nixos/pocket-id: fix local Postgres DB Unix socket connection (#434321) (2c019e7f) · Commits · nix / nixpkgs

nixos/modules/services/security/pocket-id.nix

+1 −0

Original line number	Diff line number	Diff line
		@@ -196,6 +196,7 @@ in
		ReadWritePaths = [ cfg.dataDir ];
		RemoveIPC = true;
		RestrictAddressFamilies = [
		"AF_UNIX"
		"AF_INET"
		"AF_INET6"
		];

nixos/tests/pocket-id.nix

+46 −7

Original line number	Diff line number	Diff line
		@@ -8,7 +8,7 @@
		];

		nodes = {
		machine =
		machineSqlite =
		{ ... }:
		{
		services.pocket-id = {
		@@ -18,23 +18,62 @@
		};
		};
		};

		machinePostgres =
		{ config, ... }:
		let
		username = config.services.pocket-id.user;
		in
		{
		services.pocket-id = {
		enable = true;
		settings = {
		PORT = 10001;
		DB_PROVIDER = "postgres";
		DB_CONNECTION_STRING = "host=/run/postgresql user=${username} database=${username}";
		};
		};

		services.postgresql = {
		enable = true;
		ensureUsers = [
		{
		name = "${username}";
		ensureDBOwnership = true;
		}
		];
		ensureDatabases = [ "${username}" ];
		};
		};
		};

		testScript =
		{ nodes, ... }:
		let
		inherit (nodes.machine.services.pocket-id) settings;
		settingsSqlite = nodes.machineSqlite.services.pocket-id.settings;
		settingsPostgres = nodes.machinePostgres.services.pocket-id.settings;
		inherit (builtins) toString;
		in
		''
		machine.wait_for_unit("pocket-id.service")
		machine.wait_for_open_port(${toString settings.PORT})
		machineSqlite.wait_for_unit("pocket-id.service")
		machineSqlite.wait_for_open_port(${toString settingsSqlite.PORT})

		backend_status = machineSqlite.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}/api/users/me")
		assert backend_status == "401"
		machineSqlite.succeed("grep 'You are not signed in' /tmp/backend-output")

		frontend_status = machineSqlite.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsSqlite.PORT}")
		assert frontend_status == "200"


		machinePostgres.wait_for_unit("pocket-id.service")
		machinePostgres.wait_for_open_port(${toString settingsPostgres.PORT})

		backend_status = machine.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settings.PORT}/api/users/me")
		backend_status = machinePostgres.succeed("curl -L -o /tmp/backend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}/api/users/me")
		assert backend_status == "401"
		machine.succeed("grep 'You are not signed in' /tmp/backend-output")
		machinePostgres.succeed("grep 'You are not signed in' /tmp/backend-output")

		frontend_status = machine.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settings.PORT}")
		frontend_status = machinePostgres.succeed("curl -L -o /tmp/frontend-output -w '%{http_code}' http://localhost:${toString settingsPostgres.PORT}")
		assert frontend_status == "200"
		'';
		}

Admin message