diff --git a/nixos/modules/services/web-apps/gancio.nix b/nixos/modules/services/web-apps/gancio.nix index 0a2db3bce5f8..fa55db762c46 100644 --- a/nixos/modules/services/web-apps/gancio.nix +++ b/nixos/modules/services/web-apps/gancio.nix @@ -54,24 +54,20 @@ in }; baseurl = mkOption { type = types.str; - default = ""; - example = "/gancio"; - description = "The URL path under which the server is reachable."; + default = "http${ + lib.optionalString config.services.nginx.virtualHosts."${cfg.settings.hostname}".enableACME "s" + }://${cfg.settings.hostname}"; + defaultText = lib.literalExpression ''"https://''${cfg.settings.hostname}"''; + example = "https://demo.gancio.org/gancio"; + description = "The full URL under which the server is reachable."; }; server = { - host = mkOption { - type = types.str; - default = "localhost"; - example = "::"; + socket = mkOption { + type = types.path; + readOnly = true; + default = "/run/gancio/socket"; description = '' - The address (IPv4, IPv6 or DNS) for the gancio server to listen on. - ''; - }; - port = mkOption { - type = types.port; - default = 13120; - description = '' - Port number of the gancio server to listen on. + The unix socket for the gancio server to listen on. ''; }; }; @@ -157,11 +153,18 @@ in }; nginx = mkOption { - type = types.submodule (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }); + type = types.submodule ( + lib.recursiveUpdate (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) { + # enable encryption by default, + # as sensitive login credentials should not be transmitted in clear text. + options.forceSSL.default = true; + options.enableACME.default = true; + } + ); default = { }; example = { - enableACME = true; - forceSSL = true; + enableACME = false; + forceSSL = false; }; description = "Extra configuration for the nginx virtual host of gancio."; }; @@ -224,6 +227,10 @@ in serviceConfig = { ExecStart = "${getExe cfg.package} start ${configFile}"; + # set umask so that nginx can write to the server socket + # FIXME: upstream socket permission configuration in Nuxt + UMask = "0002"; + RuntimeDirectory = "gancio"; StateDirectory = "gancio"; WorkingDirectory = "/var/lib/gancio"; LogsDirectory = "gancio"; @@ -260,8 +267,6 @@ in virtualHosts."${cfg.settings.hostname}" = mkMerge [ cfg.nginx { - enableACME = mkDefault true; - forceSSL = mkDefault true; locations = { "/" = { index = "index.html"; @@ -269,12 +274,14 @@ in }; "@proxy" = { proxyWebsockets = true; - proxyPass = "http://${cfg.settings.server.host}:${toString cfg.settings.server.port}"; + proxyPass = "http://unix:${cfg.settings.server.socket}"; recommendedProxySettings = true; }; }; } ]; }; + # for nginx to access gancio socket + users.users."${config.services.nginx.user}".extraGroups = [ config.users.users.${cfg.user}.group ]; }; } diff --git a/nixos/tests/gancio.nix b/nixos/tests/gancio.nix index 1dc5fd8b5606..8f4696d6f6cc 100644 --- a/nixos/tests/gancio.nix +++ b/nixos/tests/gancio.nix @@ -71,7 +71,7 @@ import ./make-test-python.nix ( server.wait_for_unit("postgresql") server.wait_for_unit("gancio") server.wait_for_unit("nginx") - server.wait_for_open_port(13120) + server.wait_for_file("/run/gancio/socket") server.wait_for_open_port(80) # Check can create user via cli