nixos/pocket-id: fix local Postgres DB Unix socket connection (#434321)

importantblimp 2025-08-17 08:55:21 +12:00
parent 1369df773d
commit 56a109b9a5
2 changed files with 47 additions and 7 deletions


@ -196,6 +196,7 @@ in
ReadWritePaths = [ cfg.dataDir ]; ReadWritePaths = [ cfg.dataDir ];
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
]; ];
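Review bot: The `"AF_UNIX"` entry added to `RestrictAddressFamilies` has no comment saying why the sandbox was widened, and it is allowed for every deployment, including SQLite ones that open no database socket. I would add a line above it such as `# AF_UNIX: needed to reach a local PostgreSQL over its Unix socket (e.g. /run/postgresql)` so a later hardening pass neither removes it nor assumes it is unused. Access to individual sockets is still governed by filesystem permissions and the unit's other sandboxing options, which sit outside this hunk, as do the start and end of the enclosing attribute set.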


@ -8,7 +8,7 @@
]; ];
nodes = { nodes = {
machine = machineSqlite =
{ ... }: { ... }:
{ {
services.pocket-id = { services.pocket-id = {
@ -18,23 +18,62 @@
}; };
}; };
}; };
machinePostgres =
{ config, ... }:
let
username = config.services.pocket-id.user;
in
{
services.pocket-id = {
enable = true;
settings = {
PORT = 10001;
DB_PROVIDER = "postgres";
DB_CONNECTION_STRING = "host=/run/postgresql user=${username} database=${username}";
};
};
services.postgresql = {
enable = true;
ensureUsers = [
{
name = "${username}";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "${username}" ];
};
};
}; };
testScript = testScript =
{ nodes, ... }: { nodes, ... }:
let let
inherit (nodes.machine.services.pocket-id) settings; settingsSqlite = nodes.machineSqlite.services.pocket-id.settings;
settingsPostgres = nodes.machinePostgres.services.pocket-id.settings;
inherit (builtins) toString; inherit (builtins) toString;
in in
'' ''
machine.wait_for_unit("pocket-id.service") machineSqlite.wait_for_unit("pocket-id.service")
machine.wait_for_open_port(${toString settings.PORT}) machineSqlite.wait_for_open_port(${toString settingsSqlite.PORT})
backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me") backend_status = machineSqlite.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}/api/users/me")
assert backend_status == "401" assert backend_status == "401"
machine.succeed("grep 'You are not signed in' /tmp/backend-output") machineSqlite.succeed("grep 'You are not signed in' /tmp/backend-output")
frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}") frontend_status = machineSqlite.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}")
assert frontend_status == "200"
machinePostgres.wait_for_unit("pocket-id.service")
machinePostgres.wait_for_open_port(${toString settingsPostgres.PORT})
backend_status = machinePostgres.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}/api/users/me")
assert backend_status == "401"
machinePostgres.succeed("grep 'You are not signed in' /tmp/backend-output")
frontend_status = machinePostgres.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}")
assert frontend_status == "200" assert frontend_status == "200"
''; '';
} }
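Review bot: The `DB_CONNECTION_STRING` in `machinePostgres` carries no password, so it presumably depends on PostgreSQL peer authentication mapping the service's system user to the role created by `ensureUsers`; nothing in the test says so. A comment above the setting, e.g. `# no password: peer auth over the Unix socket; role and database are named after the service user`, would make that dependency explicit for anyone copying the snippet into a real configuration. As a point of style, `name = "${username}";` and `ensureDatabases = [ "${username}" ];` interpolate a value that is already a string and can be written `name = username;` and `ensureDatabases = [ username ];`. The two assertion sequences in `testScript` are identical apart from the machine and port, so a small Python loop over both nodes would keep them from drifting apart.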