nixos/pocket-id: fix local Postgres DB Unix socket connection (#434321)

2025-08-17 08:55:21 +12:00 · 2025-08-17 08:55:21 +12:00 · 56a109b9a5
commit 56a109b9a5
parent 1369df773d
2 changed files with 47 additions and 7 deletions
--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@ -196,6 +196,7 @@ in
          ReadWritePaths = [ cfg.dataDir ];
          RemoveIPC = true;
          RestrictAddressFamilies = [
+            "AF_UNIX"
            "AF_INET"
            "AF_INET6"
          ];
--- a/nixos/tests/pocket-id.nix
+++ b/nixos/tests/pocket-id.nix
@ -8,7 +8,7 @@
  ];

  nodes = {
-    machine =
+    machineSqlite =
      { ... }:
      {
        services.pocket-id = {
@ -18,23 +18,62 @@
          };
        };
      };
+
+    machinePostgres =
+      { config, ... }:
+      let
+        username = config.services.pocket-id.user;
+      in
+      {
+        services.pocket-id = {
+          enable = true;
+          settings = {
+            PORT = 10001;
+            DB_PROVIDER = "postgres";
+            DB_CONNECTION_STRING = "host=/run/postgresql user=${username} database=${username}";
+          };
+        };
+
+        services.postgresql = {
+          enable = true;
+          ensureUsers = [
+            {
+              name = "${username}";
+              ensureDBOwnership = true;
+            }
+          ];
+          ensureDatabases = [ "${username}" ];
+        };
+      };
  };

  testScript =
    { nodes, ... }:
    let
-      inherit (nodes.machine.services.pocket-id) settings;
+      settingsSqlite = nodes.machineSqlite.services.pocket-id.settings;
+      settingsPostgres = nodes.machinePostgres.services.pocket-id.settings;
      inherit (builtins) toString;
    in
    ''
-      machine.wait_for_unit("pocket-id.service")
-      machine.wait_for_open_port(${toString settings.PORT})
+      machineSqlite.wait_for_unit("pocket-id.service")
+      machineSqlite.wait_for_open_port(${toString settingsSqlite.PORT})

-      backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
+      backend_status = machineSqlite.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}/api/users/me")
      assert backend_status == "401"
-      machine.succeed("grep 'You are not signed in' /tmp/backend-output")
+      machineSqlite.succeed("grep 'You are not signed in' /tmp/backend-output")

-      frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
+      frontend_status = machineSqlite.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}")
+      assert frontend_status == "200"
+
+
+      machinePostgres.wait_for_unit("pocket-id.service")
+      machinePostgres.wait_for_open_port(${toString settingsPostgres.PORT})
+
+      backend_status = machinePostgres.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}/api/users/me")
+      assert backend_status == "401"
+      machinePostgres.succeed("grep 'You are not signed in' /tmp/backend-output")
+
+      frontend_status = machinePostgres.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}")
      assert frontend_status == "200"
    '';
 }