authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-04-28 15:59:32 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-04-28 15:59:32 +0200
commita7024544dc072e4fa568e9230100e2ba38862c70 (patch)
treed26652098d1d8d331b9b49512b48193cde6ae8ca
parentpkgs/sharkey: 2025.2.2 -> 2025.2.3 (diff)
downloadnixos-server-a7024544dc072e4fa568e9230100e2ba38862c70.zip
pkgs/taskchampion-sync: Put the sync server behind a ngnix proxy
I realized that the new taskchampion-sync-server uses an HTTP API (instead of the custom protocol of taskserver). As such, we obviously want to put it behind an nginx reverse proxy.
Diffstat (limited to '')
-rw-r--r--hosts/by-name/server2/configuration.nix5
-rw-r--r--modules/by-name/ta/taskchampion-sync/module.nix43
-rw-r--r--tests/by-name/ta/taskchampion-sync/test.nix88
3 files changed, 114 insertions, 22 deletions
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index 24513f4..f7a5d2d 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -103,7 +103,10 @@
CheckActivityPubGetSigned = false;
};
};
- taskchampion-sync.enable = true;
+ taskchampion-sync = {
+ enable = true;
+ fqdn = "taskchampion.vhack.eu";
+ };
users.enable = true;
};
diff --git a/modules/by-name/ta/taskchampion-sync/module.nix b/modules/by-name/ta/taskchampion-sync/module.nix
index 1870186..a722883 100644
--- a/modules/by-name/ta/taskchampion-sync/module.nix
+++ b/modules/by-name/ta/taskchampion-sync/module.nix
@@ -8,6 +8,12 @@
in {
options.vhack.taskchampion-sync = {
enable = lib.mkEnableOption "taskchampion-sync";
+
+ fqdn = lib.mkOption {
+ description = "The fully qualified domain name of this instance.";
+ type = lib.types.str;
+ example = "task-sync.tw.online";
+ };
};
config = lib.mkIf cfg.enable {
@@ -16,19 +22,32 @@ in {
groups.taskchampion.gid = config.vhack.constants.ids.uids.taskchampion;
};
- vhack.persist.directories = [
- {
- directory = dataDirectory;
- user = "taskchampion";
- group = "taskchampion";
- mode = "0700";
- }
- ];
+ vhack = {
+ persist.directories = [
+ {
+ directory = dataDirectory;
+ user = "taskchampion";
+ group = "taskchampion";
+ mode = "0700";
+ }
+ ];
+ nginx.enable = true;
+ };
+
+ services = {
+ taskchampion-sync-server = {
+ enable = true;
+ dataDir = dataDirectory;
+ };
- services.taskchampion-sync-server = {
- enable = true;
- openFirewall = true;
- dataDir = dataDirectory;
+ nginx.virtualHosts."${cfg.fqdn}" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.taskchampion-sync-server.port}";
+ recommendedProxySettings = true;
+ };
+ enableACME = true;
+ forceSSL = true;
+ };
};
};
}
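Review bot: The new `nginx.virtualHosts."${cfg.fqdn}"` block publishes the sync API on a public hostname, and nothing in the hunk restricts which clients may use it. Upstream taskchampion-sync-server accepts any client ID unless it is started with an allow-list (`--allow-client-id`), so the endpoint is presumably open for registration by anyone who can reach the vhost, even though task data stays encrypted on the client side. If the NixOS module exposes that allow-list, set it here, or add a comment beside `locations."/"` recording that open registration is intended. It is also worth confirming that the service binds only to loopback, because `proxyPass` targets 127.0.0.1 and dropping `openFirewall` is the only thing in this hunk that keeps the plain-HTTP port off the network. The enclosing `config = lib.mkIf cfg.enable {` block opens before this hunk.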
diff --git a/tests/by-name/ta/taskchampion-sync/test.nix b/tests/by-name/ta/taskchampion-sync/test.nix
index 4dd273b..99134bc 100644
--- a/tests/by-name/ta/taskchampion-sync/test.nix
+++ b/tests/by-name/ta/taskchampion-sync/test.nix
@@ -19,35 +19,87 @@ nixos-lib.runTest {
pkgs = null;
};
- nodes = {
+ nodes = let
+ # The feature flag is only in version 3.2 and upwards. Stable is still on 3.1
+ taskwarriorPackage = pkgsUnstable.taskwarrior3.overrideAttrs (final: prev: {
+ cmakeFlags = (prev.cmakeFlags or []) ++ ["-DENABLE_TLS_NATIVE_ROOTS=true"];
+ });
+ in {
+ acme = {
+ imports = [
+ ../../../common/acme/server.nix
+ ../../../common/dns/client.nix
+ ];
+ };
+ name_server = {nodes, ...}: {
+ imports =
+ extraModules
+ ++ [
+ ../../../common/acme/client.nix
+ ../../../common/dns/server.nix
+ ];
+
+ vhack.dns.zones = {
+ "taskchampion.server" = {
+ SOA = {
+ nameServer = "ns";
+ adminEmail = "admin@server.com";
+ serial = 2025012301;
+ };
+ useOrigin = false;
+
+ A = [
+ nodes.server.networking.primaryIPAddress
+ ];
+ AAAA = [
+ nodes.server.networking.primaryIPv6Address
+ ];
+ };
+ };
+ };
+
server = {config, ...}: {
imports =
extraModules
++ [
../../../../modules
+ ../../../common/acme/client.nix
+ ../../../common/dns/client.nix
];
vhack = {
- taskchampion-sync.enable = true;
+ persist.enable = true;
+ nginx.enable = true;
+ taskchampion-sync = {
+ enable = true;
+ fqdn = "taskchampion.server";
+ };
};
};
task_client1 = {config, ...}: {
+ imports = [
+ ../../../common/acme/client.nix
+ ../../../common/dns/client.nix
+ ];
+
environment.systemPackages = [
- pkgs.taskwarrior3
+ taskwarriorPackage
];
};
task_client2 = {config, ...}: {
+ imports = [
+ ../../../common/acme/client.nix
+ ../../../common/dns/client.nix
+ ];
+
environment.systemPackages = [
- pkgs.taskwarrior3
+ taskwarriorPackage
];
};
};
testScript = {nodes, ...}: let
- cfg = nodes.server.services.taskchampion-sync-server;
- port = builtins.toString cfg.port;
-
# Generated with uuidgen
uuid = "bf01376e-04a4-435a-9263-608567531af3";
password = "nixos-test";
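Review bot: The comment above `taskwarriorPackage` says which version has the flag but not why the test needs it. Presumably `-DENABLE_TLS_NATIVE_ROOTS=true` makes taskwarrior trust the system CA store, which is where the pebble test CA is installed later in the script, and without it the `https://` sync would fail certificate validation. I would extend the comment to something like `# Needed so that task trusts the system CA store (and thus the pebble test CA); the flag only exists in 3.2+, stable is still on 3.1`. The `testScript` let-block continues outside the hunk.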
@@ -57,19 +109,33 @@ nixos-lib.runTest {
set -xe
mkdir --parents "$(dirname "${path}")"
- echo 'sync.server.origin=http://server:${port}' >> "${path}"
+ echo 'sync.server.url=https://taskchampion.server' >> "${path}"
echo 'sync.server.client_id=${uuid}' >> "${path}"
echo 'sync.encryption_secret=${password}' >> "${path}"
'';
+
+ acme_scripts = import ../../../common/acme/scripts.nix {inherit pkgs;};
in
/*
python
*/
''
+ # Start dependencies for the other services
+ acme.start()
+ acme.wait_for_unit("pebble.service")
+ name_server.start()
+ name_server.wait_for_unit("nsd.service")
+
+ # Start actual test
start_all()
+ with subtest("Add pebble ca key to all services"):
+ for node in [name_server, server, task_client1, task_client2]:
+ node.wait_for_unit("network-online.target")
+ node.succeed("${acme_scripts.add_pebble_acme_ca}")
+
server.wait_for_unit("taskchampion-sync-server.service")
- server.wait_for_open_port(${port})
+ server.wait_for_open_port(443)
with subtest("Setup task syncing"):
for task in [task_client1, task_client2]:
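Review bot: After `server.wait_for_open_port(443)` nothing asserts that the backend's plain-HTTP port is no longer reachable from the clients, which is the property this commit introduces by dropping `openFirewall`. The `port` binding was removed from the `let` in the previous hunk; I would keep it and add a negative check after the wait, such as `task_client1.fail("curl --max-time 5 http://server:${port}")`. A later change that reopens the port or widens the bind address would then fail the test instead of passing silently. The `for task in [...]` loop at the end of the hunk continues outside it.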
@@ -81,11 +147,15 @@ nixos-lib.runTest {
task_client1.succeed("task add 'First task -- task_client1'")
task_client2.succeed("task add 'First task -- task_client2'")
+ # Wait for the server to acquire the acme certificate
+ task_client1.wait_until_succeed("curl https://taskchampion.server")
+
with subtest("Can sync tasks"):
for task in [task_client1, task_client2]:
task.succeed("task sync")
task_client1.succeed("task sync")
+
with subtest("Have correct tasks"):
count1 = task_client1.succeed("task count")
count2 = task_client2.succeed("task count")
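Review bot: `task_client1.wait_until_succeed(...)` does not match the NixOS test driver's retrying helper, which is spelled `wait_until_succeeds`, so this line would likely raise an AttributeError instead of waiting for the certificate. I would change it to `task_client1.wait_until_succeeds("curl https://taskchampion.server")`. Note also that plain `curl` exits 0 on an HTTP error status, so this wait only shows that the TLS handshake against the pebble-issued certificate works, not that the proxied backend answers; the following `task sync` covers that. The "Have correct tasks" subtest continues outside the hunk.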