Gancio service fixes (#340782)

nixos/modules/services/web-apps/gancio.nix

@@ -54,24 +54,20 @@ in
           };
           baseurl = mkOption {
             type = types.str;
-            default = "";
+            default = "http${
-            example = "/gancio";
+              lib.optionalString config.services.nginx.virtualHosts."${cfg.settings.hostname}".enableACME "s"
-            description = "The URL path under which the server is reachable.";
+            }://${cfg.settings.hostname}";
+            defaultText = lib.literalExpression ''"https://''${cfg.settings.hostname}"'';
+            example = "https://demo.gancio.org/gancio";
+            description = "The full URL under which the server is reachable.";
           };
           server = {
-            host = mkOption {
+            socket = mkOption {
-              type = types.str;
+              type = types.path;
-              default = "localhost";
+              readOnly = true;
-              example = "::";
+              default = "/run/gancio/socket";
               description = ''
-                The address (IPv4, IPv6 or DNS) for the gancio server to listen on.
+                The unix socket for the gancio server to listen on.
-              '';
-            };
-            port = mkOption {
-              type = types.port;
-              default = 13120;
-              description = ''
-                Port number of the gancio server to listen on.
               '';
             };
           };
@@ -157,11 +153,18 @@ in
     };
 
     nginx = mkOption {
-      type = types.submodule (import ../web-servers/nginx/vhost-options.nix { inherit config lib; });
+      type = types.submodule (
+        lib.recursiveUpdate (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {
+          # enable encryption by default,
+          # as sensitive login credentials should not be transmitted in clear text.
+          options.forceSSL.default = true;
+          options.enableACME.default = true;
+        }
+      );
       default = { };
       example = {
-        enableACME = true;
+        enableACME = false;
-        forceSSL = true;
+        forceSSL = false;
       };
       description = "Extra configuration for the nginx virtual host of gancio.";
     };
@@ -224,6 +227,10 @@ in
 
         serviceConfig = {
           ExecStart = "${getExe cfg.package} start ${configFile}";
+          # set umask so that nginx can write to the server socket
+          # FIXME: upstream socket permission configuration in Nuxt
+          UMask = "0002";
+          RuntimeDirectory = "gancio";
           StateDirectory = "gancio";
           WorkingDirectory = "/var/lib/gancio";
           LogsDirectory = "gancio";
@@ -260,8 +267,6 @@ in
       virtualHosts."${cfg.settings.hostname}" = mkMerge [
         cfg.nginx
         {
-          enableACME = mkDefault true;
-          forceSSL = mkDefault true;
           locations = {
             "/" = {
               index = "index.html";
@@ -269,12 +274,14 @@ in
             };
             "@proxy" = {
               proxyWebsockets = true;
-              proxyPass = "http://${cfg.settings.server.host}:${toString cfg.settings.server.port}";
+              proxyPass = "http://unix:${cfg.settings.server.socket}";
               recommendedProxySettings = true;
             };
           };
         }
       ];
     };
+    # for nginx to access gancio socket
+    users.users."${config.services.nginx.user}".extraGroups = [ config.users.users.${cfg.user}.group ];
   };
 }

nixos/tests/gancio.nix

@@ -71,7 +71,7 @@ import ./make-test-python.nix (
       server.wait_for_unit("postgresql")
       server.wait_for_unit("gancio")
       server.wait_for_unit("nginx")
-      server.wait_for_open_port(13120)
+      server.wait_for_file("/run/gancio/socket")
       server.wait_for_open_port(80)
 
       # Check can create user via cli