about summary refs log tree commit diff stats
diff options
authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-03-09 00:09:08 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-03-09 13:44:45 +0100
commit741c8cc7d626e4ec5c6210fc1ddc52f5605ec9c0 (patch)
parentpkgs/back/assets/style.css: Format with prettier (diff)
{modules,tests}/back: Update to deal with newest back
Diffstat (limited to '')
2 files changed, 177 insertions, 122 deletions
diff --git a/modules/by-name/ba/back/module.nix b/modules/by-name/ba/back/module.nix
index 520acdb..d47ffce 100644
--- a/modules/by-name/ba/back/module.nix
+++ b/modules/by-name/ba/back/module.nix
@@ -6,116 +6,87 @@
 }: let
   cfg = config.vhack.back;
+in {
+  options.vhack.back = {
+    enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
-  mkConfigFile = repoPath: domain:
-    (pkgs.formats.json {}).generate "config.json"
-    {
-      inherit (cfg) source_code_repository_url;
-      repository_path = repoPath;
-      root_url = "https://${domain}";
-    };
-  mkUnit = repoPath: port: domain: {
-    description = "Back service for ${repoPath}";
-    wants = ["network-online.target"];
-    after = ["network-online.target"];
-    wantedBy = ["default.target"];
-    environment = {
-      ROCKET_PORT = builtins.toString port;
+    domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The domain to host this `back` instance on.";
-    serviceConfig = {
-      ExecStart = "${lib.getExe vhackPackages.back} ${mkConfigFile repoPath domain}";
+    settings = {
+      scan_path = lib.mkOption {
+        type = lib.types.path;
+        description = "The path to the directory under which all the repositories reside";
+      };
+      project_list = lib.mkOption {
+        type = lib.types.path;
+        description = "The path to the `projects.list` file.";
+      };
-      # Ensure that the service can read the repository
-      # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
-      # repositories are readable for the git group. This should not be necessary. <2024-12-23>
-      User = "git";
-      Group = "git";
+      source_code_repository_url = lib.mkOption {
+        description = "The url to the source code of this instance of back";
+        default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
+        type = lib.types.str;
+      };
-      DynamicUser = true;
-      Restart = "always";
-      # Sandboxing
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
-      RestrictNamespaces = true;
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RemoveIPC = true;
-      PrivateMounts = true;
-      # System Call Filtering
-      SystemCallArchitectures = "native";
-      SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
+      root_url = lib.mkOption {
+        type = lib.types.str;
+        description = "The url to this instance of back.";
+        default = "https://${cfg.domain}";
+      };
-  mkVirtalHost = port: {
-    locations."/".proxyPass = "${builtins.toString port}";
+  config = lib.mkIf cfg.enable {
+    systemd.services."back" = {
+      description = "Back issue tracking system.";
+      requires = ["network-online.target"];
+      after = ["network-online.target"];
+      wantedBy = ["default.target"];
-    enableACME = true;
-    forceSSL = true;
-  };
+      serviceConfig = {
+        ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
-  services =
-    lib.mapAttrs' (gitPath: config: {
-      name = builtins.replaceStrings ["/"] ["_"] "back-${config.domain}";
-      value = mkUnit gitPath config.port config.domain;
-    })
-    cfg.repositories;
+        # Ensure that the service can read the repository
+        # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
+        # repositories are readable for the git group. This should not be necessary. <2024-12-23>
+        User = "git";
+        Group = "git";
-  virtualHosts =
-    lib.mapAttrs' (gitPath: config: {
-      name = config.domain;
-      value = mkVirtalHost config.port;
-    })
-    cfg.repositories;
-in {
-  options.vhack.back = {
-    enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
+        DynamicUser = true;
+        Restart = "always";
-    source_code_repository_url = lib.mkOption {
-      description = "The url to the source code of this instance of back";
-      default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
-      type = lib.types.str;
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
+      };
+    services.nginx.virtualHosts."${cfg.domain}" = {
+      locations."/".proxyPass = "";
-    repositories = lib.mkOption {
-      description = "An attibute set of repos to launch `back` services for.";
-      type = lib.types.attrsOf (lib.types.submodule {
-        options = {
-          enable = (lib.mkEnableOption "`back` for this repository.") // {default = true;};
-          domain = lib.mkOption {
-            type = lib.types.str;
-            description = "The domain to host this `back` instance on.";
-          };
-          port = lib.mkOption {
-            type = lib.types.port;
-            # TODO: This _should_ be an implementation detail, but I've no real approach to
-            # automatically generate them without encountering weird bugs. <2024-12-23>
-            description = "The port to use for this back instance. This must be unique.";
-          };
-        };
-      });
-      default = {};
+      enableACME = true;
+      forceSSL = true;
-  config = lib.mkIf cfg.enable {
-    systemd = {inherit services;};
-    services.nginx = {inherit virtualHosts;};
-  };
diff --git a/tests/by-name/ba/back/test.nix b/tests/by-name/ba/back/test.nix
index 63f2837..85cb611 100644
--- a/tests/by-name/ba/back/test.nix
+++ b/tests/by-name/ba/back/test.nix
@@ -8,9 +8,19 @@
 }: let
-  gitRepoPath = "/srv/test/repo";
   domain = "server";
+  sshKeys =
+    import ../../gi/git-server/ssh_keys.nix {inherit pkgs;};
+  gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" ''
+    repo CREATOR/[a-zA-Z0-9].*
+      C     = @all
+      RW+   = CREATOR
+      RW    = WRITERS
+      R     = READERS
+      option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage
+  '';
   nixos-lib.runTest {
     hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
@@ -26,7 +36,7 @@ in
     nodes = {
       server = {config, ...}: {
-        environment.systemPackages = [pkgs.git pkgs.git-bug pkgs.gawk];
+        environment.systemPackages = [pkgs.git];
         imports =
@@ -35,28 +45,46 @@ in
         vhack = {
+          persist.enable = true;
+          openssh.enable = true;
           nginx = {
             enable = true;
             selfsign = true;
           git-server = {
             enable = true;
+            domain = "git.${domain}";
+            gitolite.adminPubkey = sshKeys.admin.pub;
           back = {
             enable = true;
-            repositories = {
-              "${gitRepoPath}" = {
-                enable = true;
-                domain = "${domain}";
-                port = 9220;
-              };
+            domain = "issues.${domain}";
+            settings = {
+              scan_path = "${config.services.gitolite.dataDir}/repositories";
+              project_list = "${config.services.gitolite.dataDir}/projects.list";
-      client = {...}: {
-        environment.systemPackages = [pkgs.curl];
+      client = {nodes, ...}: {
+        environment.systemPackages = [pkgs.git pkgs.curl pkgs.git-bug pkgs.gawk];
+        programs.ssh.extraConfig = ''
+          Host *
+            UserKnownHostsFile /dev/null
+            StrictHostKeyChecking no
+            # there's nobody around that can input password
+            PreferredAuthentications publickey
+        '';
+        users.users.alice = {isNormalUser = true;};
+        networking.hosts = {
+          "${nodes.server.networking.primaryIPAddress}" = [
+            "git.${domain}"
+            "issues.${domain}"
+            "${domain}"
+          ];
+        };
@@ -67,16 +95,64 @@ in
-      with subtest("can setup git-bug issues on server"):
-        server.succeed("${pkgs.writeShellScript "setup-git-repo" ''
-        set -ex
+      with subtest("can setup ssh keys on client"):
+        client.succeed(
+            "mkdir -p ~root/.ssh",
+            "cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519",
+            "chmod 600 ~root/.ssh/id_ed25519",
+        )
+        client.succeed(
+            "sudo -u alice mkdir -p ~alice/.ssh",
+            "sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519",
+            "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519",
+        )
+      with subtest("gitolite server starts"):
+        server.wait_for_unit("gitolite-init.service")
+        server.wait_for_unit("sshd.service")
+        client.succeed("ssh -n git@git.${domain} info")
+      with subtest("admin can clone and configure gitolite-admin.git"):
+        client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" ''
+        set -xe
+        git clone git@git.${domain}:gitolite-admin.git
+        git config --global user.name 'System Administrator'
+        git config --global user.email root\@domain.example
+        cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub
-        mkdir --parents "${gitRepoPath}"
-        cd "${gitRepoPath}"
+        (cd gitolite-admin && git switch -c master && git branch -D main)
-        git init
+        (cd gitolite-admin && git add . && git commit -m 'Add keys for alice' && git push -u origin master)
+        cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf
+        (cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push)
+        (cd gitolite-admin && git push -d origin main)
+      ''}")
+      with subtest("alice can create a repo"):
+        client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" ''
+        set -xe
-        git bug user create --avatar "" --email "test@email.org" --name "test user" --non-interactive
+        mkdir --parents ./alice/repo1 && cd alice/repo1;
+        git init --initial-branch main
+        echo "# Alice's Repo" > README.md
+        git add README.md
+        git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme'
+        git remote add origin git@git.${domain}:alice/repo1.git
+        git push --set-upstream origin main
+      ''}")
+      with subtest("can setup git-bug issues in alice/repo1"):
+        client.succeed("sudo -u alice ${pkgs.writeShellScript "setup-git-repo" ''
+        set -ex
+        cd alice/repo1
+        git bug user create --avatar "" --email "alice@server.org" --name "alice" --non-interactive
         git bug add \
         --title "Some bug title" \
@@ -98,24 +174,32 @@ in
         git bug comment add --message "Some comment message" --non-interactive
         git bug comment add --message "Second comment message" --non-interactive
-        # NOTE(@bpeetz): Currently, the `back` module assumes that the git user can write
-        # to the repository, as such we need to provide write access here <2024-12-24>
-        chown --recursive git:git "${gitRepoPath}"
+        # TODO: This should use `git bug push`, but their ssh implementation is just
+        # too special to work in a VM test <2025-03-08>
+        git push origin +refs/bugs/*
+        git push origin +refs/identities/*
+        ssh git@${domain} -- config alice/repo1 --add cgit.owner Alice
+        ssh git@${domain} -- perms alice/repo1 + READERS @all
       with subtest("back server starts"):
-        server.wait_for_unit("${builtins.replaceStrings ["/"] ["_"] "back-${domain}.service"}")
+        server.wait_for_unit("back.service")
       with subtest("client can access the server"):
         client.succeed("${pkgs.writeShellScript "curl-back" ''
         set -xe
-        curl --insecure --silent --fail --show-error "https://${domain}/issues/open" --output /root/issues.html
-        grep -- '- 2 comments' /root/issues.html
+        curl --insecure --fail --show-error "https://issues.${domain}/alice/repo1.git/issues/open" --output /root/issues.html
         grep -- 'Second bug title' /root/issues.html
-      ''}")
+        curl --insecure --fail --show-error "https://issues.${domain}/" --output /root/repos.html
+        grep -- 'repo' /root/repos.html
+        grep -- "&#60;No description&#62;" /root/repos.html
+        grep -- '<span class="user-name">Alice</span>' /root/repos.html
+      ''} >&2")
       client.copy_from_vm("/root/issues.html", "");
+      client.copy_from_vm("/root/repos.html", "");