From 56a109b9a598e3e4955b4e969d3967affd25710b Mon Sep 17 00:00:00 2001
From: importantblimp <20533356+importantblimp@users.noreply.github.com>
Date: Sun, 17 Aug 2025 08:55:21 +1200
Subject: [PATCH] nixos/pocket-id: fix local Postgres DB Unix socket connection (#434321)
---
 nixos/modules/services/security/pocket-id.nix | 1 +
 nixos/tests/pocket-id.nix | 53 ++++++++++++++++---
 2 files changed, 47 insertions(+), 7 deletions(-)
diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix
index c74707629b9e..728756c0d77e 100644
--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@@ -196,6 +196,7 @@ in
 ReadWritePaths = [ cfg.dataDir ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
+ "AF_UNIX"
 "AF_INET"
 "AF_INET6"
 ];
diff --git a/nixos/tests/pocket-id.nix b/nixos/tests/pocket-id.nix
index c00ed1f497a6..7f2a4a8255f8 100644
--- a/nixos/tests/pocket-id.nix
+++ b/nixos/tests/pocket-id.nix
@@ -8,7 +8,7 @@
 ];
 nodes = {
- machine =
+ machineSqlite =
 { ... }:
 {
 services.pocket-id = {
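Review bot: The added `"AF_UNIX"` entry in `RestrictAddressFamilies` carries no comment, so the next person tightening this sandbox has nothing in the file telling them it exists for the local PostgreSQL socket connection named in the commit title and may drop it again; suggest `"AF_UNIX" # local DB sockets (e.g. PostgreSQL under /run/postgresql)`. Keeping the family allowed unconditionally rather than only for the Postgres provider looks reasonable, since systemd's own documentation recommends allowing AF_UNIX for local communication such as syslog, but it does widen the unit's reach to every Unix socket visible in its mount namespace, so the mount/path restrictions elsewhere in this `serviceConfig` (outside the hunk) are now what bounds that; worth a second look by whoever maintains the module. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.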
@@ -18,23 +18,62 @@ }; }; }; + + machinePostgres = + { config, ... }: + let + username = config.services.pocket-id.user; + in + { + services.pocket-id = { + enable = true; + settings = { + PORT = 10001; + DB_PROVIDER = "postgres"; + DB_CONNECTION_STRING = "host=/run/postgresql user=${username} database=${username}"; + }; + }; + + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "${username}"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ "${username}" ]; + }; + }; }; testScript = { nodes, ... }: let - inherit (nodes.machine.services.pocket-id) settings; + settingsSqlite = nodes.machineSqlite.services.pocket-id.settings; + settingsPostgres = nodes.machinePostgres.services.pocket-id.settings; inherit (builtins) toString; in '' - machine.wait_for_unit("pocket-id.service") - machine.wait_for_open_port(${toString settings.PORT}) + machineSqlite.wait_for_unit("pocket-id.service") + machineSqlite.wait_for_open_port(${toString settingsSqlite.PORT}) - backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me") + backend_status = machineSqlite.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}/api/users/me") assert backend_status == "401" - machine.succeed("grep 'You are not signed in' /tmp/backend-output") + machineSqlite.succeed("grep 'You are not signed in' /tmp/backend-output") - frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}") + frontend_status = machineSqlite.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}") + assert frontend_status == "200" + + + machinePostgres.wait_for_unit("pocket-id.service") + machinePostgres.wait_for_open_port(${toString settingsPostgres.PORT}) + + backend_status = machinePostgres.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' 
http://localhost:${toString settingsPostgres.PORT}/api/users/me") + assert backend_status == "401" + machinePostgres.succeed("grep 'You are not signed in' /tmp/backend-output") + + frontend_status = machinePostgres.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}") assert frontend_status == "200" ''; }
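Review bot: The new `machinePostgres` block of the `testScript` only repeats the same two HTTP assertions as the SQLite node, so it proves the service comes up with `DB_PROVIDER = "postgres"` but never checks that pocket-id actually used the Postgres database over `/run/postgresql`; a regression in that path that left the service starting some other way (I cannot tell from here whether pocket-id has such a fallback) would pass this test unchanged. Adding one line after the `"200"` check that asserts the schema landed in Postgres, e.g. `machinePostgres.succeed("su postgres -c \"psql -d ${nodes.machinePostgres.services.pocket-id.user} -tAc 'select count(*) from pg_tables where schemaname = $$public$$'\" | grep -qv '^0$'")`, would pin the behaviour the commit title describes, assuming `psql` is on the VM's PATH as `services.postgresql` normally arranges. As a point of style, `name = "${username}";` and `ensureDatabases = [ "${username}" ];` wrap a string in a string; `name = username;` and `ensureDatabases = [ username ];` read cleaner. The `nodes` attribute set that `machinePostgres` is added to begins before this hunk.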