diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index c620e2fb00fe3b24fc1f6b3c5defc12cddc30aa1..7b7892cdfdbfafd97af9f9b01cced93a50970a20 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -121,7 +121,7 @@ in
 # access to any data. It does grant access to storage capabilities
 # but with our plugin configuration you still need ZKAPs to use
 # those...
- "web.port" = "tcp:3456:interface=127.0.0.1";
+ "web.port" = "systemd:domain=INET:index=0";
 # We have to tell Tahoe-LAFS where to listen for Foolscap
 # connections for the storage protocol. We have to tell it twice.
 # First, in the syntax which it uses to listen.
diff --git a/nixos/modules/tahoe.nix b/nixos/modules/tahoe.nix
index e4a83006e129e80a59ca9f8262acf74760b4fc98..3c0691f72d319fbf173bc68207d2203b47497f23 100644
--- a/nixos/modules/tahoe.nix
+++ b/nixos/modules/tahoe.nix
@@ -182,6 +182,18 @@ in
 # Open up the firewall.
 # networking.firewall.allowedTCPPorts = flip mapAttrsToList cfg.nodes
 # (node: settings: settings.tub.port);
+
+ # Make systemd open a port for us:
+ # Systemd uses the socket name to link to the corresponding Service Unit.
+ systemd.sockets."tahoe.storage" = {
+ description = "Tahoe Web Server Socket";
+ wantedBy = [ "sockets.target" ];
+ before = [ "multi-user.target" ];
+ socketConfig = {
+ ListenStream = "127.0.0.1:3456";
+ };
+ };
+
 systemd.services = flip mapAttrs' cfg.nodes (node: settings:
 let
 pidfile = "/run/tahoe.${lib.escapeShellArg node}.pid";
@@ -204,6 +216,8 @@ in
 ExecStart = ''
 ${settings.package}/bin/tahoe --eliot-destination ${eliotLog} run ${nodedir} -n -l- --pidfile=${pidfile}
 '';
+ # Twisted wants non-blocking sockets:
+ NonBlocking = true;
 # The rlimit on number of open files controls how many
 # connections a particular storage server can accept (factoring
 # in the number of non-connection files the server needs open -
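Review bot: In the private-storage.nix hunk, the new `"web.port"` value no longer shows which address the web API is bound to; the loopback restriction now lives only in `ListenStream` of the socket unit added in tahoe.nix. The comment just above says this endpoint grants access to storage capabilities, so the exposure should stay readable from this file. I would add a comment above the setting such as `# Listening socket is inherited from systemd.sockets."tahoe.storage" (127.0.0.1:3456); index=0 is the first passed descriptor.` The enclosing attribute set starts and ends outside the hunk.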
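Review bot: In the first tahoe.nix hunk, the socket unit is declared once with a fixed name and port, while the services directly below are generated per entry of `cfg.nodes`. Only a service named `tahoe.storage` would be matched by name; the service naming is outside the hunk, so this needs confirming. A node with a different name that uses a `systemd:` web port would receive no descriptor, and a node still configured with a `tcp:3456` endpoint would presumably fail to bind because systemd already holds the port. `ListenStream = "127.0.0.1:3456";` is now the only thing keeping the web API off other interfaces, and a bare port number there would listen on all of them. I would put `# Loopback only: the web API must not be reachable from other hosts.` above that line.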
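Review bot: In the second tahoe.nix hunk, `NonBlocking = true;` is set on every generated node service, but it only affects descriptors passed by socket activation, and nothing visible here ties the service to the socket unit beyond the shared name. If the service is started while the socket unit is inactive, no descriptor is passed and the `systemd:domain=INET:index=0` endpoint has nothing to adopt. It may be worth adding `requires = [ "tahoe.storage.socket" ];` to that node's service; the service attribute set begins outside the hunk, so this may already be handled. The comment would be more precise as `# Set O_NONBLOCK on descriptors inherited via socket activation; Twisted requires it.`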