Compare commits

2 Commits

Author SHA1 Message Date
f2ca84ab53 traccar: fix jdbc url escaping for envsubst and xml 2026-04-12 20:47:20 -04:00
Some checks failed: Build and Deploy / deploy (push) Failing after 1m6s
c497986ed0 AGENTS.md: document postgresql-first policy 2026-04-12 20:47:20 -04:00
2 changed files with 13 additions and 1 deletions

@@ -112,6 +112,7 @@ Each service file in `services/` follows this structure:
- **Hugepages**: Services needing large pages declare their budget in `service-configs.nix` under `hugepages_2m.services`. The kernel sysctl is set automatically from the total. - **Hugepages**: Services needing large pages declare their budget in `service-configs.nix` under `hugepages_2m.services`. The kernel sysctl is set automatically from the total.
- **Domain**: Primary domain is `sigkill.computer`. Old domain `gardling.com` redirects automatically. - **Domain**: Primary domain is `sigkill.computer`. Old domain `gardling.com` redirects automatically.
- **Hardened kernel**: Uses `_hardened` kernel. Security-sensitive defaults apply. - **Hardened kernel**: Uses `_hardened` kernel. Security-sensitive defaults apply.
- **PostgreSQL as central database**: All services that support PostgreSQL MUST use it instead of embedded databases (H2, SQLite, etc.). Connect via Unix socket with peer auth when possible (JDBC services can use junixsocket). The PostgreSQL instance is declared in `services/postgresql.nix` with ZFS-backed storage. Use `ensureDatabases`/`ensureUsers` to auto-create databases and roles.
### Test Pattern ### Test Pattern
Tests use `pkgs.testers.runNixOSTest` (NixOS VM tests): Tests use `pkgs.testers.runNixOSTest` (NixOS VM tests):
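Review bot: The new PostgreSQL bullet says to connect with peer auth over the Unix socket "when possible" but gives no rule for the case where it is not possible. Suggest adding one sentence for the fallback, for example that any database password must come from a secrets file outside the Nix store. It would also help to note that peer auth matches the connecting system user name against the role name, so the service user and the role created through `ensureUsers` have to be kept in sync.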

@@ -1,4 +1,5 @@
{ {
pkgs,
service_configs, service_configs,
lib, lib,
... ...
@@ -38,13 +39,23 @@
services.traccar = { services.traccar = {
enable = true; enable = true;
# The JDBC URL contains '$' (Java inner class) and '&' (query param
# separator) which break the NixOS module's XML generator + envsubst.
# Route it through environmentFile so envsubst replaces $TRACCAR_DB_URL
# with the literal value, and use & for valid XML (the XML parser
# decodes it back to & for JDBC).
environmentFile = pkgs.writeText "traccar-db-env" ''
TRACCAR_DB_URL=jdbc:postgresql:///traccar?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=${service_configs.postgres.socket}/.s.PGSQL.5432
'';
settings = { settings = {
web.port = toString service_configs.ports.private.traccar_web.port; web.port = toString service_configs.ports.private.traccar_web.port;
# PostgreSQL via Unix socket (peer auth, junixsocket is bundled) # PostgreSQL via Unix socket (peer auth, junixsocket is bundled)
database = { database = {
driver = "org.postgresql.Driver"; driver = "org.postgresql.Driver";
url = "jdbc:postgresql:///traccar?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=${service_configs.postgres.socket}/.s.PGSQL.5432"; url = "$TRACCAR_DB_URL";
user = "traccar"; user = "traccar";
password = ""; password = "";
}; };
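Review bot: The `environmentFile` is built with `pkgs.writeText`, so it lands in the Nix store and is readable by every local user. That is acceptable for this URL because it carries no credential and `password` is empty, but the comment above it should say so, since this file is the obvious place someone would later add a database password. Two smaller points in the same lines: the port `5432` is hard-coded in the socket file name while the directory comes from `service_configs.postgres.socket`, so a port change would break the URL without any evaluation error. The commit list also shows the deploy check failing for this commit, so a `runNixOSTest` that starts Traccar against the socket would confirm that the `$` and `&` in the URL survive envsubst and XML parsing as the comment describes.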