optional cfg.database.createLocally "mysql.service";
-      path = with pkgs; [ bash invoice-ninja-manage rsync ] ++ extraPrograms;
+      path = with pkgs; [ bash invoice-ninja-manage rsync config.services.mysql.package ] ++ extraPrograms;
 
       serviceConfig = {
         Type = "oneshot";
@@ -367,58 +459,71 @@ in
       };
 
       script = ''
-                # Before running any PHP program, cleanup the code cache.
+        # Before running any PHP program, cleanup the code cache.
-                # It's necessary if you upgrade the application otherwise you might
+        # It's necessary if you upgrade the application otherwise you might
-                # try to import non-existent modules.
+        # try to import non-existent modules.
-                rm -f ${cfg.runtimeDir}/app.php
+        rm -f ${cfg.runtimeDir}/app.php
-                rm -rf ${cfg.runtimeDir}/cache/*
+        rm -rf ${cfg.runtimeDir}/cache/*
 
-                # Concatenate non-secret .env and secret .env
+        # Concatenate non-secret .env and secret .env
-                rm -f ${cfg.dataDir}/.env
+        rm -f ${cfg.dataDir}/.env
-                cp --no-preserve=all ${configFile} ${cfg.dataDir}/.env
+        cp --no-preserve=all ${configFile} ${cfg.dataDir}/.env
-                # echo -e '\n' >> ${cfg.dataDir}/.env
+        echo -e '\n' >> ${cfg.dataDir}/.env
-                cat "$CREDENTIALS_DIRECTORY/env-secrets" >> ${cfg.dataDir}/.env
+        cat "$CREDENTIALS_DIRECTORY/env-secrets" >> ${cfg.dataDir}/.env
 
-                # Link the static storage (package provided) to the runtime storage
+        # Link the static storage (package provided) to the runtime storage
-                # Necessary for cities.json and static images.
+        # Necessary for cities.json and static images.
-                mkdir -p ${cfg.dataDir}/storage
+        rsync -av --no-perms ${invoice-ninja}/storage-static/ ${cfg.dataDir}/storage
-                rsync -av --no-perms ${invoice-ninja}/storage-static/ ${cfg.dataDir}/storage
+        
-                chmod -R +w ${cfg.dataDir}/storage
+        # Link the app.php in the runtime folder.
+        # We cannot link the cache folder only because bootstrap folder needs to be writeable.
+        ln -sf ${invoice-ninja}/bootstrap-static/app.php ${cfg.runtimeDir}/app.php
 
-                chmod g+x ${cfg.dataDir}/storage ${cfg.dataDir}/storage/app
+        # Perform the first migration
-                chmod -R g+rX ${cfg.dataDir}/storage/app/public
+        [[ ! -f ${cfg.dataDir}/.initial-migration ]] && invoice-ninja-manage migrate --force && touch ${cfg.dataDir}/.initial-migration
 
-                # Link the app.php in the runtime folder.
+        # Seed database with records
-                # We cannot link the cache folder only because bootstrap folder needs to be writeable.
+        # Necessary for languages, currencies, countries, etc.
-                ln -sf ${invoice-ninja}/bootstrap-static/app.php ${cfg.runtimeDir}/app.php
+        [[ ! -f ${cfg.dataDir}/.db-seeded ]] && invoice-ninja-manage db:seed --force && touch ${cfg.dataDir}/.db-seeded
 
-        				# Link the static public/images (package provided) to the runtime public/public/images
+        # Create Invoice Ninja admin account
-        				mkdir -p ${cfg.dataDir}/public/images
+        [[ ! -f ${cfg.dataDir}/.admin-created ]] \
-        				rsync -av --no-perms ${invoice-ninja}/public/images-static/ ${cfg.dataDir}/public/images
+          && invoice-ninja-manage ninja:create-account --email=${cfg.adminEmail} --password=${cfg.adminPassword} \
-        				
+          && touch ${cfg.dataDir}/.admin-created
-        				# Link the static public/react (package provided) to the runtime public/public/react
+        
-        				mkdir -p ${cfg.dataDir}/public/react
+        invoice-ninja-manage route:cache
-        				rsync -av --no-perms ${invoice-ninja}/public/react-static/ ${cfg.dataDir}/public/react
+        invoice-ninja-manage view:cache
-
+        invoice-ninja-manage config:cache
-        				chmod -R +w ${cfg.dataDir}/public
-        				chmod -R g+rwX ${cfg.dataDir}/public
-        				
-        				# Link the static vite.config.ts (package provided to the runtime vite.config.ts
-        				rsync -av --no-perms ${invoice-ninja}/vite.config.ts.static ${cfg.dataDir}/vite.config.ts
-        				chmod +w ${cfg.dataDir}/vite.config.ts
-        				chmod g+rw ${cfg.dataDir}/vite.config.ts
-
-                invoice-ninja-manage route:cache
-                invoice-ninja-manage view:cache
-                invoice-ninja-manage config:cache
       '';
     };
 
-    systemd.tmpfiles.rules = [
+    systemd.tmpfiles.settings."10-invoice-ninja" = lib.attrsets.genAttrs [
-      # Cache must live across multiple systemd units runtimes.
+      cfg.dataDir
-      "d ${cfg.runtimeDir}/                         0700 ${user} ${group} - -"
+      "${cfg.dataDir}/storage"
-      "d ${cfg.runtimeDir}/cache                    0700 ${user} ${group} - -"
+      "${cfg.dataDir}/storage/app"
-    ];
+      "${cfg.dataDir}/storage/app/public"
+      "${cfg.dataDir}/storage/framework"
+      "${cfg.dataDir}/storage/framework/cache"
+      "${cfg.dataDir}/storage/framework/sessions"
+      "${cfg.dataDir}/storage/framework/testing"
+      "${cfg.dataDir}/storage/framework/views"
+      "${cfg.dataDir}/storage/logs"
+    ] (n: {
+      d = {
+        user = user;
+        group = group;
+        mode = "0770";
+      };
+    }) // lib.attrsets.genAttrs [
+      cfg.runtimeDir
+      "${cfg.runtimeDir}/cache"
+    ] (n: {
+      d = {
+        user = user;
+        group = group;
+        mode = "0750";
+      };
+    });
   };
 }
 

tests/test-config.nix

@@ -10,16 +10,40 @@
 
   nixpkgs.config.allowUnfree = true;
 
+  environment.etc."msmtp-password" = {
+    enable = true;
+    user = "invoiceninja";
+    group = "invoiceninja";
+    mode = "0440";
+    text = ''
+      3t5h638t3a7y7275
+
+    '';
+  };
+
   users.users.test = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
-    initialPassword = "testing";
+    initialPassword = "test";
   };
 
   services.invoice-ninja = {
     enable = true;
     database.createLocally = true;
-    nginx = { };
+    webserver.caddy.enable = true;
+    webserver.nginx.enable = false;
+    mail.mailFromName = "Andrew Bryant";
+    adminEmail = "billing@allpawcare.com";
+    msmtp.accounts.invoice-ninja = {
+      auth = true;
+      tls = true;
+      tls_starttls = false;
+      from = "billing@allpawcare.com";
+      host = "smtp.fastmail.com";
+      port = 465;
+      user = "awkawb@awkawb.cloud";
+      passwordeval = "cat /etc/msmtp-password";
+    };
     secretFile = ./test-secrets.env;
   };