diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index 9b3068796d8e..5061666f57ce 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -1291,7 +1291,10 @@ in {
 SystemCallArchitectures = "native";
 # Upstream grafana is not setting SystemCallFilter for compatibility
 # reasons, see https://github.com/grafana/grafana/pull/40176
- SystemCallFilter = [ "@system-service" "~@privileged" ];
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ];
 UMask = "0027";
 };
 preStart = ''
diff --git a/nixos/tests/grafana/basic.nix b/nixos/tests/grafana/basic.nix
index f6566d449709..8bf4caad7fbf 100644
--- a/nixos/tests/grafana/basic.nix
+++ b/nixos/tests/grafana/basic.nix
@@ -25,6 +25,22 @@ let
 extraNodeConfs = {
 sqlite = {};
+ socket = { config, ... }: {
+ services.grafana.settings.server = {
+ protocol = "socket";
+ socket = "/run/grafana/sock";
+ socket_gid = config.users.groups.nginx.gid;
+ };
+
+ users.users.grafana.extraGroups = [ "nginx" ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts."_".locations."/".proxyPass = "http://unix:/run/grafana/sock";
+ };
+ };
+
 declarativePlugins = {
 services.grafana.declarativePlugins = [ pkgs.grafanaPlugins.grafana-clock-panel ];
 };
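Review bot: `lib.optional` is handed a list on the new `SystemCallFilter` line, so what gets appended is `[ [ "@chown" ] ]` rather than `[ "@chown" ]`; `lib.optional` wraps a single value, while `lib.optionals` takes a list. Whether the nested list is flattened when the unit is rendered depends on the systemd module, which this hunk does not show, and a sandbox setting should not rest on that: `] ++ lib.optionals (cfg.settings.server.protocol == "socket") [ "@chown" ];`. Because the entry re-allows a syscall group that `~@privileged` removes just before it, a comment above the list such as `# socket mode: Grafana chowns its unix socket to socket_gid, so @chown is allowed again` would record why the filter is widened. The enclosing serviceConfig set starts outside the hunk.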
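Review bot: The `socket` node adds the `grafana` user to the `nginx` group without a comment, and a test node like this tends to be copied as a reference setup. Presumably the membership is what lets Grafana hand the socket to `socket_gid` without CAP_CHOWN, but on a real host it would also give the Grafana process group access to anything else readable by `nginx`. A line above `users.users.grafana.extraGroups` such as `# grafana must belong to the target group to chgrp its socket to it` would make that trade-off visible. The literal `"nginx"` could be `config.services.nginx.group`, so the test follows the module's group option.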
@@ -92,6 +108,17 @@ in {
 )
 sqlite.shutdown()
+ with subtest("Successful API query as admin user with sqlite db listening on socket"):
+ socket.wait_for_unit("grafana.service")
+ socket.wait_for_open_port(80)
+ print(socket.succeed(
+ "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1/api/org/users -i"
+ ))
+ socket.succeed(
+ "curl -sSfN -u testadmin:snakeoilpwd http://127.0.0.1/api/org/users | grep admin\@localhost"
+ )
+ socket.shutdown()
+
 with subtest("Successful API query as admin user with postgresql db"):
 postgresql.wait_for_unit("grafana.service")
 postgresql.wait_for_unit("postgresql.service")
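Review bot: The new subtest only checks that a request through nginx succeeds, so it never asserts the property the `@chown` change exists for, namely that the socket ends up owned by the `nginx` group. If the socket were created with a more permissive mode, the curl calls would presumably still pass without the chown having worked. A direct check before the curl calls, for example `socket.succeed("stat -c %G /run/grafana/sock | grep -x nginx")`, would pin the ownership and make a seccomp-related failure easier to diagnose than a proxy error. Asserting the socket mode the same way would also catch an accidentally world-accessible socket.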