From ace8ac1495b6b705a950bf422dc73063262a78ab Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Wed, 14 Sep 2022 13:48:19 +0000
Subject: [PATCH] Make systemd provide a socket to the tahoe web service

refs #122
---
 nixos/modules/private-storage.nix |  2 +-
 nixos/modules/tahoe.nix           | 25 ++++++++++++++-----------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index c620e2fb..7b7892cd 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -121,7 +121,7 @@ in
           # access to any data.  It does grant access to storage capabilities
           # but with our plugin configuration you still need ZKAPs to use
           # those...
-          "web.port" = "tcp:3456:interface=127.0.0.1";
+          "web.port" = "systemd:domain=INET:index=0";
           # We have to tell Tahoe-LAFS where to listen for Foolscap
           # connections for the storage protocol.  We have to tell it twice.
           # First, in the syntax which it uses to listen.
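Review bot: The new `web.port` value no longer says where the web API listens; the loopback-only exposure that the comment above relies on ("does grant access to storage capabilities") is now enforced solely by the `ListenStream` of the socket unit in nixos/modules/tahoe.nix, which a reader of this file cannot see. A cross-reference would keep the two from drifting apart: `# Bind address (127.0.0.1:3456) comes from the systemd socket unit in tahoe.nix; keep it loopback-only, see the note above.` Note also that `index=0` hands Twisted the first passed file descriptor, so the service must receive exactly one socket; if a second socket unit is ever attached to the same service the web server may end up on the wrong listener (inferred from the endpoint syntax, not visible here). The enclosing attribute set starts and ends outside this hunk.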
diff --git a/nixos/modules/tahoe.nix b/nixos/modules/tahoe.nix
index 17641c47..e1153ec8 100644
--- a/nixos/modules/tahoe.nix
+++ b/nixos/modules/tahoe.nix
@@ -116,15 +116,6 @@ in
         # networking.firewall.allowedTCPPorts = flip mapAttrsToList cfg.introducers
         #   (node: settings: settings.tub.port);
 
-        # Make systemd open a port for us:
-        systemd.sockets.tahoe-web = {
-          description = "Tahoe Web Server Socket";
-          wantedBy = [ "sockets.target" ];
-          before = [ "multi-user.target" ];
-          socketConfig.Accept = true;
-          socketConfig.ListenStream = settings.tub.port;
-        };
-
         systemd.services = flip mapAttrs' cfg.introducers (node: settings:
           let
             pidfile = "/run/tahoe.introducer-${node}.pid";
@@ -140,8 +131,6 @@ in
             serviceConfig = {
               Type = "simple";
               PIDFile = pidfile;
-              Twisted wants non-blocking sockets:
-              NonBlocking = true;
               # Believe it or not, Tahoe is very brittle about the order of
               # arguments to $(tahoe run). The node directory must come first,
               # and arguments which alter Twisted's behavior come afterwards.
@@ -194,6 +183,18 @@ in
         # Open up the firewall.
         # networking.firewall.allowedTCPPorts = flip mapAttrsToList cfg.nodes
         #   (node: settings: settings.tub.port);
+
+        # Make systemd open a port for us:
+        # Systemd uses the socket name to link to the corresponding Service Unit.
+        systemd.sockets."tahoe.storage" = {
+          description = "Tahoe Web Server Socket";
+          wantedBy = [ "sockets.target" ];
+          before = [ "multi-user.target" ];
+          socketConfig = {
+            ListenStream = "127.0.0.1:3456";
+          };
+        };
+
         systemd.services = flip mapAttrs' cfg.nodes (node: settings:
           let
             pidfile = "/run/tahoe.${lib.escapeShellArg node}.pid";
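Review bot: The socket unit hard-codes both its name (`"tahoe.storage"`) and the address `"127.0.0.1:3456"`, while the services it is meant to activate are generated per entry of `cfg.nodes` on the line just below; by the comment added here, only a node whose service unit is named `tahoe.storage` (presumably the node `storage`, judging by the `/run/tahoe.${node}.pid` pattern) will receive the socket, and any other node would silently get no web socket while its `web.port` still says `systemd:`. Consider generating `systemd.sockets` with the same `mapAttrs'` over `cfg.nodes` and taking the port from the node's settings rather than a literal, or at least asserting that the node exists. The bind address is now the only thing keeping the web API off non-loopback interfaces and deserves a comment next to it: `# Loopback only: the web API hands out storage capabilities, so it must not be reachable from the network.` Dropping the old `Accept = true` is correct for a Twisted `systemd:` endpoint (it expects a listening socket, not per-connection instances), so that part of the move looks right. The enclosing module body starts and ends outside this hunk.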
@@ -216,6 +217,8 @@ in
               ExecStart = ''
                 ${settings.package}/bin/tahoe --eliot-destination ${eliotLog} run ${nodedir} -n -l- --pidfile=${pidfile}
               '';
+              # Twisted wants non-blocking sockets:
+              NonBlocking = true;
               # The rlimit on number of open files controls how many
               # connections a particular storage server can accept (factoring
               # in the number of non-connection files the server needs open -
-- 
GitLab