Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/all-tests.nix | 2 | ||||
-rw-r--r-- | nixos/tests/archi.nix | 31 | ||||
-rw-r--r-- | nixos/tests/dnscrypt-wrapper/default.nix | 144 | ||||
-rw-r--r-- | nixos/tests/plantuml-server.nix | 20 | ||||
-rw-r--r-- | nixos/tests/plausible.nix | 7 | ||||
-rw-r--r-- | nixos/tests/pleroma.nix | 9 | ||||
-rw-r--r-- | nixos/tests/prometheus-exporters.nix | 15 | ||||
-rw-r--r-- | nixos/tests/web-apps/mastodon/remote-postgresql.nix | 22 | ||||
-rw-r--r-- | nixos/tests/web-apps/mastodon/script.nix | 3 | ||||
-rw-r--r-- | nixos/tests/web-apps/mastodon/standard.nix | 4 | ||||
-rw-r--r-- | nixos/tests/wordpress.nix | 2 | ||||
-rw-r--r-- | nixos/tests/xmpp/ejabberd.nix | 2 |
12 files changed, 206 insertions, 55 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index f44fcfcf54ab..6c127efa4cea 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -124,6 +124,7 @@ in { apfs = runTest ./apfs.nix; appliance-repart-image = runTest ./appliance-repart-image.nix; apparmor = handleTest ./apparmor.nix {}; + archi = handleTest ./archi.nix {}; atd = handleTest ./atd.nix {}; atop = handleTest ./atop.nix {}; atuin = handleTest ./atuin.nix {}; @@ -656,6 +657,7 @@ in { phylactery = handleTest ./web-apps/phylactery.nix {}; pict-rs = handleTest ./pict-rs.nix {}; pinnwand = handleTest ./pinnwand.nix {}; + plantuml-server = handleTest ./plantuml-server.nix {}; plasma-bigscreen = handleTest ./plasma-bigscreen.nix {}; plasma5 = handleTest ./plasma5.nix {}; plasma5-systemd-start = handleTest ./plasma5-systemd-start.nix {}; diff --git a/nixos/tests/archi.nix b/nixos/tests/archi.nix new file mode 100644 index 000000000000..59f2e940c005 --- /dev/null +++ b/nixos/tests/archi.nix @@ -0,0 +1,31 @@ +import ./make-test-python.nix ({ lib, ... }: { + name = "archi"; + meta.maintainers = with lib.maintainers; [ paumr ]; + + nodes.machine = { pkgs, ... }: { + imports = [ + ./common/x11.nix + ]; + + environment.systemPackages = with pkgs; [ archi ]; + }; + + enableOCR = true; + + testScript = '' + machine.wait_for_x() + + with subtest("createEmptyModel via CLI"): + machine.succeed("Archi -application com.archimatetool.commandline.app -consoleLog -nosplash --createEmptyModel --saveModel smoke.archimate") + machine.copy_from_vm("smoke.archimate", "") + + with subtest("UI smoketest"): + machine.succeed("DISPLAY=:0 Archi --createEmptyModel >&2 &") + machine.wait_for_window("Archi") + + # wait till main UI is open + machine.wait_for_text("Welcome to Archi") + + machine.screenshot("welcome-screen") + ''; +}) diff --git a/nixos/tests/dnscrypt-wrapper/default.nix b/nixos/tests/dnscrypt-wrapper/default.nix index 1c05376e097b..1a794931dc50 100644 
--- a/nixos/tests/dnscrypt-wrapper/default.nix +++ b/nixos/tests/dnscrypt-wrapper/default.nix @@ -1,5 +1,15 @@ + { lib, pkgs, ... }: +let + snakeoil = import ../common/acme/server/snakeoil-certs.nix; + + hosts = lib.mkForce + { "fd::a" = [ "server" snakeoil.domain ]; + "fd::b" = [ "client" ]; + }; +in + { name = "dnscrypt-wrapper"; meta = with pkgs.lib.maintainers; { 
@@ -7,59 +17,122 @@ }; nodes = { - server = { lib, ... }: - { services.dnscrypt-wrapper = with builtins; + server = { + networking.hosts = hosts; + networking.interfaces.eth1.ipv6.addresses = lib.singleton + { address = "fd::a"; prefixLength = 64; }; + + services.dnscrypt-wrapper = { enable = true; - address = "192.168.1.1"; + address = "[::]"; + port = 5353; keys.expiration = 5; # days keys.checkInterval = 2; # min # The keypair was generated by the command: # dnscrypt-wrapper --gen-provider-keypair \ # --provider-name=2.dnscrypt-cert.server \ - # --ext-address=192.168.1.1:5353 - providerKey.public = toFile "public.key" (readFile ./public.key); - providerKey.secret = toFile "secret.key" (readFile ./secret.key); + providerKey.public = "${./public.key}"; + providerKey.secret = "${./secret.key}"; + }; + + # nameserver + services.bind.enable = true; + services.bind.zones = lib.singleton + { name = "."; + master = true; + file = pkgs.writeText "root.zone" '' + $TTL 3600 + . IN SOA example.org. admin.example.org. ( 1 3h 1h 1w 1d ) + . IN NS example.org. + example.org. 
IN AAAA 2001:db8::1 + ''; + }; + + # webserver + services.nginx.enable = true; + services.nginx.virtualHosts.${snakeoil.domain} = + { onlySSL = true; + listenAddresses = [ "localhost" ]; + sslCertificate = snakeoil.${snakeoil.domain}.cert; + sslCertificateKey = snakeoil.${snakeoil.domain}.key; + locations."/ip".extraConfig = '' + default_type text/plain; + return 200 "Ciao $remote_addr!\n"; + ''; }; - services.tinydns.enable = true; - services.tinydns.data = '' - ..:192.168.1.1:a - +it.works:1.2.3.4 - ''; - networking.firewall.allowedUDPPorts = [ 5353 ]; - networking.firewall.allowedTCPPorts = [ 5353 ]; - networking.interfaces.eth1.ipv4.addresses = lib.mkForce - [ { address = "192.168.1.1"; prefixLength = 24; } ]; + + # demultiplex HTTP and DNS from port 443 + services.sslh = + { enable = true; + method = "ev"; + settings.transparent = true; + settings.listen = lib.mkForce + [ { host = "server"; port = "443"; is_udp = false; } + { host = "server"; port = "443"; is_udp = true; } + ]; + settings.protocols = + [ # Send TLS to webserver (TCP) + { name = "tls"; host= "localhost"; port= "443"; } + # Send DNSCrypt to dnscrypt-wrapper (TCP or UDP) + { name = "anyprot"; host = "localhost"; port = "5353"; } + { name = "anyprot"; host = "localhost"; port = "5353"; is_udp = true;} + ]; + }; + + networking.firewall.allowedTCPPorts = [ 443 ]; + networking.firewall.allowedUDPPorts = [ 443 ]; }; - client = { lib, ... 
}: - { services.dnscrypt-proxy2.enable = true; - services.dnscrypt-proxy2.upstreamDefaults = false; - services.dnscrypt-proxy2.settings = { - server_names = [ "server" ]; - static.server.stamp = "sdns://AQAAAAAAAAAAEDE5Mi4xNjguMS4xOjUzNTMgFEHYOv0SCKSuqR5CDYa7-58cCBuXO2_5uTSVU9wNQF0WMi5kbnNjcnlwdC1jZXJ0LnNlcnZlcg"; + client = { + networking.hosts = hosts; + networking.interfaces.eth1.ipv6.addresses = lib.singleton + { address = "fd::b"; prefixLength = 64; }; + + services.dnscrypt-proxy2.enable = true; + services.dnscrypt-proxy2.upstreamDefaults = false; + services.dnscrypt-proxy2.settings = + { server_names = [ "server" ]; + listen_addresses = [ "[::1]:53" ]; + cache = false; + # Computed using https://dnscrypt.info/stamps/ + static.server.stamp = + "sdns://AQAAAAAAAAAADzE5Mi4xNjguMS4yOjQ0MyAUQdg6" + +"_RIIpK6pHkINhrv7nxwIG5c7b_m5NJVT3A1AXRYyLmRuc2NyeXB0LWNlcnQuc2VydmVy"; }; - networking.nameservers = [ "127.0.0.1" ]; - networking.interfaces.eth1.ipv4.addresses = lib.mkForce - [ { address = "192.168.1.2"; prefixLength = 24; } ]; - }; + networking.nameservers = [ "::1" ]; + security.pki.certificateFiles = [ snakeoil.ca.cert ]; + }; }; testScript = '' - start_all() - with subtest("The server can generate the ephemeral keypair"): server.wait_for_unit("dnscrypt-wrapper") server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key") server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt") almost_expiration = server.succeed("date --date '4days 23 hours 56min'").strip() - with subtest("The client can connect to the server"): - server.wait_for_unit("tinydns") - client.wait_for_unit("dnscrypt-proxy2") - assert "1.2.3.4" in client.wait_until_succeeds( - "host it.works" - ), "The IP address of 'it.works' does not match 1.2.3.4" + with subtest("The DNSCrypt client can connect to the server"): + server.wait_for_unit("sslh") + client.wait_until_succeeds("journalctl -u dnscrypt-proxy2 --grep '\[server\] OK'") + + with subtest("HTTP client can 
connect to the server"): + server.wait_for_unit("nginx") + client.succeed("curl -s --fail https://${snakeoil.domain}/ip | grep -q fd::b") + + with subtest("DNS queries over UDP are working"): + server.wait_for_unit("bind") + client.wait_for_open_port(53) + assert "2001:db8::1" in client.wait_until_succeeds( + "host -U example.org" + ), "The IP address of 'example.org' does not match 2001:db8::1" + + with subtest("DNS queries over TCP are working"): + server.wait_for_unit("bind") + client.wait_for_open_port(53) + assert "2001:db8::1" in client.wait_until_succeeds( + "host -T example.org" + ), "The IP address of 'example.org' does not match 2001:db8::1" with subtest("The server rotates the ephemeral keys"): # advance time by a little less than 5 days @@ -68,7 +141,8 @@ server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys") with subtest("The client can still connect to the server"): - server.wait_for_unit("dnscrypt-wrapper") - client.succeed("host it.works") + client.systemctl("restart dnscrypt-proxy2") + client.wait_until_succeeds("host -T example.org") + client.wait_until_succeeds("host -U example.org") ''; } diff --git a/nixos/tests/plantuml-server.nix b/nixos/tests/plantuml-server.nix new file mode 100644 index 000000000000..460c30919aec --- /dev/null +++ b/nixos/tests/plantuml-server.nix @@ -0,0 +1,20 @@ +import ./make-test-python.nix ({ pkgs, lib, ... }: { + name = "plantuml-server"; + meta.maintainers = with lib.maintainers; [ anthonyroussel ]; + + nodes.machine = { pkgs, ... }: { + environment.systemPackages = [ pkgs.curl ]; + services.plantuml-server.enable = true; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("plantuml-server.service") + machine.wait_for_open_port(8080) + + with subtest("Generate chart"): + chart_id = machine.succeed("curl -sSf http://localhost:8080/plantuml/coder -d 'Alice -> Bob'") + machine.succeed("curl -sSf http://localhost:8080/plantuml/txt/{}".format(chart_id)) + ''; +}) 
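Review bot: The static `sdns://` stamp in the client block of the `@@ -7,59 +17,122 @@` hunk is opaque, and it appears to decode to the IPv4 endpoint `192.168.1.2:443` with provider name `2.dnscrypt-cert.server`. Every address this hunk configures explicitly is IPv6 (`fd::a`, `fd::b`), so the test presumably depends on an IPv4 address assigned elsewhere; that cannot be confirmed from the hunk. I would record the decoded fields next to the stamp, e.g. `# stamp = DNSCrypt, addr 192.168.1.2:443 (server's IPv4), provider 2.dnscrypt-cert.server`, so a change in addressing fails for a visible reason. In the same hunk, the key-generation comment ends on a dangling `\` now that the `--ext-address` line is gone. Also, `'\[server\] OK'` sits in a non-raw Python string, where `\[` is an invalid escape that newer interpreters warn about; `\\[` or a raw string avoids that.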
diff --git a/nixos/tests/plausible.nix b/nixos/tests/plausible.nix index 9afd3db75de8..9c26c509a5ab 100644 --- a/nixos/tests/plausible.nix +++ b/nixos/tests/plausible.nix @@ -8,9 +8,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { virtualisation.memorySize = 4096; services.plausible = { enable = true; - releaseCookiePath = "${pkgs.runCommand "cookie" { } '' - ${pkgs.openssl}/bin/openssl rand -base64 64 >"$out" - ''}"; adminUser = { email = "admin@example.org"; passwordFile = "${pkgs.writeText "pwd" "foobar"}"; @@ -28,6 +25,10 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: { machine.wait_for_unit("plausible.service") machine.wait_for_open_port(8000) + # Ensure that the software does not make not make the machine + # listen on any public interfaces by default. + machine.fail("ss -tlpn 'src = 0.0.0.0 or src = [::]' | grep LISTEN") + machine.succeed("curl -f localhost:8000 >&2") machine.succeed("curl -f localhost:8000/js/script.js >&2") diff --git a/nixos/tests/pleroma.nix b/nixos/tests/pleroma.nix index 4f1aef854146..08a01585f877 100644 --- a/nixos/tests/pleroma.nix +++ b/nixos/tests/pleroma.nix @@ -164,9 +164,12 @@ import ./make-test-python.nix ({ pkgs, ... }: ''; tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' - openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=pleroma.nixos.test' -days 36500 mkdir -p $out - cp key.pem cert.pem $out + openssl req -x509 \ + -subj '/CN=pleroma.nixos.test/' -days 49710 \ + -addext 'subjectAltName = DNS:pleroma.nixos.test' \ + -keyout "$out/key.pem" -newkey ed25519 \ + -out "$out/cert.pem" -noenc ''; hosts = nodes: '' @@ -180,7 +183,7 @@ import ./make-test-python.nix ({ pkgs, ... }: security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; networking.extraHosts = hosts nodes; environment.systemPackages = with pkgs; [ - toot + pkgs.toot send-toot ]; }; 
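Review bot: The listen check added in the second plausible.nix hunk only detects wildcard TCP binds. `ss -tlpn 'src = 0.0.0.0 or src = [::]'` still passes if the service binds the machine's specific non-loopback address or opens a UDP socket, so it does not fully back the "no public interfaces" claim in the comment above it. Asserting the inverse is tighter, along the lines of `machine.fail("ss -Htln 'not src 127.0.0.0/8 and not src [::1]' | grep .")`. The comment also doubles a phrase and should read `# Ensure that the software does not make the machine`.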
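Review bot: `-days 49710` in the rewritten `openssl req` call of the first pleroma.nix hunk is an unexplained magic number. 49710 days is just under 2^32 seconds, so it looks like the largest validity that fits a 32-bit seconds counter, but the hunk does not say so. A short comment above the command would save the next reader the arithmetic, e.g. `# 49710 days ~ 2^32 s: longest validity that fits a 32-bit seconds field`. The same comment could state that the key is written unencrypted (`-noenc`) into the derivation output on purpose because this is a throwaway test certificate, so the snippet is not copied into a deployment where the key must stay private.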
diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index bccfe998f61a..7840130d4a36 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -257,6 +257,21 @@ let ''; }; + exportarr-sonarr = { + nodeName = "exportarr_sonarr"; + exporterConfig = { + enable = true; + url = "http://127.0.0.1:8989"; + # testing for real data is tricky, because the api key can not be preconfigured + apiKeyFile = pkgs.writeText "dummy-api-key" "eccff6a992bc2e4b88e46d064b26bb4e"; + }; + exporterTest = '' + wait_for_unit("prometheus-exportarr-sonarr-exporter.service") + wait_for_open_port(9707) + succeed("curl -sSf 'http://localhost:9707/metrics") + ''; + }; + fastly = { exporterConfig = { enable = true; diff --git a/nixos/tests/web-apps/mastodon/remote-postgresql.nix b/nixos/tests/web-apps/mastodon/remote-postgresql.nix index 715477191bfb..6548883db452 100644 --- a/nixos/tests/web-apps/mastodon/remote-postgresql.nix +++ b/nixos/tests/web-apps/mastodon/remote-postgresql.nix @@ -16,7 +16,7 @@ in meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ]; nodes = { - database = { + database = { config, ... }: { networking = { interfaces.eth1 = { ipv4.addresses = [ @@ -24,11 +24,13 @@ in ]; }; extraHosts = hosts; - firewall.allowedTCPPorts = [ 5432 ]; + firewall.allowedTCPPorts = [ config.services.postgresql.port ]; }; services.postgresql = { enable = true; + # TODO remove once https://github.com/NixOS/nixpkgs/pull/266270 is resolved. + package = pkgs.postgresql_14; enableTCPIP = true; authentication = '' hostnossl mastodon_local mastodon_test 192.168.2.201/32 md5 @@ -41,7 +43,7 @@ in }; }; - nginx = { + nginx = { nodes, ... }: { networking = { interfaces.eth1 = { ipv4.addresses = [ 
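Review bot: The `succeed(...)` line in the new `exportarr-sonarr` `exporterTest` has an unbalanced single quote. `'http://localhost:9707/metrics` is opened and never closed, so the shell should reject the command as an unterminated string and the subtest cannot pass as written. Close the quote: `succeed("curl -sSf 'http://localhost:9707/metrics'")`. Because the URL contains no shell metacharacters, dropping the inner quotes entirely would also work.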
@@ -69,18 +71,14 @@ in tryFiles = "$uri @proxy"; }; locations."@proxy" = { - proxyPass = "http://192.168.2.201:55001"; - proxyWebsockets = true; - }; - locations."/api/v1/streaming/" = { - proxyPass = "http://192.168.2.201:55002"; + proxyPass = "http://192.168.2.201:${toString nodes.server.services.mastodon.webPort}"; proxyWebsockets = true; }; }; }; }; - server = { pkgs, ... }: { + server = { config, pkgs, ... }: { virtualisation.memorySize = 2048; environment = { @@ -98,7 +96,10 @@ in ]; }; extraHosts = hosts; - firewall.allowedTCPPorts = [ 55001 55002 ]; + firewall.allowedTCPPorts = [ + config.services.mastodon.webPort + config.services.mastodon.sidekiqPort + ]; }; services.mastodon = { @@ -106,6 +107,7 @@ in configureNginx = false; localDomain = "mastodon.local"; enableUnixSocket = false; + streamingProcesses = 2; database = { createLocally = false; host = "192.168.2.102"; diff --git a/nixos/tests/web-apps/mastodon/script.nix b/nixos/tests/web-apps/mastodon/script.nix index a89b4b7480e9..afb7c0e0a0eb 100644 --- a/nixos/tests/web-apps/mastodon/script.nix +++ b/nixos/tests/web-apps/mastodon/script.nix @@ -10,9 +10,8 @@ server.wait_for_unit("redis-mastodon.service") server.wait_for_unit("mastodon-sidekiq-all.service") - server.wait_for_unit("mastodon-streaming.service") + server.wait_for_unit("mastodon-streaming.target") server.wait_for_unit("mastodon-web.service") - server.wait_for_open_port(55000) server.wait_for_open_port(55001) # Check that mastodon-media-auto-remove is scheduled diff --git a/nixos/tests/web-apps/mastodon/standard.nix b/nixos/tests/web-apps/mastodon/standard.nix index 14311afea3f7..e5eb30fef597 100644 --- a/nixos/tests/web-apps/mastodon/standard.nix +++ b/nixos/tests/web-apps/mastodon/standard.nix 
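Review bot: In the `@@ -98,7 +96,10 @@` hunk the server firewall opens `config.services.mastodon.sidekiqPort` to the test network, yet nothing visible in this diff reaches that port from another node. The nginx node's only remaining `proxyPass` targets `webPort`, and the `/api/v1/streaming/` location that used the second port was removed in the preceding hunk. If the old `55002` entry existed only for streaming, the list can shrink to `firewall.allowedTCPPorts = [ config.services.mastodon.webPort ];`, so the test models the minimum exposure the split setup needs. Whether sidekiq must be reachable remotely cannot be determined from these hunks, so please confirm before trimming. script.nix also still waits on the literal `55001` while this file now derives the port from the module option, and the two can drift apart.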
@@ -40,11 +40,15 @@ in port = 31637; }; + # TODO remove once https://github.com/NixOS/nixpkgs/pull/266270 is resolved. + services.postgresql.package = pkgs.postgresql_14; + services.mastodon = { enable = true; configureNginx = true; localDomain = "mastodon.local"; enableUnixSocket = false; + streamingProcesses = 2; smtp = { createLocally = false; fromAddress = "mastodon@mastodon.local"; diff --git a/nixos/tests/wordpress.nix b/nixos/tests/wordpress.nix index 937b505af2ac..592af9a094f1 100644 --- a/nixos/tests/wordpress.nix +++ b/nixos/tests/wordpress.nix @@ -67,7 +67,7 @@ rec { networking.hosts."127.0.0.1" = [ "site1.local" "site2.local" ]; }; }) {} [ - "6_3" + "6_3" "6_4" ]; testScript = '' diff --git a/nixos/tests/xmpp/ejabberd.nix b/nixos/tests/xmpp/ejabberd.nix index 7926fe80de2f..1a807b27b6f6 100644 --- a/nixos/tests/xmpp/ejabberd.nix +++ b/nixos/tests/xmpp/ejabberd.nix @@ -1,7 +1,7 @@ import ../make-test-python.nix ({ pkgs, ... }: { name = "ejabberd"; meta = with pkgs.lib.maintainers; { - maintainers = [ ajs124 ]; + maintainers = [ ]; }; nodes = { client = { nodes, pkgs, ... }: { |