Using Unix Domain Sockets with a reverse-proxy
It is possible to configure Teslamate to communicate over Unix domain sockets (UDS) instead of a typical network socket. This can be useful to improve security by restricting which applications can communicate with the application. A typical configuration would be to use a UDS between a reverse-proxy (like Nginx) and Teslamate. When paired with something like rootless Podman and socket activation, Nginx can be run with --network=none, providing external access to Teslamate without the Nginx container having any networking at all. Setting up socket activation and Podman is beyond the scope of this document, but it explains how to configure a UDS between Teslamate and an Nginx reverse-proxy.
Requirements
- Linux system configured with Teslamate installed and working
- These instructions will document the procedure for using a UDS with docker-compose, but it is not difficult to adapt them to a system running Teslamate natively via systemd.
- Nginx configured as a reverse proxy
Instructions
Nginx requires that the UDS exist when it is started, but Teslamate will (re)create the UDS on startup. This means that Teslamate must be configured to start before Nginx, or Nginx must be configured to detect a socket change and reload (for example the socket-gen utility designed for this purpose). Additionally, because docker-compose does not provide a method to run host-commands prior to starting a container, the directory containing the UDS must be manually created before Teslamate starts. It is easiest to manually create this directory on a persistent volume.
- Create a directory for the UDS:

  ```bash
  mkdir -p /opt/nginx_uds/teslamate
  ```

- Allow Nginx to access the directory:

  ```bash
  chown <nginx user> /opt/nginx_uds/teslamate
  ```

- Allow Teslamate to create the UDS:

  ```bash
  chgrp 10001 /opt/nginx_uds/teslamate
  chmod 770 /opt/nginx_uds/teslamate
  ```

An alternative to using owner/group access would be to use ACLs to control access to the UDS directory.
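Next, configure Teslamate to use the UDS. Modify the teslamate service in docker-compose.yml to include:

```yml
    volumes:
      # ... (existing volumes)
      - /opt/nginx_uds/teslamate:/uds
    environment:
      # ... (existing variables)
      # Bind to a socket file inside the mounted directory instead of a TCP port
      - HTTP_BINDING_ADDRESS=/uds/teslamate.sock
      # Mode of the socket file; the 770 directory created above still limits who can reach it
      - SOCKET_PERM=666
    # The published TCP port is commented out
    # ports:
    #   - 4000:4000
```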
Lastly, configure the Nginx reverse-proxy to forward connections to the UDS. The relevant configuration would look something like:
```nginx
# Upstream reached through the host path of the socket created by Teslamate
upstream teslamate.uds {
    server unix:/opt/nginx_uds/teslamate/teslamate.sock;
}

server {
    server_name teslamate;
    http2 on;
    listen 80;

    location / {
        proxy_pass http://teslamate.uds;
        set $upstream_keepalive false;
    }
}
```
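The start-order and permission requirements from the Instructions section can be checked before Nginx is launched. The script below is an added example, not part of the Teslamate project; the function names are hypothetical, while the directory, GID 10001 and socket name are the ones used on this page.

```shell
#!/bin/sh
# Added example: pre-start gate for Nginx in the UDS setup described above.
# Function names are hypothetical; path, GID and socket name come from this page.

# audit_uds_dir DIR GID
# SOCKET_PERM=666 leaves the socket itself world-writable, so the directory
# is the access control: "other" must have no bits and the group must be GID.
audit_uds_dir() {
    a_dir=$1
    a_gid=$2
    [ -d "$a_dir" ] || { echo "missing directory: $a_dir" >&2; return 1; }
    # stat -c (GNU coreutils/busybox): %a = octal mode, %g = numeric group id
    a_mode=$(stat -c '%a' "$a_dir") || return 1
    a_have=$(stat -c '%g' "$a_dir") || return 1
    case $a_mode in
        *0) ;;
        *) echo "$a_dir: mode $a_mode grants access to other users" >&2; return 1 ;;
    esac
    [ "$a_have" = "$a_gid" ] || {
        echo "$a_dir: group is $a_have, expected $a_gid" >&2; return 1; }
    return 0
}

# wait_for_socket PATH [SECONDS]
# Poll until PATH exists and is a socket (-S), not just any file.
wait_for_socket() {
    w_sock=$1
    w_left=${2:-30}
    while [ "$w_left" -gt 0 ]; do
        [ -S "$w_sock" ] && return 0
        w_left=$((w_left - 1))
        sleep 1
    done
    echo "no socket at $w_sock" >&2
    return 1
}

# nginx_prestart [DIR] [GID] [SECONDS]: run both checks with this page's defaults.
nginx_prestart() {
    n_dir=${1:-/opt/nginx_uds/teslamate}
    audit_uds_dir "$n_dir" "${2:-10001}" &&
        wait_for_socket "$n_dir/teslamate.sock" "${3:-30}"
}

# Typical use in the Nginx start script:
#   nginx_prestart && exec nginx -g 'daemon off;'
```

A leftover regular file at the socket path fails the `-S` test, so a stale placeholder is not mistaken for a live Teslamate socket.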