pyrox.dev / nixpkgs
lol
fork atom

nixos/pocket-id: fix local Postgres DB Unix socket connection (#434321)

importantblimp 56a109b9 1369df77

options
unified split
Changed files
+47 -7
nixos
modules
services
security
pocket-id.nix
tests
pocket-id.nix
+1
nixos/modules/services/security/pocket-id.nix 
···

       
196

       
196

       
 

       
          ReadWritePaths = [ cfg.dataDir ];


     

       
197

       
197

       
 

       
          RemoveIPC = true;


     

       
198

       
198

       
 

       
          RestrictAddressFamilies = [


     

       

       
199

       
+

       
            "AF_UNIX"


     

       
199

       
200

       
 

       
            "AF_INET"


     

       
200

       
201

       
 

       
            "AF_INET6"


     

       
201

       
202

       
 

       
          ];
+46 -7
nixos/tests/pocket-id.nix 
···

       
8

       
8

       
 

       
  ];


     

       
9

       
9

       
 

       



     

       
10

       
10

       
 

       
  nodes = {


     

       
11

       

       
-

       
    machine =


     

       

       
11

       
+

       
    machineSqlite =


     

       
12

       
12

       
 

       
      { ... }:


     

       
13

       
13

       
 

       
      {


     

       
14

       
14

       
 

       
        services.pocket-id = {


     
···

       
18

       
18

       
 

       
          };


     

       
19

       
19

       
 

       
        };


     

       
20

       
20

       
 

       
      };


     

       

       
21

       
+

       



     

       

       
22

       
+

       
    machinePostgres =


     

       

       
23

       
+

       
      { config, ... }:


     

       

       
24

       
+

       
      let


     

       

       
25

       
+

       
        username = config.services.pocket-id.user;


     

       

       
26

       
+

       
      in


     

       

       
27

       
+

       
      {


     

       

       
28

       
+

       
        services.pocket-id = {


     

       

       
29

       
+

       
          enable = true;


     

       

       
30

       
+

       
          settings = {


     

       

       
31

       
+

       
            PORT = 10001;


     

       

       
32

       
+

       
            DB_PROVIDER = "postgres";


     

       

       
33

       
+

       
            DB_CONNECTION_STRING = "host=/run/postgresql user=${username} database=${username}";


     

       

       
34

       
+

       
          };


     

       

       
35

       
+

       
        };


     

       

       
36

       
+

       



     

       

       
37

       
+

       
        services.postgresql = {


     

       

       
38

       
+

       
          enable = true;


     

       

       
39

       
+

       
          ensureUsers = [


     

       

       
40

       
+

       
            {


     

       

       
41

       
+

       
              name = "${username}";


     

       

       
42

       
+

       
              ensureDBOwnership = true;


     

       

       
43

       
+

       
            }


     

       

       
44

       
+

       
          ];


     

       

       
45

       
+

       
          ensureDatabases = [ "${username}" ];


     

       

       
46

       
+

       
        };


     

       

       
47

       
+

       
      };


     

       
21

       
48

       
 

       
  };


     

       
22

       
49

       
 

       



     

       
23

       
50

       
 

       
  testScript =


     

       
24

       
51

       
 

       
    { nodes, ... }:


     

       
25

       
52

       
 

       
    let


     

       
26

       

       
-

       
      inherit (nodes.machine.services.pocket-id) settings;


     

       

       
53

       
+

       
      settingsSqlite = nodes.machineSqlite.services.pocket-id.settings;


     

       

       
54

       
+

       
      settingsPostgres = nodes.machinePostgres.services.pocket-id.settings;


     

       
27

       
55

       
 

       
      inherit (builtins) toString;


     

       
28

       
56

       
 

       
    in


     

       
29

       
57

       
 

       
    ''


     

       
30

       

       
-

       
      machine.wait_for_unit("pocket-id.service")


     

       
31

       

       
-

       
      machine.wait_for_open_port(${toString settings.PORT})


     

       

       
58

       
+

       
      machineSqlite.wait_for_unit("pocket-id.service")


     

       

       
59

       
+

       
      machineSqlite.wait_for_open_port(${toString settingsSqlite.PORT})


     

       
32

       
60

       
 

       



     

       
33

       

       
-

       
      backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")


     

       

       
61

       
+

       
      backend_status = machineSqlite.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}/api/users/me")


     

       
34

       
62

       
 

       
      assert backend_status == "401"


     

       
35

       

       
-

       
      machine.succeed("grep 'You are not signed in' /tmp/backend-output")


     

       

       
63

       
+

       
      machineSqlite.succeed("grep 'You are not signed in' /tmp/backend-output")


     

       
36

       
64

       
 

       



     

       
37

       

       
-

       
      frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")


     

       

       
65

       
+

       
      frontend_status = machineSqlite.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}")


     

       

       
66

       
+

       
      assert frontend_status == "200"


     

       

       
67

       
+

       



     

       

       
68

       
+

       



     

       

       
69

       
+

       
      machinePostgres.wait_for_unit("pocket-id.service")


     

       

       
70

       
+

       
      machinePostgres.wait_for_open_port(${toString settingsPostgres.PORT})


     

       

       
71

       
+

       



     

       

       
72

       
+

       
      backend_status = machinePostgres.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}/api/users/me")


     

       

       
73

       
+

       
      assert backend_status == "401"


     

       

       
74

       
+

       
      machinePostgres.succeed("grep 'You are not signed in' /tmp/backend-output")


     

       

       
75

       
+

       



     

       

       
76

       
+

       
      frontend_status = machinePostgres.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}")


     

       
38

       
77

       
 

       
      assert frontend_status == "200"


     

       
39

       
78

       
 

       
    '';


     

       
40

       
79

       
 

       
}