1 files changed, 56 insertions, 22 deletions
diff --git a/nixpkgs/nixos/tests/miniflux.nix b/nixpkgs/nixos/tests/miniflux.nix
index a3af53db0e7a..6d38224448ed 100644
--- a/nixpkgs/nixos/tests/miniflux.nix
+++ b/nixpkgs/nixos/tests/miniflux.nix
@@ -15,6 +15,10 @@ let
             ADMIN_USERNAME=${username}
             ADMIN_PASSWORD=${password}
           '';
+  postgresPassword = "correcthorsebatterystaple";
+  postgresPasswordFile = pkgs.writeText "pgpass" ''
+    *:*:*:*:${postgresPassword}
+  '';
 
 in
 {
@@ -56,32 +60,62 @@ in
           adminCredentialsFile = customAdminCredentialsFile;
         };
       };
+
+    postgresTcp = { config, pkgs, lib, ... }: {
+      services.postgresql = {
+        enable = true;
+        initialScript = pkgs.writeText "init-postgres" ''
+          CREATE USER miniflux WITH PASSWORD '${postgresPassword}';
+          CREATE DATABASE miniflux WITH OWNER miniflux;
+        '';
+        enableTCPIP = true;
+        authentication = ''
+          host sameuser miniflux samenet scram-sha-256
+        '';
+      };
+      systemd.services.postgresql.postStart = lib.mkAfter ''
+        $PSQL -tAd miniflux -c 'CREATE EXTENSION hstore;'
+      '';
+      networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
+    };
+    externalDb = { ... }: {
+      security.apparmor.enable = true;
+      services.miniflux = {
+        enable = true;
+        createDatabaseLocally = false;
+        inherit adminCredentialsFile;
+        config = {
+          DATABASE_URL = "user=miniflux host=postgresTcp dbname=miniflux sslmode=disable";
+          PGPASSFILE = "/run/miniflux/pgpass";
+        };
+      };
+      systemd.services.miniflux.preStart = ''
+        cp ${postgresPasswordFile} /run/miniflux/pgpass
+        chmod 600 /run/miniflux/pgpass
+      '';
+    };
   };
   testScript = ''
-    start_all()
+    def runTest(machine, port, user):
+      machine.wait_for_unit("miniflux.service")
+      machine.wait_for_open_port(port)
+      machine.succeed(f"curl --fail 'http://localhost:{port}/healthcheck' | grep OK")
+      machine.succeed(
+          f"curl 'http://localhost:{port}/v1/me' -u '{user}' -H Content-Type:application/json | grep '\"is_admin\":true'"
+      )
+      machine.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
-    default.wait_for_unit("miniflux.service")
-    default.wait_for_open_port(${toString defaultPort})
-    default.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep OK")
-    default.succeed(
-        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
-    )
-    default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
+    default.start()
+    withoutSudo.start()
+    customized.start()
+    postgresTcp.start()
 
-    withoutSudo.wait_for_unit("miniflux.service")
-    withoutSudo.wait_for_open_port(${toString defaultPort})
-    withoutSudo.succeed("curl --fail 'http://localhost:${toString defaultPort}/healthcheck' | grep OK")
-    withoutSudo.succeed(
-        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
-    )
-    withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
+    runTest(default, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
+    runTest(withoutSudo, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
+    runTest(customized, ${toString port}, "${username}:${password}")
 
-    customized.wait_for_unit("miniflux.service")
-    customized.wait_for_open_port(${toString port})
-    customized.succeed("curl --fail 'http://localhost:${toString port}/healthcheck' | grep OK")
-    customized.succeed(
-        "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
-    )
-    customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
+    postgresTcp.wait_for_unit("postgresql.service")
+    externalDb.start()
+    runTest(externalDb, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
   '';
 })