From 432bfec0264157e5485768897a70b5193c2015a7 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Giraudeau
Date: Mon, 9 Sep 2024 15:20:59 +0200
Subject: [PATCH] nixos/gancio: use unix socket between nginx and gancio
---
 nixos/modules/services/web-apps/gancio.nix | 25 +++++++++++-----------
 nixos/tests/gancio.nix | 2 +-
 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/nixos/modules/services/web-apps/gancio.nix b/nixos/modules/services/web-apps/gancio.nix
index 893f5702518a..5f14ff46cb19 100644
--- a/nixos/modules/services/web-apps/gancio.nix
+++ b/nixos/modules/services/web-apps/gancio.nix
@@ -59,19 +59,12 @@ in
 description = "The URL path under which the server is reachable.";
 };
 server = {
- host = mkOption {
- type = types.str;
- default = "localhost";
- example = "::";
+ socket = mkOption {
+ type = types.path;
+ readOnly = true;
+ default = "/run/gancio/socket";
 description = ''
- The address (IPv4, IPv6 or DNS) for the gancio server to listen on.
- '';
- };
- port = mkOption {
- type = types.port;
- default = 13120;
- description = ''
- Port number of the gancio server to listen on.
+ The unix socket for the gancio server to listen on.
 '';
 };
 };
@@ -231,6 +224,10 @@ in
 serviceConfig = {
 ExecStart = "${getExe cfg.package} start ${configFile}";
+ # set umask so that nginx can write to the server socket
+ # FIXME: upstream socket permission configuration in Nuxt
+ UMask = "0002";
+ RuntimeDirectory = "gancio";
 StateDirectory = "gancio";
 WorkingDirectory = "/var/lib/gancio";
 LogsDirectory = "gancio";
@@ -274,12 +271,14 @@ in
 };
 "@proxy" = {
 proxyWebsockets = true;
- proxyPass = "http://${cfg.settings.server.host}:${toString cfg.settings.server.port}";
+ proxyPass = "http://unix:${cfg.settings.server.socket}";
 recommendedProxySettings = true;
 };
 };
 }
 ];
 };
+ # for nginx to access gancio socket
+ users.users."${config.services.nginx.user}".extraGroups = [ config.users.users.${cfg.user}.group ];
 };
 }
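Review bot: `server.host` and `server.port` are removed in the first hunk with no migration path visible, so a configuration that still sets them may keep evaluating and carry stale listener settings into the generated config (this depends on how `settings` is typed, which is outside the hunk). I would add `mkRemovedOptionModule` entries for both option paths to the module's `imports`, so that old settings fail at evaluation with a pointer to `server.socket`. The new description could also state who may connect, for example `The unix socket the gancio server listens on; it is group-accessible so that nginx can proxy to it.`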
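Review bot: `UMask = "0002"` in the `serviceConfig` hunk applies to the whole service rather than only to the socket, so every file gancio creates from now on is group-writable, including whatever it writes under `StateDirectory` and `LogsDirectory`. Together with the last hunk of this file, which puts the nginx user into gancio's group, a compromised or misconfigured nginx worker would get write access to that data and not just to the socket. Until the upstream fix named in the FIXME lands, I would confine the group access to the runtime directory with `RuntimeDirectoryMode = "0750";` and `StateDirectoryMode = "0700";`, assuming nginx does not serve files directly from `/var/lib/gancio` (not visible here). The `serviceConfig` block continues outside the hunk.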
diff --git a/nixos/tests/gancio.nix b/nixos/tests/gancio.nix
index 1dc5fd8b5606..8f4696d6f6cc 100644
--- a/nixos/tests/gancio.nix
+++ b/nixos/tests/gancio.nix
@@ -71,7 +71,7 @@ import ./make-test-python.nix (
 server.wait_for_unit("postgresql")
 server.wait_for_unit("gancio")
 server.wait_for_unit("nginx")
- server.wait_for_open_port(13120)
+ server.wait_for_file("/run/gancio/socket")
 server.wait_for_open_port(80)
 # Check can create user via cli
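Review bot: `server.wait_for_file("/run/gancio/socket")` only shows that the path exists; nothing in this hunk pins the permissions the module now relies on. Because the socket's mode comes from a service-wide umask, a check such as `assert server.succeed("stat -c %a /run/gancio/socket").strip() == "775"` would catch the socket becoming world-writable, or nginx losing access, after a later change. The expected mode is inferred from `UMask = "0002"` and should be confirmed on a running VM. The test script continues outside the hunk.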