nixos/gancio: use unix socket between nginx and gancio

2024-09-09 15:20:59 +02:00 · 2024-09-09 15:20:59 +02:00 · 432bfec026
commit 432bfec026
parent 58ec286785
2 changed files with 13 additions and 14 deletions
--- a/nixos/modules/services/web-apps/gancio.nix
+++ b/nixos/modules/services/web-apps/gancio.nix
@ -59,19 +59,12 @@ in
            description = "The URL path under which the server is reachable.";
          };
          server = {
-            host = mkOption {
-              type = types.str;
-              default = "localhost";
-              example = "::";
+            socket = mkOption {
+              type = types.path;
+              readOnly = true;
+              default = "/run/gancio/socket";
              description = ''
-                The address (IPv4, IPv6 or DNS) for the gancio server to listen on.
-              '';
-            };
-            port = mkOption {
-              type = types.port;
-              default = 13120;
-              description = ''
-                Port number of the gancio server to listen on.
+                The unix socket for the gancio server to listen on.
              '';
            };
          };
@ -231,6 +224,10 @@ in

        serviceConfig = {
          ExecStart = "${getExe cfg.package} start ${configFile}";
+          # set umask so that nginx can write to the server socket
+          # FIXME: upstream socket permission configuration in Nuxt
+          UMask = "0002";
+          RuntimeDirectory = "gancio";
          StateDirectory = "gancio";
          WorkingDirectory = "/var/lib/gancio";
          LogsDirectory = "gancio";
@ -274,12 +271,14 @@ in
            };
            "@proxy" = {
              proxyWebsockets = true;
-              proxyPass = "http://${cfg.settings.server.host}:${toString cfg.settings.server.port}";
+              proxyPass = "http://unix:${cfg.settings.server.socket}";
              recommendedProxySettings = true;
            };
          };
        }
      ];
    };
+    # for nginx to access gancio socket
+    users.users."${config.services.nginx.user}".extraGroups = [ config.users.users.${cfg.user}.group ];
  };
 }
--- a/nixos/tests/gancio.nix
+++ b/nixos/tests/gancio.nix
@ -71,7 +71,7 @@ import ./make-test-python.nix (
      server.wait_for_unit("postgresql")
      server.wait_for_unit("gancio")
      server.wait_for_unit("nginx")
-      server.wait_for_open_port(13120)
+      server.wait_for_file("/run/gancio/socket")
      server.wait_for_open_port(80)

      # Check can create user via cli