Benjamin Bädorf 2023-06-26 15:15:19 +02:00
commit df6b127506
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
13 changed files with 5752 additions and 0 deletions

.envrc Normal file
use flake
use flake

.gitignore vendored Normal file
.gitignore

2 Normal file
@ -0,0 +1,2 @@
# OpenProject on NixOS

flake.lock generated Normal file
flake.lock
"nodes": {
"devshell": {
"inputs": {
"nixpkgs": [
"systems": [
"locked": {
"lastModified": 1687173957,
"narHash": "sha256-GOds2bAQcZ94fb9/Nl/aM+r+0wGSi4EKYuZYR8Dw4R8=",
"owner": "numtide",
"repo": "devshell",
"rev": "2cf83bb31720fcc29a999aee28d6da101173e66a",
"type": "github"
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
"nixpkgs": {
"locked": {
"lastModified": 1687358386,
"narHash": "sha256-T3Qx0iL2BJmVgxqsaM3k6Y5n1XflYwLaYrzcFpdS7Yg=",
"owner": "pub-solar",
"repo": "nixpkgs",
"rev": "a22e59a4da3d22503ba6d804d0835e9977236576",
"type": "github"
"original": {
"owner": "pub-solar",
"ref": "ruby-gemfile-relative-modules",
"repo": "nixpkgs",
"type": "github"
"root": {
"inputs": {
"devshell": "devshell",
"nixpkgs": "nixpkgs",
"systems": "systems"
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
"root": "root",
"version": 7

flake.nix Normal file
flake.nix
description = "OpenProject Nix";
# inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
inputs.nixpkgs.url = "github:pub-solar/nixpkgs/ruby-gemfile-relative-modules"; = "github:nix-systems/default";
inputs.devshell.url = "github:numtide/devshell";
inputs.devshell.inputs.nixpkgs.follows = "nixpkgs"; = "systems";
outputs = {self, nixpkgs, systems, devshell }:
eachSystem = nixpkgs.lib.genAttrs (import systems);
# Nixpkgs instantiated for system types in nix-systems
nixpkgsFor = eachSystem (system:
import nixpkgs {
inherit system;
overlays = [
overlays = {
default = (import ./overlay.nix);
devShells = eachSystem (system:
pkgs = nixpkgsFor.${system};
default = pkgs.devshell.mkShell {
# Add additional packages you'd like to be available in your devshell
# PATH here
devshell.packages = with pkgs; [
commands = [
help = pkgs.cachix.meta.description;
name = pkgs.cachix.pname;
package = pkgs.cachix;
bash.extra = ''
packages = eachSystem (system:
pkgs = nixpkgsFor.${system};
openproject = pkgs.openproject;
nixosConfigurations =
system = "x86_64-linux";
pkgs = nixpkgsFor.${system};
test-vm = nixpkgs.lib.nixosSystem {
inherit system pkgs;
modules = [./test-vm/configuration.nix];
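Review bot: `inputs.nixpkgs.url` follows a branch of a nixpkgs fork (`github:pub-solar/nixpkgs/ruby-gemfile-relative-modules`), and nothing in the file says what the fork carries or when to return to upstream. flake.lock pins the rev and narHash, so a given checkout is reproducible, but each `nix flake update` adopts whatever the branch head is at that moment, and the package set only receives upstream security fixes when the fork is rebased. I would put a comment above the input, for example `# nixpkgs fork carrying <patch description>; switch back to nixos-unstable once <upstream PR> is merged`, so the next lock update is a reviewed decision. `nixosConfigurations` also hard-codes `x86_64-linux` while the other outputs go through `eachSystem`; a one-line comment that the test VM is x86_64-only would cover that.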

node/openproject-app.nix Normal file
@ -0,0 +1,29 @@
{ fetchFromGitHub
, fetchNpmDeps
, runCommand
, nodejs
, yarn
, path
, nodePackages
pinData = import ../srcs/pin.nix;
inherit (pinData) erpnextVersion;
inherit (pinData.hashes) erpnextSrcHash;
src = fetchFromGitHub {
owner = "frappe";
repo = "erpnext";
rev = "v${erpnextVersion}";
hash = erpnextSrcHash;
offlineCache = fetchNpmDeps {
yarnLock = "${src}/yarn.lock";
sha256 = "sha256-Vho4BSbxcsVYExLvUaeoc3xIpbXoCUP/4jw4RwGnWGY=";
mkApp = import ./mk-app.nix {
inherit path runCommand nodejs yarn nodePackages;
in mkApp "erpnext" src offlineCache
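Review bot: This file is named for OpenProject but fetches `frappe/erpnext` at `v${erpnextVersion}` and ends in `mkApp "erpnext" src offlineCache`, which looks like a leftover from an ERPNext packaging. It imports `../srcs/pin.nix` and `./mk-app.nix`, and as far as the page shows neither path is among the 13 files in this commit, so evaluation would presumably fail as soon as something referenced it. The unnamed section that follows has the same origin (`${frappe-app}`, `${erpnext-app}`). If the files are kept as templates, a header comment such as `# TODO: copied from the ERPNext packaging, not wired into the flake yet` would keep someone from building the wrong upstream by accident; otherwise I would leave them out of the initial commit.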

@ -0,0 +1,32 @@
{ runCommand
, yarn
runCommand "openproject-frontend-build" {buildInputs = [yarn]; } ''
mkdir -p sites apps
# Cannot symlink because the code which traverses path to find sites
# directory gets confused.
cp -r ${frappe-app}/share/apps/frappe apps/frappe
cp -r ${erpnext-app}/share/apps/erpnext apps/erpnext
cat > sites/apps.txt <<EOF
pushd apps/frappe > /dev/null
yarn --offline production
popd > /dev/null
symlinkPublic() {
find $1/share/apps/$2/$2/public -type d -mindepth 1 -maxdepth 1 | xargs -I '{}' bash -c "ln -s {} sites/assets/$2/"'$(basename {})'
symlinkPublic ${frappe-app} frappe
symlinkPublic ${erpnext-app} erpnext
mkdir -p $out/share/sites
cp -r sites/assets $out/share/sites/assets
ln -s ${frappe-app}/share/apps/frappe/node_modules $out/share/sites/assets/frappe/node_modules
ln -s ${erpnext-app}/share/apps/erpnext/node_modules $out/share/sites/assets/erpnext/node_modules
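Review bot: In `symlinkPublic` the directory names returned by `find` are pasted into a `bash -c` string through `xargs -I '{}'`, and `$1`/`$2` are unquoted, so a path containing whitespace or shell metacharacters would be split or interpreted by the shell instead of being linked. The inputs are store paths of the app packages, so the exposure is limited to what upstream ships under `public/`, but the shell round trip is not needed: `find "$1/share/apps/$2/$2/public" -mindepth 1 -maxdepth 1 -type d -exec ln -s -t "sites/assets/$2/" {} +` creates the same links with GNU coreutils. Putting `-mindepth`/`-maxdepth` before `-type` also avoids the GNU find warning about option order. The function's closing brace is not visible in this section.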

overlay.nix Normal file
overlay.nix
final: prev: {
openproject = final.callPackage ./ruby/openproject.nix {};

ruby/Gemfile Normal file
ruby/Gemfile
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2023 the OpenProject GmbH
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# See COPYRIGHT and LICENSE files for more details.
source ''
ruby '~> 3.2.1'
gem 'ox'
gem 'actionpack-xml_parser', '~> 2.0.0'
gem 'activemodel-serializers-xml', '~> 1.0.1'
gem 'activerecord-import', '~> 1.4.0'
gem 'activerecord-session_store', '~> 2.0.0'
gem 'rails', '~> 7.0', '>='
gem 'responders', '~> 3.0'
gem 'ffi', '~> 1.15'
gem 'rdoc', '>= 2.4.2'
gem 'doorkeeper', '~> 5.6.6'
# Maintain our own omniauth due to relative URL root issues
# see upstream PR:
gem 'omniauth', git: '', ref: 'fe862f986b2e846e291784d2caa3d90a658c67f0'
gem 'request_store', '~> 1.5.0'
gem 'warden', '~> 1.2'
gem 'warden-basic_auth', '~> 0.2.1'
gem 'will_paginate', '~> 4.0.0'
gem 'friendly_id', '~> 5.5.0'
gem 'acts_as_list', '~> 1.1.0'
gem 'acts_as_tree', '~> 2.9.0'
gem 'awesome_nested_set', '~> 3.5.0'
gem 'closure_tree', '~> 7.4.0'
gem 'rubytree', '~> 2.0.0'
# Only used in down migrations now.
# Is to be removed once the referencing migrations have been squashed.
gem 'typed_dag', '~> 2.0.2', require: false
gem 'addressable', '~> 2.8.0'
# Remove whitespace from model input
gem "auto_strip_attributes", "~> 2.5"
# Provide timezone info for TZInfo used by AR
gem 'tzinfo-data', '~> 1.2023.1'
# to generate html-diffs (e.g. for wiki comparison)
gem 'htmldiff'
# Generate url slugs with #to_url and other string niceties
gem 'stringex', '~> 2.8.5'
# CommonMark markdown parser with GFM extension
gem 'commonmarker', '~> 0.23.9'
# HTML pipeline for transformations on text formatter output
# such as sanitization or additional features
gem 'html-pipeline', '~> 2.14.0'
# Tasklist parsing and renderer
gem 'deckar01-task_list', '~> 2.3.1'
# Requires escape-utils for faster escaping
gem 'escape_utils', '~> 1.3'
# Syntax highlighting used in html-pipeline with rouge
gem 'rouge', '~> 4.1.0'
# HTML sanitization used for html-pipeline
gem 'sanitize', '~> 6.0.1'
# HTML autolinking for mails and urls (replaces autolink)
gem 'rinku', '~> 2.0.4'
# Version parsing with semver
gem 'semantic', '~> 1.6.1'
# generates SVG Graphs
# used for statistics on svn repositories
gem 'svg-graph', '~> 2.2.0'
gem 'date_validator', '~> 0.12.0'
gem 'email_validator', '~> 2.2.3'
gem 'json_schemer', '~> 1.0.1'
gem 'ruby-duration', '~> 3.2.0'
# `config/initializers/mail_starttls_patch.rb` has also been patched to
# fix STARTTLS handling until is
# released.
gem 'mail', '= 2.8.1'
# provide compatible filesystem information for available storage
gem 'sys-filesystem', '~> 1.4.0', require: false
# Faster posix-compliant spawns for 8.0. conversions with pandoc
gem 'posix-spawn', '~> 0.3.13', require: false
gem 'bcrypt', '~> 3.1.6'
gem 'multi_json', '~> 1.15.0'
gem 'oj', '~> 3.15.0'
gem 'daemons'
gem 'delayed_cron_job', '~> 0.9.0'
gem 'delayed_job_active_record', '~> 4.1.5'
gem 'rack-protection', '~> 3.0.0'
# Rack::Attack is a rack middleware to protect your web app from bad clients.
# It allows whitelisting, blacklisting, throttling, and tracking based
# on arbitrary properties of the request.
gem 'rack-attack', '~> 6.6.0'
# CSP headers
gem 'secure_headers', '~> 6.5.0'
# Browser detection for incompatibility checks
gem 'browser', '~> 5.3.0'
# Providing health checks
gem 'okcomputer', '~> 1.18.1'
gem 'gon', '~> 6.4.0'
# Lograge to provide sane and non-verbose logging
gem 'lograge', '~> 0.12.0'
# Structured warnings to selectively disable them in production
gem 'structured_warnings', '~> 0.4.0'
# catch exceptions and send them to any airbrake compatible backend
# don't require by default, instead load on-demand when actually configured
gem 'airbrake', '~> 13.0.0', require: false
gem 'prawn', '~> 2.2'
gem 'md_to_pdf', git: '', tag: 'v0.0.18'
# prawn implicitly depends on matrix gem no longer in ruby core with 3.1
gem 'matrix', '~> 0.4.2'
gem 'meta-tags', '~> 2.18.0'
gem "paper_trail", "~> 12.3"
group :production do
# we use dalli as standard memcache client
# requires memcached 1.4+
gem 'dalli', '~> 3.2.0'
gem 'i18n-js', '~> 3.9.0'
gem 'rails-i18n', '~> 7.0.0'
gem 'sprockets', '~> 3.7.2' # lock sprockets below 4.0
gem 'sprockets-rails', '~> 3.4.2'
gem 'puma', '~> 6.1'
gem 'puma-plugin-statsd', '~> 2.0'
gem 'rack-timeout', '~> 0.6.3', require: "rack/timeout/base"
gem 'nokogiri', '~> 1.15.1'
gem 'carrierwave', '~> 1.3.1'
gem 'carrierwave_direct', '~> 2.1.0'
gem 'fog-aws'
gem 'aws-sdk-core', '~> 3.107'
# File upload via fog + screenshots on travis
gem 'aws-sdk-s3', '~> 1.91'
gem 'openproject-token', '~> 3.0.1'
gem 'plaintext', '~> 0.3.2'
gem 'rest-client', '~> 2.0'
gem 'ruby-progressbar', '~> 1.13.0', require: false
gem 'mini_magick', '~> 4.12.0', require: false
gem 'validate_url'
# Appsignal integration
gem "appsignal", "~> 3.0", require: false
gem 'view_component'
gem 'turbo-rails', "~> 1.1"
group :test do
gem 'launchy', '~> 2.5.0'
gem 'rack-test', '~> 2.1.0'
gem 'shoulda-context', '~> 2.0'
# Test prof provides factories from code
# and other niceties
gem 'test-prof', '~> 1.2.0'
gem 'turbo_tests', github: "crohr/turbo_tests", ref: "fix/runtime-info"
gem 'rack_session_access'
gem 'rspec', '~> 3.12.0'
# also add to development group, so "spec" rake task gets loaded
gem 'rspec-rails', '~> 6.0.0', group: :development
# Retry failures within the same environment
gem 'retriable', '~> 3.1.1'
gem 'rspec-retry', '~> 0.6.1'
# XML comparison tests
gem 'compare-xml', '~> 0.66', require: false
# brings back testing for 'assigns' and 'assert_template' extracted in rails 5
gem 'rails-controller-testing', '~> 1.0.2'
gem 'capybara', '~> 3.39.0'
gem 'capybara-screenshot', '~> 1.0.17'
gem 'selenium-webdriver', '~> 4.0'
gem 'webdrivers', '~> 5.2.0'
gem 'fuubar', '~> 2.5.0'
gem 'timecop', '~> 0.9.0'
# Mock backend requests (for ruby tests)
gem 'webmock', '~> 3.12', require: false
# Mock selenium requests through proxy (for feature tests)
gem 'puffing-billy', '~> 3.1.0'
gem 'table_print', '~> 1.5.6'
gem 'equivalent-xml', '~> 0.6'
gem 'json_spec', '~> 1.1.4'
gem 'shoulda-matchers', '~> 5.0', require: nil
gem 'parallel_tests', '~> 4.0'
group :ldap do
gem 'net-ldap', '~> 0.18.0'
group :development do
gem 'listen', '~> 3.8.0' # Use for event-based reloaders
gem 'letter_opener'
gem 'spring'
gem 'spring-commands-rspec'
# Gems for living styleguide
gem 'livingstyleguide', '~> 2.1.0'
gem 'sassc-rails'
gem 'colored2'
# git hooks manager
gem 'lefthook', require: false
group :development, :test do
gem 'dotenv-rails'
# Require factory_bot for usage with openproject plugins testing
gem 'factory_bot', '~> 6.2.0'
# require factory_bot_rails for convenience in core development
gem 'factory_bot_rails', '~> 6.2.0'
# Tracing and profiling gems
gem 'flamegraph', require: false
gem 'rack-mini-profiler', require: false
gem 'ruby-prof', require: false
gem 'stackprof', require: false
# REPL with debug commands
gem 'debug'
gem 'pry-byebug', '~> 3.10.0', platforms: [:mri]
gem 'pry-rails', '~> 0.3.6'
gem 'pry-rescue', '~> 1.5.2'
# ruby linting
gem 'rubocop', require: false
gem 'rubocop-rails', require: false
gem 'rubocop-rspec', require: false
# Brakeman scanner
gem 'brakeman', '~> 6.0.0'
gem 'bootsnap', '~> 1.16.0', require: false
# API gems
gem 'grape', '~> 1.7.0'
gem 'grape_logging', '~> 1.8.4'
gem 'roar', '~> 1.2.0'
# CORS for API
gem 'rack-cors', '~> 2.0.0'
# Gmail API
gem 'google-apis-gmail_v1', require: false
gem 'googleauth', require: false
# Required for contracts
gem 'disposable', '~> 0.6.2'
platforms :mri, :mingw, :x64_mingw do
group :postgres do
gem 'pg', '~> 1.5.0'
# Support application loading when no database exists yet.
gem 'activerecord-nulldb-adapter', '~> 0.9.0'
# Have application level locks on the database to have a mutex shared between workers/hosts.
# We e.g. employ this to safeguard the creation of journals.
gem 'with_advisory_lock', '~> 4.6.0'
# Defines OpenProject (CE) modules and their dependencies
# the dependencies from the gemspec from a git repo are ignored
# see also
gem 'omniauth-saml', '~> 1.10.1'
group :development, :test do
gem 'ladle'
gem 'omniauth-openid_connect-providers',
git: '',
ref: 'a6c0c3ed78fac79cf4d007e40d4029e524ec7751'
gem 'omniauth-openid-connect',
git: '',
ref: 'efddc061a72791db019259768a4656c0435709e8'
group :opf_plugins do
# included so that engines can reference OpenProject::Version
$:.push File.expand_path("../lib", __FILE__)
gem 'openproject-auth_plugins', path: 'modules/auth_plugins'
gem 'openproject-auth_saml', path: 'modules/auth_saml'
gem 'openproject-openid_connect', path: 'modules/openid_connect'
gem 'openproject-documents', path: 'modules/documents'
gem 'openproject-xls_export', path: 'modules/xls_export'
gem 'costs', path: 'modules/costs'
gem 'openproject-reporting', path: 'modules/reporting'
gem 'openproject-meeting', path: 'modules/meeting'
gem 'openproject-pdf_export', path: 'modules/pdf_export'
gem "openproject-backlogs", path: 'modules/backlogs'
gem 'openproject-avatars', path: 'modules/avatars'
gem 'openproject-two_factor_authentication', path: 'modules/two_factor_authentication'
gem 'openproject-webhooks', path: 'modules/webhooks'
gem 'openproject-github_integration', path: 'modules/github_integration'
gem 'openproject-ldap_groups', path: 'modules/ldap_groups'
gem 'openproject-recaptcha', path: 'modules/recaptcha'
gem 'openproject-job_status', path: 'modules/job_status'
gem 'grids', path: 'modules/grids'
gem 'my_page', path: 'modules/my_page'
gem 'dashboards', path: 'modules/dashboards'
gem 'openproject-boards', path: 'modules/boards'
gem 'overviews', path: 'modules/overviews'
gem 'budgets', path: 'modules/budgets'
gem 'openproject-team_planner', path: 'modules/team_planner'
gem 'openproject-calendar', path: 'modules/calendar'
gem 'openproject-storages', path: 'modules/storages'
gem 'openproject-bim', path: 'modules/bim'
# Load Gemfile.local, Gemfile.plugins and custom Gemfiles
gemfiles = Dir.glob File.expand_path('{Gemfile.plugins,Gemfile.local}', __dir__)
gemfiles.each do |file|
# We use send to allow dependabot to function
# don't use eval_gemfile(file) here as it will break dependabot!
send(:eval_gemfile, file) if File.readable?(file)

ruby/Gemfile.lock


ruby/gemset.nix


ruby/openproject.nix Normal file
ruby/openproject.nix
{ lib
, stdenv
, fetchFromGitHub
, bundlerEnv
, fetchNpmDeps
, ruby_3_2
, defaultGemConfig
, makeWrapper
, which
, nixosTests
version = "12.5.7";
rubyEnv = bundlerEnv {
name = "openproject-env-${version}";
ruby = ruby_3_2;
gemdir = ./.;
groups = [ "development" "ldap" "markdown" "common_mark" "minimagick" "test" ];
src = fetchFromGitHub {
owner = "opf";
repo = "openproject";
rev = "53b19adcd5e6feffec0d0daa47f5ff480f3ab04b";
hash = "sha256-3YniGdLmOh71cqJ5EzT+tpwN1Ru9NiC/2CL8aDEEmNA=";
offlineNpmCache = fetchNpmDeps {
src = src + "/frontend";
hash = "sha256-cGrgMwhh/WfahMd8TbzHZ6PruU+4V7cogWJp8gMCIlI=";
stdenv.mkDerivation rec {
pname = "openproject";
inherit version;
inherit src;
nativeBuildInputs = [ makeWrapper which ];
buildInputs = [ rubyEnv rubyEnv.wrappedRuby rubyEnv.bundler ];
buildPhase = ''
echo 'link node_modules'
ln -s ${offlineNpmCache}/node_modules ./frontend/node_modules
export PATH="${offlineNpmCache}/bin:$PATH"
echo 'wrap ruby'
export BUNDLE_GEMFILE=./Gemfile
ruby -e 'puts ENV["BUNDLE_GEMFILE"]'
echo 'rake assets:prepare_op'
bundle exec rake assets:prepare_op
echo 'rake openproject:plugins:register_frontend'
bundle exec rake openproject:plugins:register_frontend
echo 'npm build:ci'
(cd frontend && npm run build:ci)
echo 'rake assets:rebuild_manifest'
bundle exec rake assets:rebuild_manifest
installPhase = ''
echo "installPhase!"
makeWrapper ${rubyEnv.wrappedRuby}/bin/ruby $out/bin/rdm-mailhandler.rb --add-flags $out/share/redmine/extra/mail_handler/rdm-mailhandler.rb
meta = with lib; {
homepage = "";
platforms = platforms.linux;
maintainers = with maintainers; [ ];
license = licenses.gpl3;
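Review bot: `groups` in the `bundlerEnv` call lists `development` and `test` but not `production` or `postgres`, so going by the Gemfile in this commit the environment pulls in debugging and profiling gems (`pry-*`, `debug`, `rack-mini-profiler`, `letter_opener`) while `dalli` and `pg` may be left out. `markdown`, `common_mark` and `minimagick` are not groups in that Gemfile at all, which suggests the list was copied from another package. Something like `groups = [ "default" "production" "postgres" "ldap" "opf_plugins" ];` would match the Gemfile, to be confirmed against how bundlerEnv treats the default group. The visible `installPhase` only wraps `rdm-mailhandler.rb` under `$out/share/redmine`, a path nothing in this derivation creates, so the built application does not seem to be copied into `$out` yet; a `# TODO` comment there would make that explicit.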

test-vm/configuration.nix Normal file
@ -0,0 +1,111 @@
{ pkgs, lib, config, modulesPath, ... }:
imports = [
config = {
services.qemuGuest.enable = true;
system.stateVersion = "23.05";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
boot = {
growPartition = true;
loader.timeout = 5;
virtualisation = {
diskSize = 8000; # MB
memorySize = 2048; # MB
# We don't want to use tmpfs, otherwise the nix store's size will be bounded
# by a fraction of available RAM.
writableStoreUseTmpfs = false;
forwardPorts = [{
guest.port = 22;
host.port = 2222;
} {
guest.port = 9090;
host.port = 9090;
} {
guest.port = 8081;
host.port = 8081;
# So that we can ssh into the VM, see e.g.
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "yes";
# Give root an empty password to ssh in.
users.extraUsers.root.password = "";
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU"
users.mutableUsers = false;
networking.firewall.enable = false;
environment.systemPackages = with pkgs; [
services.redis.servers = {
# Queue, naming it "" makes it use default values.
"".enable = true;
socketio = {
enable = true;
port = 12311;
users.users.openproject = {
description = "User to run openproject";
group = "openproject";
isSystemUser = true;
home = "/var/lib/openproject";
createHome = true;
}; = {
enable = true;
wantedBy = [ "" ];
after = [ "mysql.service" "redis.service" "redis-socketio.service" ];
description = "ERPNext";
confinement = {
enable = true;
packages = [ pkgs.mariadb-client pkgs.nodejs penv ];
script = ''
export PYTHON_PATH=${penv}/${pkgs.python3.sitePackages}
export PATH="${pkgs.mariadb-client}/bin:${pkgs.nodejs}/bin:${penv}/bin:$PATH"
# Initialize the DB
# Start the server
serviceConfig = {
User = "erpnext";
NoNewPrivileges = true;
Type = "simple";
BindReadOnlyPaths = [
BindPaths = [
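Review bot: The VM enables sshd with `PermitRootLogin = "yes"`, gives root an empty password, disables the firewall and forwards guest port 22 to host port 2222 without a `host.address`, and QEMU's user-mode forward then listens on all host interfaces by default, so the guest's root login is reachable from anything that can reach the host. Since an authorized key is already configured, I would drop `users.extraUsers.root.password = "";`, set `services.openssh.settings.PermitRootLogin = "prohibit-password";` and add `host.address = "127.0.0.1";` to each `forwardPorts` entry. A comment at the top stating that this configuration is for local testing only would help keep it from being reused as a deployment template. Separately, the service runs as `User = "erpnext"` with the description "ERPNext" and orders itself after `mysql.service`, while the user created above is `openproject`, which looks like a copy-paste leftover.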