flake.lock: updated flake inputs

Makefile

@@ -1,45 +0,0 @@
-####
-# Target definitions
-####
-
-# Disable echoing of target recipe commands
-# Comment this for debugging
-.SILENT:
-
-# Run target recipes in one shell invocation
-.ONESHELL:
-
-# Since all targets are phony, all targets should be listed here
-# One target per line
-.PHONY: boot-vm \
-	build-vm \
-	clean \
-	format-nix-files \
-	help
-
-# Show the help text
-help:
-	egrep -h '\s##\s' $(MAKEFILE_LIST) \
-		| sort \
-		| awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'
-
-
-format-nix-files: ## Format nix files using the nixpkgs-fmt tool
-	find . -name "*.nix" -exec nixpkgs-fmt {} \;
-
-clean: ## Clean build artifacts and shutdown running virtual machines
-	rm result > /dev/null 2>&1
-	rm nixos.qcow2 > /dev/null 2>&1
-	pkill qemu
-	exit 0
-
-build-vm: clean ## Build virtual machine for testing
-	nix build ".#nixosConfigurations.test.config.system.build.vm"
-
-boot-vm: ## Run virtual machine in current terminal
-	QEMU_KERNEL_PARAMS=console=ttyS0 \
-	QEMU_NET_OPTS=hostfwd=tcp::8080-:80 \
-	QEMU_OPTS=-nographic \
-	./result/bin/run-nixos-vm
-	reset
-

disable-react-for-admin.patch

@@ -1,13 +0,0 @@
-diff --git a/app/Console/Commands/CreateAccount.php b/app/Console/Commands/CreateAccount.php
-index 228f8e8283..1ff3c54a61 100644
---- a/app/Console/Commands/CreateAccount.php
-+++ b/app/Console/Commands/CreateAccount.php
-@@ -79,7 +79,7 @@ class CreateAccount extends Command
-         $company->save();
- 
-         $account->default_company_id = $company->id;
--        $account->set_react_as_default_ap = true;
-+        $account->set_react_as_default_ap = false;
-         $account->save();
- 
-         $email = $this->option('email') ?? 'admin@example.com';

flake.lock

@@ -140,16 +140,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1740339700,
+        "lastModified": 1779102034,
-        "narHash": "sha256-cbrw7EgQhcdFnu6iS3vane53bEagZQy/xyIkDWpCgVE=",
+        "narHash": "sha256-vZJZjLo513IeI8hjzHFc6TDezUd4uCE2Eq4SNO3DNNg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "04ef94c4c1582fd485bbfdb8c4a8ba250e359195",
+        "rev": "687f05a9184cad4eaf905c48b63649e3a86f5433",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,7 +1,7 @@
 {
   description = "An Invoice Ninja package and module.";
 
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 
   outputs =
     { self, nixpkgs, nix, }:

justfile

@@ -0,0 +1,33 @@
+set quiet := true
+
+# Passed to QEMU in boot-vm
+export QEMU_KERNEL_PARAMS := "console=ttyS0"
+export QEMU_NET_OPTS := "hostfwd=tcp::8080-:80"
+export QEMU_OPTS := "-nographic"
+
+[private]
+_default:
+	just --list
+
+[doc('Clean build artifacts and shutdown running virtual machines')]
+[group('maintenance')]
+clean:
+    #!/usr/bin/env bash
+    rm result > /dev/null 2>&1
+    rm nixos.qcow2 > /dev/null 2>&1
+    pkill qemu
+    exit 0
+
+[doc('Build virtual machine for testing')]
+[group('main')]
+build-vm: clean
+    nom build ".#nixosConfigurations.test.config.system.build.vm"
+
+[doc('Run virtual machine in current terminal')]
+[group('main')]
+boot-vm:
+    #!/usr/bin/env bash
+    [ -x result/bin/run-nixos-vm ] && \
+        ./result/bin/run-nixos-vm
+    reset
+

nixos-module/invoiceninja.nix

@@ -498,28 +498,42 @@ in
           addSSL = lib.mkForce (if (cfg.hostname == "localhost") then false else true);
           enableACME = lib.mkForce (if (cfg.hostname == "localhost") then false else true);
           locations = {
+            # Handle Laravel Routes
             "/".tryFiles = "$uri $uri/ /index.php?$query_string";
-            "/".extraConfig = ''
+
-              if (!-e $request_filename) {
+            # PHP Processing
-                rewrite ^(.+)$ /index.php?q=$1 last;
+            "~ \\.php$".extraConfig = ''
-              }
+              include ${config.services.nginx.package}/conf/fastcgi_params;
-              add_header 'Access-Control-Allow-Origin' '*';
+              fastcgi_param SCRIPT_FILENAME $request_filename;
-              add_header 'Access-Control-Allow-Methods' '*';
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              add_header 'Access-Control-Max-Age' 0;
-              add_header 'Content-Length' 0;
-              add_header 'Access-Control-Allow-Headers' 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Disposition,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
-              add_header 'Access-Control-Expose-Headers' 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
-              add_header 'Access-Control-Allow-Credentials' false;
-            '';
-            "~ \\.php$".extraConfig = "return 403;";
-            "= /index.php".extraConfig = ''
               fastcgi_pass unix:${config.services.phpfpm.pools.invoiceninja.socket};
+              fastcgi_index index.php;
             '';
+
+            # Security: Deny access to hidden files
             "~ /\\.ht".extraConfig = "deny all;";
+
+            # Static Files Caching
+            "~* \\.(jpg|jpeg|png|gif|ico|css|js)$".extraConfig = ''
+              expires 1y;
+              add_header Cache-Control "public, immutable";
+            '';
           };
           extraConfig = ''
-            index index.html index.htm index.php;
+            index index.php index.html index.htm;
             error_page 404 /index.php;
+
+            if (!-e $request_filename) {
+              rewrite ^(.+)$ /index.php?q= last;
+            }
+
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' '*';
+            add_header 'Access-Control-Max-Age' 0;
+            add_header 'Content-Length' 0;
+            add_header 'Access-Control-Allow-Headers' 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Disposition,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
+            add_header 'Access-Control-Expose-Headers' 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
+            add_header 'Access-Control-Allow-Credentials' false;
           '';
         }
         (lib.mkIf (cfg.hostname != "localhost") {
@@ -553,9 +567,8 @@ in
             hostName = lib.mkForce proto_hostname;
             extraConfig = ''
               encode zstd gzip
-              root * ${invoiceninja}/public
+              root ${invoiceninja}/public
               php_fastcgi unix/${config.services.phpfpm.pools.invoiceninja.socket}
-              try_files {path} /index.html
               header {
                 Access-Control-Allow-Origin "*"
                 Access-Control-Allow-Methods "*"

package.nix

@@ -1,37 +1,109 @@
-{ lib
+{ buildNpmPackage
-, php
+, npmHooks
-, openssl
-, writers
 , fetchFromGitHub
+, fetchNpmDeps
+, php82
+, nodejs_22
+, npm-lockfile-fix
 , dataDir ? "/var/lib/invoiceninja"
 , runtimeDir ? "/run/invoiceninja"
 }:
 
-php.buildComposerProject (finalAttrs: {
+let
   pname = "invoiceninja";
-  version = "5.12.13";
 
+  version = "5.13.19";
   src = fetchFromGitHub {
-    owner = "invoiceninja";
+    name = "${pname}";
-    repo = "invoiceninja";
+    owner = pname;
-    rev = "v${finalAttrs.version}";
+    repo = pname;
-    hash = "sha256-/+dmZUxDeC33bBuM2oZwU9wOVtJY0X5/dkhlpbfLkYg=";
+    rev = "v${version}";
+    hash = "sha256-pvZNTiGGX6OqOEqcDrDqqpLD1Ohc/TA4nIRjm2jEp74=";
+
+    postFetch = ''
+      # add missing integrity fields to lockfile
+      ${npm-lockfile-fix}/bin/npm-lockfile-fix $out/package-lock.json
+    '';
   };
 
-  vendorHash = "sha256-NzFOh3XpKC3Ia1Ns9I6xN9N6y1F5dFSEk7bxq/eKZIc=";
+  uiVersion = "03.05.2026.1";
+  uiSrc = fetchFromGitHub {
+    name = "${pname}-ui";
+    owner = pname;
+    repo = "ui";
+    tag = uiVersion;
+    hash = "sha256-BTaWNHTE+9NvavUYs56DdJHmqXy36N5k/crj3rU2Npg=";
 
-  patches = [
+    postFetch = ''
-    ./disable-react-for-admin.patch
+      # add missing integrity fields to lockfile
+      ${npm-lockfile-fix}/bin/npm-lockfile-fix $out/package-lock.json
+    '';
+  };
+  
+  # React frontend
+  ui = buildNpmPackage {
+    pname = "${pname}-ui";
+    version = uiVersion;
+    src = uiSrc;
+
+    nodejs = nodejs_22;
+  
+    npmDepsHash = "sha256-JA5TfXeg7iHVjQdjeU6SSD2JFSLISad8hPowaR1roQw=";
+
+    preConfigure = ''
+      sed -i 's/VITE_IS_TEST=true/VITE_IS_TEST=false/' .env.example
+
+      cp .env.example .env
+      cp ${src}/vite.config.ts.react ./vite.config.js
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir $out
+      cp -a * $out
+
+      runHook postInstall
+    '';
+  };
+in
+
+php82.buildComposerProject (finalAttrs: {
+  inherit src version;
+  pname = "${pname}-composer";
+
+  nativeBuildInputs = [
+    nodejs_22
+    npmHooks.npmConfigHook
+    npmHooks.npmBuildHook
   ];
 
+  vendorHash = "sha256-2CyWKlyCyoCt/WdY7Ta0oEXW2KIkGwhilHtzpBJ5Wnk=";
+
   # Upstream composer.json has invalid license, webpatser/laravel-countries package is pointing
   # to commit-ref, and php required in require and require-dev
   composerStrictValidation = false;
 
+  CYPRESS_INSTALL_BINARY = 0;
+
+  npmDeps = fetchNpmDeps {
+    name = "${pname}-${version}-npm-deps";
+    inherit src;
+    hash = "sha256-WCadsQVj9eusYWJEOaEp5DIkVcbmPFGe6bmKi9NZDDg=";
+  };
+
+  preConfigure = ''
+    cp -r ${ui}/dist/* public/
+    cp public/index.html resources/views/react/index.blade.php
+  '';
+
   postInstall = ''
     mv "$out/share/php/${finalAttrs.pname}"/* $out
-    rm -R $out/bootstrap/cache
 
+    # Remove JS/CSS build artifacts
+    rm -rf $out/node_modules
+
+    rm -r $out/bootstrap/cache
     rm -rf $out/public/storage
 
     # Move static contents for the NixOS module to pick it up, if needed.
@@ -44,16 +116,4 @@ php.buildComposerProject (finalAttrs: {
     ln -s ${dataDir}/storage/app/public $out/public/storage
     ln -s ${runtimeDir} $out/bootstrap
   '';
-
-  meta = {
-    description = "Open-source, self-hosted invoicing application";
-    homepage = "https://www.invoiceninja.com/";
-    license = with lib.licenses; {
-      fullName = "Elastic License 2.0";
-      shortName = "Elastic-2.0";
-      free = false;
-    };
-    platforms = lib.platforms.all;
-  };
 })
-

tests/default.nix

@@ -1,4 +1,4 @@
-{ modulesPath, ... }:
+{ pkgs, modulesPath, ... }:
 
 {
   imports = [
@@ -6,7 +6,7 @@
     ../nixos-module/invoiceninja.nix
   ];
 
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.11";
 
   nixpkgs.config.allowUnfree = true;
 
@@ -18,9 +18,10 @@
 
   services.invoiceninja = {
     enable = true;
-    proxy.server = "caddy";
+    proxy.server = "nginx";
     adminAccount.passwordFile = ./invoice_ninja_test_password;
     secretFile = ./test.env;
+    settings.APP_DEBUG = true;
   };
 
   networking.firewall.enable = false;