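# NixOS VM test: checks that the `sharkey` systemd unit, run with whatever
# hardening the vhack module applies to it, can still enumerate the host CPUs
# from Node.js.
#
# The real sharkey binary is not started. Only `ExecStart` is overridden with
# a small probe script, so the rest of the unit's `serviceConfig` stays in
# effect and is what the probe runs under.
{
  nixos-lib,
  pkgsUnstable,
  nixpkgs-unstable,
  vhackPackages,
  pkgs,
  extraModules,
  nixLib,
  ...
}:
nixos-lib.runTest {
  hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs

  name = "sharkey-images";

  node = {
    specialArgs = {inherit pkgsUnstable extraModules vhackPackages nixpkgs-unstable nixLib;};

    # Use the nixpkgs as constructed by the `nixpkgs.*` options
    pkgs = null;
  };

  nodes = {
    server = {config, ...}: {
      imports =
        extraModules
        ++ [
          ../../../../modules
        ];

      vhack = {
        persist.enable = true;
        nginx.enable = true;
        sharkey = {
          enable = true;
          fqdn = "sharkey.server";
        };
      };

      systemd.services = {
        # Avoid an error from this service: its command is replaced by
        # coreutils' `true`, so the unit always succeeds.
        # NOTE(review): presumably certificate issuance cannot work inside the
        # test VM - confirm. This also means TLS issuance is not covered here.
        "acme-sharkey.server".serviceConfig.ExecStart = pkgs.lib.mkForce "${pkgs.lib.getExe' pkgs.coreutils "true"}";

        # Test, that sharkey's hardening still allows access to the CPUs.
        #
        # The probe exits non-zero when no CPU information is visible, which
        # puts the unit into the `failed` state that the test script checks.
        sharkey.serviceConfig.ExecStart = let
          nodejs = pkgs.lib.getExe pkgsUnstable.nodejs;
          script = pkgs.writeTextFile {
            name = "script.js";
            text = ''
              import * as os from 'node:os';

              const cpus = os.cpus();

              // Fail with a readable message instead of a TypeError from
              // indexing an empty array when the sandbox hides CPU details.
              if (cpus.length === 0) {
                console.error('os.cpus() returned no entries; CPU information is not visible to the service');
                process.exit(1);
              }

              console.log(cpus[0].model)
              console.log(cpus.length)
            '';
          };
        in
          pkgs.lib.mkForce "${nodejs} ${script}";
      };
    };
  };

  testScript = {nodes, ...}:
  /*
  python
  */
  ''
    import json
    from time import sleep

    start_all()

    server.wait_for_unit("sharkey.service")

    # Give the service time to start.
    # NOTE(review): fixed delay; the failed-unit check below only sees a probe
    # failure that has been recorded by systemd within this window.
    sleep(3)

    with subtest("All services running"):
        def all_services_running(host):
            (status, output) = host.systemctl("list-units --state=failed --plain --no-pager --output=json")

            # Check the exit status first, so that a broken systemctl call is
            # reported as such and not as a JSON decoding error.
            assert status == 0, f"systemctl list-units exited with status {status}: {output}"

            host_failed = json.loads(output)
            assert len(host_failed) == 0, f"Expected zero failing services, but found: {json.dumps(host_failed, indent=4)}"

        all_services_running(server)
  '';
}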