checkmate-server: init at 3.5.1

[robertjakub]

An open-source, self-hosted monitoring tool for tracking server hardware, uptime, response times, and incidents in real-time with beautiful visualisations. Checkmate regularly checks whether a server/website is accessible and performs optimally, providing real-time alerts and reports on the monitored services' availability, downtime, and response time.

Checkmate also has an agent, called Capture, to retrieve data from remote servers. While Capture is not required to run Checkmate, it provides additional insights about your servers' CPU, RAM, disk, and temperature status.

homepage: https://checkmate.so
documentation: https://docs.checkmate.so

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

[robertjakub]

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 496025
Commit: d4133fe023f41a0a41dfb258744a5fe93829dffd (subsequent changes)
Merge: 52d4f0e97b75572a2642c0e90c73d43e2914ce2e

Logs: https://github.com/robertjakub/nixpkgs-review-gha/actions/runs/22602877594

---

x86_64-linux

⏩ 2 packages blacklisted:

• nixos-install-tools
• tests.nixos-functions.nixos-test

✅ 1 package built:

• checkmate-server

---

aarch64-linux

⏩ 2 packages blacklisted:

• nixos-install-tools
• tests.nixos-functions.nixos-test

✅ 1 package built:

• checkmate-server

[philiptaron]

Thanks for putting this together! Checkmate looks like a useful monitoring tool, and the overall structure of the package + module + test is solid.

I dug into the upstream source to understand the environment variables, and found a couple of issues that need addressing before this can merge:

REFRESH_TOKEN_SECRET doesn't exist upstream. The module sets REFRESH_TOKEN_SECRET = cfg.settings.tokenTTL in the systemd environment, but the Checkmate server never reads this variable. It only appears once in the entire upstream repo — as a commented-out line in a Helm chart values file. The server's env validation (server/src/validation/envValidation.ts) doesn't include it, and SettingsService doesn't use it. This line should just be removed.

settings.port is misleading. The upstream server hardcodes port 52345 in server/src/index.ts:53 — it's not configurable via an environment variable. The module's port option only affects the nginx proxyPass target URL, so if someone sets it to anything other than 52345, nginx will proxy to the wrong port and things will silently break. I'd suggest either removing the option and hardcoding 52345 in the nginx config, or at minimum documenting that it must match the upstream default.

The test should exercise nginx. Right now the test curls the backend directly on port 52345, but the module sets up nginx as a reverse proxy. It'd be good to also test a request through nginx to validate that the proxy config actually works.

A few smaller things I noticed while reading through:

• mkEnableOption "Enable Checkmate." produces "Whether to enable Enable Checkmate.." — should be something like mkEnableOption "the Checkmate monitoring server"
• inherit (builtins) toString is unnecessary since toString is already in scope
• build-system in package.nix is a Python/buildPythonPackage concept — makeWrapper should go in nativeBuildInputs instead
• The package-lock.json override and the .toFixed() source patch could use comments explaining why they're needed

[robertjakub]

Thanks for putting this together! Checkmate looks like a useful monitoring tool, and the overall structure of the package + module + test is solid.

I dug into the upstream source to understand the environment variables, and found a couple of issues that need addressing before this can merge:

REFRESH_TOKEN_SECRET doesn't exist upstream. [...] This line should just be removed.

removed. it was my mistake.

settings.port is misleading. The upstream server hardcodes port 52345 in server/src/index.ts:53 — it's not configurable via an environment variable. The module's port option only affects the nginx proxyPass target URL, so if someone sets it to anything other than 52345, nginx will proxy to the wrong port and things will silently break. I'd suggest either removing the option and hardcoding 52345 in the nginx config, or at minimum documenting that it must match the upstream default.

the issue is fixed. the support for a PORT env were removed by mistake. The upstream released new version (3.5.1) with appropriate fixes.

The test should exercise nginx. Right now the test curls the backend directly on port 52345, but the module sets up nginx as a reverse proxy. It'd be good to also test a request through nginx to validate that the proxy config actually works.

done.

A few smaller things I noticed while reading through:

• mkEnableOption "Enable Checkmate." produces "Whether to enable Enable Checkmate.." — should be something like mkEnableOption "the Checkmate monitoring server"

fixed.

• build-system in package.nix is a Python/buildPythonPackage concept — makeWrapper should go in nativeBuildInputs instead

fixed.

• The package-lock.json override and the .toFixed() source patch could use comments explaining why they're
  needed

• .toFixed() was a quick hack on version 3.5.0 - removed as currently not needed.
• package-lock.json override - commented. not all dependencies in the upstream version are resolved and due to this, not all modules are cached.