Diffstat (limited to '')
-rw-r--r-- | modules/by-name/sh/sharkey/module.nix | 3 | ||||
-rw-r--r-- | tests/by-name/sh/sharkey-images/test.nix | 82 |
2 files changed, 84 insertions, 1 deletions
diff --git a/modules/by-name/sh/sharkey/module.nix b/modules/by-name/sh/sharkey/module.nix
index a2f5445..29bae51 100644
--- a/modules/by-name/sh/sharkey/module.nix
+++ b/modules/by-name/sh/sharkey/module.nix
@@ -242,7 +242,8 @@ in {
 MemoryDenyWriteExecute = false;
 PrivateDevices = true;
 PrivateUsers = true;
- ProcSubset = "pid";
+ # Sharkey needs access to the hosts CPUs
+ ProcSubset = "all";
 PrivateTmp = true;
 ProtectClock = true;
 ProtectControlGroups = true;
diff --git a/tests/by-name/sh/sharkey-images/test.nix b/tests/by-name/sh/sharkey-images/test.nix
new file mode 100644
index 0000000..d4f9332
--- /dev/null
+++ b/tests/by-name/sh/sharkey-images/test.nix
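Review bot: Switching ProcSubset from "pid" to "all" re-exposes every non-process entry of /proc to the service (not only cpuinfo and stat but also /proc/sys, kallsyms and the other kernel interfaces), and the added comment neither names the file Sharkey actually needs nor records that this is a hardening regression. On Linux, Node's os.cpus() is backed by /proc/cpuinfo and /proc/stat, which is presumably the access in question, so I would say so and point at the compensating controls: `# Node's os.cpus() reads /proc/cpuinfo and /proc/stat, which ProcSubset=pid hides.` followed by `# "all" also exposes the rest of /proc; ProtectKernelTunables/ProtectKernelLogs/ProtectProc must stay on to bound that.` Whether those Protect* options are set cannot be seen in this hunk; the ProcSubset relaxation is only acceptable with them in place. The comment's "hosts CPUs" should read "host's CPUs". The enclosing serviceConfig attribute set starts and ends outside the hunk.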
@@ -0,0 +1,82 @@
+{
+ nixos-lib,
+ pkgsUnstable,
+ nixpkgs-unstable,
+ vhackPackages,
+ pkgs,
+ extraModules,
+ nixLib,
+ ...
+}:
+nixos-lib.runTest {
+ hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
+
+ name = "sharkey-images";
+
+ node = {
+ specialArgs = {inherit pkgsUnstable extraModules vhackPackages nixpkgs-unstable nixLib;};
+
+ # Use the nixpkgs as constructed by the `nixpkgs.*` options
+ pkgs = null;
+ };
+
+ nodes = {
+ server = {config, ...}: {
+ imports =
+ extraModules
+ ++ [
+ ../../../../modules
+ ];
+
+ vhack = {
+ persist.enable = true;
+ nginx.enable = true;
+ sharkey = {
+ enable = true;
+ fqdn = "sharkey.server";
+ };
+ };
+ systemd.services = {
+ # Avoid an error from this service.
+ "acme-sharkey.server".serviceConfig.ExecStart = pkgs.lib.mkForce "${pkgs.lib.getExe' pkgs.coreutils "true"}";
+
+ # Test, that sharkey's hardening still allows access to the CPUs.
+ sharkey.serviceConfig.ExecStart = let
+ nodejs = pkgs.lib.getExe pkgsUnstable.nodejs;
+ script = pkgs.writeTextFile {
+ name = "script.js";
+ text = ''
+ import * as os from 'node:os';
+
+ console.log(os.cpus()[0].model)
+ console.log(os.cpus().length)
+ '';
+ };
+ in
+ pkgs.lib.mkForce "${nodejs} ${script}";
+ };
+ };
+ };
+
+ testScript = {nodes, ...}:
+ /*
+ python
+ */
+ ''
+ from time import sleep
+
+ start_all()
+ server.wait_for_unit("sharkey.service")
+
+ # Give the service time to start.
+ sleep(3)
+
+ with subtest("All services running"):
+ import json
+ def all_services_running(host):
+ (status, output) = host.systemctl("list-units --state=failed --plain --no-pager --output=json")
+ host_failed = json.loads(output)
+ assert len(host_failed) == 0, f"Expected zero failing services, but found: {json.dumps(host_failed, indent=4)}"
+ all_services_running(server)
+ '';
+}
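Review bot: The only assertion in testScript is that no unit is in the failed state, which does not prove the node script saw any CPUs: if the sharkey unit carries a Restart= setting (not visible here, it would come from the module), a crashing script sits in auto-restart rather than failed and the test passes vacuously, and the fixed sleep(3) before the check is a race either way. I would make the script exit non-zero when os.cpus() is empty and have testScript wait for the script's output in the journal instead of sleeping, keeping the failed-units subtest only as a secondary check. The JS must avoid a `${...}` template literal inside the Nix '' string, since Nix would interpolate it. The name sharkey-images also does not say what is tested; something like sharkey-procsubset-cpus would match the comment above the ExecStart override.
```nix
# … unchanged: module arguments, node, vhack options …
          script = pkgs.writeTextFile {
            name = "script.js";
            text = ''
              import * as os from 'node:os';

              const cpus = os.cpus();
              if (cpus.length === 0) {
                console.error('os.cpus() returned no CPUs; /proc/cpuinfo is probably hidden');
                process.exit(1);
              }
              console.log('cpus: ' + cpus.length + ' (' + cpus[0].model + ')');
            '';
          };
# … unchanged: ExecStart wiring, testScript up to start_all() …
    server.wait_for_unit("sharkey.service")
    server.wait_until_succeeds("journalctl -b -u sharkey.service --no-pager | grep -q 'cpus: [1-9]'")
# … unchanged: failed-units subtest …
```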