From c8ba5bbabaabd2cc133ae79b8470a2bfcc763227 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Thu, 13 Mar 2025 18:53:57 +0100
Subject: [PATCH 1/2] Use systemd socket activation for Foreman
---
 src/roles/foreman/defaults/main.yaml | 1 +
 src/roles/foreman/tasks/main.yaml | 8 ++++++++
 src/roles/foreman/templates/foreman.socket.j2 | 8 ++++++++
 3 files changed, 17 insertions(+)
 create mode 100644 src/roles/foreman/templates/foreman.socket.j2
diff --git a/src/roles/foreman/defaults/main.yaml b/src/roles/foreman/defaults/main.yaml
index 2d4cc7364..02df0d1d4 100644
--- a/src/roles/foreman/defaults/main.yaml
+++ b/src/roles/foreman/defaults/main.yaml
@@ -12,6 +12,7 @@ foreman_database_ssl_ca: # noqa: no-empty-defaults
 foreman_database_ssl_ca_path: /etc/foreman/db-ca.crt
 foreman_name: "{{ ansible_facts['fqdn'] }}"
+foreman_listen_stream: localhost:3000
 foreman_url: "http://{{ ansible_facts['fqdn'] }}:3000"
 # Puma threads calculation:
diff --git a/src/roles/foreman/tasks/main.yaml b/src/roles/foreman/tasks/main.yaml
index 3ad72dd28..2a18309e4 100644
--- a/src/roles/foreman/tasks/main.yaml
+++ b/src/roles/foreman/tasks/main.yaml
@@ -100,6 +100,12 @@
 - Restart foreman
 - Restart dynflow-sidekiq@
+- name: Deploy Foreman socket
+ ansible.builtin.template:
+ src: foreman.socket.j2
+ dest: /etc/systemd/system/foreman.socket
+ mode: '0644'
+
 - name: Deploy Foreman Container
 containers.podman.podman_container:
 name: "foreman"
@@ -130,6 +136,8 @@
 FOREMAN_ENABLED_PLUGINS: "{{ foreman_plugins | join(' ') }}"
 quadlet_options:
 - |
+ [Unit]
+ Requires=foreman.socket
 [Install]
 WantedBy=default.target foreman.target
 [Unit]
diff --git a/src/roles/foreman/templates/foreman.socket.j2 b/src/roles/foreman/templates/foreman.socket.j2
new file mode 100644
index 000000000..b40cc96f4
--- /dev/null
+++ b/src/roles/foreman/templates/foreman.socket.j2
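Review bot: The `Deploy Foreman socket` template task carries no `notify:`, so a later change to the rendered `foreman.socket` (the second patch of this series turns it from a TCP listener into a unix socket) lands on disk while the running socket unit keeps its old listener until `systemctl daemon-reload` and a restart of `foreman.socket` happen — unless the role handles that elsewhere, which this hunk does not show. The handlers visible just above, `Restart foreman` and `Restart dynflow-sidekiq@`, restart services only; restarting foreman.service does not rebind the socket. I would add a handler that runs daemon-reload and restarts `foreman.socket`, and wire it to this task with `notify:`. A one-line comment on the task stating that the socket is pulled in via the container unit's `Requires=` (not enabled on its own) would also help the next reader.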
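Review bot: The added `[Unit]` header duplicates the `[Unit]` section that already follows `[Install]` in the same quadlet_options block (the remainder of that section lies outside the hunk); systemd tolerates repeated sections, but `Requires=foreman.socket` belongs in the existing one rather than in a second header placed before `[Install]`. systemd's documentation also recommends pairing `Requires=` with `After=` on the socket so the listener is bound before the container starts and the FD is actually handed over. I would replace the two added lines with `Requires=foreman.socket` and `After=foreman.socket` inside the existing `[Unit]` section.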
@@ -0,0 +1,8 @@
+[Unit]
+Description=Foreman socket
+
+[Socket]
+ListenStream={{ foreman_listen_stream }}
+
+[Install]
+WantedBy=sockets.target
From 3f3a177df091c6268b431bbe19d8d1796bd949c9 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 11 Mar 2025 20:50:58 +0100
Subject: [PATCH 2/2] Use unix socket for httpd -> Foreman communication
---
 src/roles/foreman/templates/foreman.socket.j2 | 6 ++++++
 src/roles/httpd/tasks/main.yml | 7 +++++++
 src/vars/base.yaml | 3 +++
 tests/foreman_test.py | 9 ++++-----
 4 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/src/roles/foreman/templates/foreman.socket.j2 b/src/roles/foreman/templates/foreman.socket.j2
index b40cc96f4..a2b1d2ddc 100644
--- a/src/roles/foreman/templates/foreman.socket.j2
+++ b/src/roles/foreman/templates/foreman.socket.j2
@@ -3,6 +3,12 @@ Description=Foreman socket
 [Socket]
 ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
 [Install]
 WantedBy=sockets.target
diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml
index bbc3d633d..220cd8dcc 100644
--- a/src/roles/httpd/tasks/main.yml
+++ b/src/roles/httpd/tasks/main.yml
@@ -13,6 +13,13 @@
 persistent: true
 when: ansible_facts['selinux']['status'] == "enabled"
+# TODO: probably not the right boolean
+- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
+ ansible.posix.seboolean:
+ name: daemons_enable_cluster_mode
+ state: true
+ persistent: true
+
 - name: Disable welcome page
 ansible.builtin.file:
 path: /etc/httpd/conf.d/welcome.conf
diff --git a/src/vars/base.yaml b/src/vars/base.yaml
index d39164531..40935cb7f 100644
--- a/src/vars/base.yaml
+++ b/src/vars/base.yaml
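Review bot: `SocketUser=apache` and `SocketMode=0600` only take effect for AF_UNIX listeners, while `ReusePort=true` only affects TCP ones, so the template now mixes settings for two transports and which ones apply depends on the value of `foreman_listen_stream` (the role default is still `localhost:3000`; the base vars set `/run/httpd.foreman.sock`). The tightening itself matters: systemd's default mode for a unix socket is 0666, so without this pair any local account could connect to Foreman directly and bypass httpd. I would wrap the two lines in `{% if foreman_listen_stream.startswith('/') %}` … `{% endif %}`, move `ReusePort=true` into the `{% else %}` branch, and turn the literal `apache` into a role variable since it must match the account the httpd role runs as. `NoDelay=false` is systemd's default and can be dropped.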
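Review bot: The new `ansible.posix.seboolean` task lacks the `when: ansible_facts['selinux']['status'] == "enabled"` guard that the task directly above it carries, so on a host with SELinux disabled the play fails at this step instead of skipping it. The `# TODO: probably not the right boolean` comment should be resolved before merge: `daemons_enable_cluster_mode` appears to be a policy-wide tunable on the daemon domains rather than an httpd-specific one, so it grants more than the single unix-socket connection this task is meant to allow. The way to settle it is to capture the AVC denial httpd produces when it connects to `/run/httpd.foreman.sock` and pick the boolean or a targeted module that addresses exactly that; until then, add the `when:` guard and keep the TODO so the over-broad setting stays visible.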
@@ -25,6 +25,9 @@ foreman_plugins: "{{ enabled_features | features_to_foreman_plugins }}"
 foreman_name: "{{ ansible_facts['fqdn'] }}"
 foreman_url: "https://{{ foreman_name }}"
+foreman_listen_stream: /run/httpd.foreman.sock
+httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}"
+
 httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"
diff --git a/tests/foreman_test.py b/tests/foreman_test.py
index 174dd1f66..ba9e2799f 100644
--- a/tests/foreman_test.py
+++ b/tests/foreman_test.py
@@ -3,7 +3,7 @@
 import pytest
 FOREMAN_HOST = 'localhost'
-FOREMAN_PORT = 3000
+FOREMAN_SOCKET = '/run/httpd.foreman.sock'
 RECURRING_INSTANCES = [
 "hourly",
@@ -15,7 +15,7 @@
 @pytest.fixture(scope="module")
 def foreman_status_curl(server):
- return server.run(f"curl --header 'X-FORWARDED-PROTO: https' --silent --write-out '%{{stderr}}%{{http_code}}' http://{FOREMAN_HOST}:{FOREMAN_PORT}/api/v2/ping")
+ return server.run(f"curl --header 'X-FORWARDED-PROTO: https' --silent --write-out '%{{stderr}}%{{http_code}}' --unix-socket {FOREMAN_SOCKET} http://{FOREMAN_HOST}/api/v2/ping")
 @pytest.fixture(scope="module")
@@ -28,9 +28,8 @@ def test_foreman_service(server):
 assert foreman.is_running
-def test_foreman_port(server):
- foreman = server.addr(FOREMAN_HOST)
- assert foreman.port(FOREMAN_PORT).is_reachable
+def test_foreman_socket(server):
+ assert server.socket(f"unix://{FOREMAN_SOCKET}").is_listening
 def test_foreman_status(foreman_status_curl):
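Review bot: `httpd_foreman_backend` takes the host part of the proxied URL from `%{HTTP_HOST}`, i.e. from the client's Host header, so whatever Host a client sends is forwarded to Foreman over the socket; where the variable is consumed is not in this hunk. That appears to be the usual httpd-to-Foreman layout, but it only stays safe if the vhost that proxies to this backend is bound to `foreman_name` and requests with an unknown Host fall through to a default vhost rather than into this proxy. Worth a one-line comment next to the variable, e.g. `# host part is the client's Host header; the proxying vhost must restrict it to foreman_name`.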
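Review bot: `foreman_status_curl` now connects through `/run/httpd.foreman.sock`, which the socket unit in this series creates as `apache`-owned with mode 0600, so the curl succeeds only if `server.run` executes as root or as `apache`; if the test connection is unprivileged the fixture fails with a permission error rather than a Foreman response. Running it as the httpd user, e.g. inside `with server.sudo("apache"):`, would make the test exercise the same boundary httpd relies on and still pass when the harness is root. `FOREMAN_HOST` now only supplies the Host header sent to Foreman, which deserves a comment on the constant since its name no longer describes a reachable address.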