Diffstat (limited to 'nixpkgs/nixos/tests')
-rw-r--r-- | nixpkgs/nixos/tests/acme.nix | 24 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/all-tests.nix | 4 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/btrbk.nix | 110 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/coturn.nix | 29 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/jenkins-cli.nix | 30 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/kubernetes/base.nix | 9 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/mysql/mysql.nix | 16 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/sanoid.nix | 2 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/trafficserver.nix | 1 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/vault.nix | 4 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/vaultwarden.nix (renamed from nixpkgs/nixos/tests/bitwarden.nix) | 20 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/yggdrasil.nix | 18 | ||||
-rw-r--r-- | nixpkgs/nixos/tests/zsh-history.nix | 2 |
13 files changed, 235 insertions, 34 deletions
diff --git a/nixpkgs/nixos/tests/acme.nix b/nixpkgs/nixos/tests/acme.nix
index fe8c4af3ea21..6532fc4ac1d4 100644
--- a/nixpkgs/nixos/tests/acme.nix
+++ b/nixpkgs/nixos/tests/acme.nix
@@ -330,30 +330,38 @@ in import ./make-test-python.nix ({ lib, ... }: { with subtest("Can request certificate with HTTPS-01 challenge"): webserver.wait_for_unit("acme-finished-a.example.test.target") - check_fullchain(webserver, "a.example.test") - check_issuer(webserver, "a.example.test", "pebble") - check_connection(client, "a.example.test") with subtest("Certificates and accounts have safe + valid permissions"): group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}" webserver.succeed( - f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" ) webserver.succeed( - f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4" ) webserver.succeed( - f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" + f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" ) webserver.succeed( - f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" + f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" ) + with subtest("Certs are accepted by web server"): + webserver.succeed("systemctl start nginx.service") + check_fullchain(webserver, "a.example.test") + check_issuer(webserver, "a.example.test", "pebble") + check_connection(client, "a.example.test") + + # Selfsigned certs tests happen late so we aren't fighting the system init 
triggering cert renewal with subtest("Can generate valid selfsigned certs"): webserver.succeed("systemctl clean acme-a.example.test.service --what=state") webserver.succeed("systemctl start acme-selfsigned-a.example.test.service") check_fullchain(webserver, "a.example.test") check_issuer(webserver, "a.example.test", "minica") + # Check selfsigned permissions + webserver.succeed( + f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + ) # Will succeed if nginx can load the certs webserver.succeed("systemctl start nginx-config-reload.service") @@ -376,6 +384,8 @@ in import ./make-test-python.nix ({ lib, ... }: { webserver.wait_for_unit("acme-finished-a.example.test.target") check_connection_key_bits(client, "a.example.test", "384") webserver.succeed("grep testing /var/lib/acme/a.example.test/test") + # Clean to remove the testing file (and anything else messy we did) + webserver.succeed("systemctl clean acme-a.example.test.service --what=state") with subtest("Correctly implements OCSP stapling"): switch_to(webserver, "ocsp-stapling") diff --git a/nixpkgs/nixos/tests/all-tests.nix b/nixpkgs/nixos/tests/all-tests.nix index b5126be8af7a..741606732144 100644 --- a/nixpkgs/nixos/tests/all-tests.nix +++ b/nixpkgs/nixos/tests/all-tests.nix @@ -42,12 +42,12 @@ in bind = handleTest ./bind.nix {}; bitcoind = handleTest ./bitcoind.nix {}; bittorrent = handleTest ./bittorrent.nix {}; - bitwarden = handleTest ./bitwarden.nix {}; blockbook-frontend = handleTest ./blockbook-frontend.nix {}; boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot-stage1 = handleTest ./boot-stage1.nix {}; borgbackup = handleTest ./borgbackup.nix {}; botamusique = handleTest ./botamusique.nix {}; + btrbk = handleTest ./btrbk.nix {}; buildbot = handleTest ./buildbot.nix {}; buildkite-agents = handleTest ./buildkite-agents.nix {}; caddy = handleTest ./caddy.nix {}; 
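Review bot: Narrowing the first permission check from `/var/lib/acme/a.example.test/*` to `*.pem` means any other file in the certificate directory is no longer checked at all. The count-based checks in this hunk (`grep '640 acme {group}' | wc -l) -eq 5`, the `.lego` one with `-eq 4`, and the new selfsigned one) also pass as long as enough files match, even if an extra file with looser permissions sits next to them. The accounts check in the same subtest already uses the stricter form, so a companion assertion per directory, `test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | grep -v '640 acme {group}' | wc -l) -eq 0`, would make a permissions regression fail. If non-.pem files are expected there with a different mode, a short comment saying so would explain the narrower glob.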
@@ -88,6 +88,7 @@ in containers-tmpfs = handleTest ./containers-tmpfs.nix {}; convos = handleTest ./convos.nix {}; corerad = handleTest ./corerad.nix {}; + coturn = handleTest ./coturn.nix {}; couchdb = handleTest ./couchdb.nix {}; cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {}; custom-ca = handleTest ./custom-ca.nix {}; @@ -446,6 +447,7 @@ in v2ray = handleTest ./v2ray.nix {}; vault = handleTest ./vault.nix {}; vault-postgresql = handleTest ./vault-postgresql.nix {}; + vaultwarden = handleTest ./vaultwarden.nix {}; vector = handleTest ./vector.nix {}; victoriametrics = handleTest ./victoriametrics.nix {}; virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; diff --git a/nixpkgs/nixos/tests/btrbk.nix b/nixpkgs/nixos/tests/btrbk.nix new file mode 100644 index 000000000000..2689bb66c63a --- /dev/null +++ b/nixpkgs/nixos/tests/btrbk.nix 
@@ -0,0 +1,110 @@ +import ./make-test-python.nix ({ pkgs, ... }: + + let + privateKey = '' + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe + RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw + AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg + 9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ= + -----END OPENSSH PRIVATE KEY----- + ''; + publicKey = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv + ''; + in + { + name = "btrbk"; + meta = with pkgs.lib; { + maintainers = with maintainers; [ symphorien ]; + }; + + nodes = { + archive = { ... }: { + environment.systemPackages = with pkgs; [ btrfs-progs ]; + # note: this makes the privateKey world readable. + # don't do it with real ssh keys. + environment.etc."btrbk_key".text = privateKey; + services.btrbk = { + extraPackages = [ pkgs.lz4 ]; + instances = { + remote = { + onCalendar = "minutely"; + settings = { + ssh_identity = "/etc/btrbk_key"; + ssh_user = "btrbk"; + stream_compress = "lz4"; + volume = { + "ssh://main/mnt" = { + target = "/mnt"; + snapshot_dir = "btrbk/remote"; + subvolume = "to_backup"; + }; + }; + }; + }; + }; + }; + }; + + main = { ... 
}: { + environment.systemPackages = with pkgs; [ btrfs-progs ]; + services.openssh = { + enable = true; + passwordAuthentication = false; + challengeResponseAuthentication = false; + }; + services.btrbk = { + extraPackages = [ pkgs.lz4 ]; + sshAccess = [ + { + key = publicKey; + roles = [ "source" "send" "info" "delete" ]; + } + ]; + instances = { + local = { + onCalendar = "minutely"; + settings = { + volume = { + "/mnt" = { + snapshot_dir = "btrbk/local"; + subvolume = "to_backup"; + }; + }; + }; + }; + }; + }; + }; + }; + + testScript = '' + start_all() + + # create btrfs partition at /mnt + for machine in (archive, main): + machine.succeed("dd if=/dev/zero of=/data_fs bs=120M count=1") + machine.succeed("mkfs.btrfs /data_fs") + machine.succeed("mkdir /mnt") + machine.succeed("mount /data_fs /mnt") + + # what to backup and where + main.succeed("btrfs subvolume create /mnt/to_backup") + main.succeed("mkdir -p /mnt/btrbk/{local,remote}") + + # check that local snapshots work + with subtest("local"): + main.succeed("echo foo > /mnt/to_backup/bar") + main.wait_until_succeeds("cat /mnt/btrbk/local/*/bar | grep foo") + main.succeed("echo bar > /mnt/to_backup/bar") + main.succeed("cat /mnt/btrbk/local/*/bar | grep foo") + + # check that btrfs send/receive works and ssh access works + with subtest("remote"): + archive.wait_until_succeeds("cat /mnt/*/bar | grep bar") + main.succeed("echo baz > /mnt/to_backup/bar") + archive.succeed("cat /mnt/*/bar | grep bar") + ''; + }) diff --git a/nixpkgs/nixos/tests/coturn.nix b/nixpkgs/nixos/tests/coturn.nix new file mode 100644 index 000000000000..dff832281c7c --- /dev/null +++ b/nixpkgs/nixos/tests/coturn.nix 
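Review bot: Both subtests exercise only the permitted path, so nothing here shows that the `sshAccess` entry on `main` actually confines the key to the listed roles (`source`, `send`, `info`, `delete`). A regression that stopped restricting what the key may run would still pass. A third subtest asserting that a non-btrbk command over that key is rejected would cover it; how to invoke it depends on the module's ssh setup, which is not visible in this hunk. Separately, `environment.etc."btrbk_key".text` also copies the key into the Nix store, so the comment could read `# note: this puts privateKey in the world-readable Nix store and /etc; test fixture only, never authorize this key on a real host.`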
@@ -0,0 +1,29 @@ +import ./make-test-python.nix ({ ... }: { + name = "coturn"; + nodes = { + default = { + services.coturn.enable = true; + }; + secretsfile = { + boot.postBootCommands = '' + echo "some-very-secret-string" > /run/coturn-secret + ''; + services.coturn = { + enable = true; + static-auth-secret-file = "/run/coturn-secret"; + }; + }; + }; + + testScript = + '' + start_all() + + with subtest("by default works without configuration"): + default.wait_for_unit("coturn.service") + + with subtest("works with static-auth-secret-file"): + secretsfile.wait_for_unit("coturn.service") + secretsfile.succeed("grep 'some-very-secret-string' /run/coturn/turnserver.cfg") + ''; +}) diff --git a/nixpkgs/nixos/tests/jenkins-cli.nix b/nixpkgs/nixos/tests/jenkins-cli.nix new file mode 100644 index 000000000000..f25e1604da33 --- /dev/null +++ b/nixpkgs/nixos/tests/jenkins-cli.nix @@ -0,0 +1,30 @@ +import ./make-test-python.nix ({ pkgs, ...} : rec { + name = "jenkins-cli"; + meta = with pkgs.lib.maintainers; { + maintainers = [ pamplemousse ]; + }; + + nodes = { + machine = + { ... }: + { + services.jenkins = { + enable = true; + withCLI = true; + }; + }; + }; + + testScript = '' + start_all() + + machine.wait_for_unit("jenkins") + + assert "JENKINS_URL" in machine.succeed("env") + assert "http://0.0.0.0:8080" in machine.succeed("echo $JENKINS_URL") + + machine.succeed( + "jenkins-cli -auth admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword)" + ) + ''; +}) diff --git a/nixpkgs/nixos/tests/kubernetes/base.nix b/nixpkgs/nixos/tests/kubernetes/base.nix index 8cfac10b6dc4..1f23ca55fb23 100644 --- a/nixpkgs/nixos/tests/kubernetes/base.nix +++ b/nixpkgs/nixos/tests/kubernetes/base.nix @@ -40,7 +40,7 @@ let allowedTCPPorts = [ 10250 # kubelet ]; - trustedInterfaces = ["docker0"]; + trustedInterfaces = ["mynet"]; extraCommands = concatMapStrings (node: '' iptables -A INPUT -s ${node.config.networking.primaryIPAddress} -j ACCEPT 
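Review bot: The `secretsfile` subtest asserts that the secret is copied into `/run/coturn/turnserver.cfg` but never checks who can read that file, which is the property that matters once a secret has been moved into a generated config. Adding an assertion on its mode and owner, for example `secretsfile.succeed("stat -c '%a %U' /run/coturn/turnserver.cfg | grep -x '<expected mode> <expected owner>'")` with the values the module intends, would catch a regression that leaves it world-readable. The fixture itself is created by `echo ... > /run/coturn-secret` under the default umask, so a comment noting that real deployments should create the secret file with restrictive permissions would keep the test from being copied as-is.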
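Review bot: The final `jenkins-cli -auth admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword)` call names no CLI command, so `machine.succeed` only proves the client exited 0 and it is not evident that the credentials were actually checked. Running an explicit command and asserting on its output, e.g. `assert "admin" in machine.succeed("jenkins-cli -auth admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword) who-am-i")`, would show that authentication worked. A comment that the password is passed on the command line only because this is a throwaway VM would also help readers who reuse the snippet.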
@@ -61,6 +61,13 @@ let advertiseAddress = master.ip; }; masterAddress = "${masterName}.${config.networking.domain}"; + # workaround for: + # https://github.com/kubernetes/kubernetes/issues/102676 + # (workaround from) https://github.com/kubernetes/kubernetes/issues/95488 + kubelet.extraOpts = ''\ + --cgroups-per-qos=false \ + --enforce-node-allocatable="" \ + ''; }; } (optionalAttrs (any (role: role == "master") machine.roles) { diff --git a/nixpkgs/nixos/tests/mysql/mysql.nix b/nixpkgs/nixos/tests/mysql/mysql.nix index c21136416d47..2ec9c3d50a3c 100644 --- a/nixpkgs/nixos/tests/mysql/mysql.nix +++ b/nixpkgs/nixos/tests/mysql/mysql.nix @@ -98,7 +98,7 @@ import ./../make-test-python.nix ({ pkgs, ...} : { }]; services.mysql.settings = { mysqld = { - plugin-load-add = [ "ha_rocksdb.so" ]; + plugin-load-add = [ "ha_mroonga.so" "ha_rocksdb.so" ]; }; }; services.mysql.package = pkgs.mariadb; @@ -172,6 +172,20 @@ import ./../make-test-python.nix ({ pkgs, ...} : { "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42" ) + # Check if Mroonga plugin works + mariadb.succeed( + "echo 'use testdb; create table mroongadb (test_id INT, PRIMARY KEY (test_id)) ENGINE = Mroonga;' | sudo -u testuser mysql -u testuser" + ) + mariadb.succeed( + "echo 'use testdb; insert into mroongadb values (25);' | sudo -u testuser mysql -u testuser" + ) + mariadb.succeed( + "echo 'use testdb; select test_id from mroongadb;' | sudo -u testuser mysql -u testuser -N | grep 25" + ) + mariadb.succeed( + "echo 'use testdb; drop table mroongadb;' | sudo -u testuser mysql -u testuser" + ) + # Check if RocksDB plugin works mariadb.succeed( "echo 'use testdb; create table rocksdb (test_id INT, PRIMARY KEY (test_id)) ENGINE = RocksDB;' | sudo -u testuser mysql -u testuser" diff --git a/nixpkgs/nixos/tests/sanoid.nix b/nixpkgs/nixos/tests/sanoid.nix index c691bfc08ef7..1983945915fe 100644 --- a/nixpkgs/nixos/tests/sanoid.nix +++ b/nixpkgs/nixos/tests/sanoid.nix 
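Review bot: The added `kubelet.extraOpts` turns off the kubelet's per-QoS cgroup hierarchy (`--cgroups-per-qos=false`) and empties `--enforce-node-allocatable`, so every test built on this base now runs without the pod resource-isolation settings a default kubelet applies, and the comment only links the issues. I would extend it with something like `# test-only: disables pod QoS cgroups and node-allocatable enforcement; drop once the linked issue is resolved` so the flags are not copied into a real cluster config. The string also ends in a trailing `\`, which is only safe if the module splices `extraOpts` in front of further arguments; that code is outside this hunk, so please confirm.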
@@ -33,7 +33,7 @@ in { autosnap = true; }; - datasets."pool/sanoid".useTemplate = [ "test" ]; + datasets."pool/sanoid".use_template = [ "test" ]; extraArgs = [ "--verbose" ]; }; diff --git a/nixpkgs/nixos/tests/trafficserver.nix b/nixpkgs/nixos/tests/trafficserver.nix index 3979a1b4a482..983ded4f172e 100644 --- a/nixpkgs/nixos/tests/trafficserver.nix +++ b/nixpkgs/nixos/tests/trafficserver.nix @@ -104,6 +104,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { ats.wait_for_open_port(80) httpbin.wait_for_unit("httpbin") httpbin.wait_for_open_port(80) + client.wait_for_unit("network-online.target") with subtest("Traffic Server is running"): out = ats.succeed("traffic_ctl server status") diff --git a/nixpkgs/nixos/tests/vault.nix b/nixpkgs/nixos/tests/vault.nix index 59bccbe25959..c3b28b62695a 100644 --- a/nixpkgs/nixos/tests/vault.nix +++ b/nixpkgs/nixos/tests/vault.nix @@ -19,6 +19,8 @@ import ./make-test-python.nix ({ pkgs, ... }: machine.wait_for_unit("vault.service") machine.wait_for_open_port(8200) machine.succeed("vault operator init") - machine.succeed("vault status | grep Sealed | grep true") + # vault now returns exit code 2 for sealed vaults + machine.fail("vault status") + machine.succeed("vault status || test $? -eq 2") ''; }) diff --git a/nixpkgs/nixos/tests/bitwarden.nix b/nixpkgs/nixos/tests/vaultwarden.nix index f64cf171f01f..b5343f5cad2d 100644 --- a/nixpkgs/nixos/tests/bitwarden.nix +++ b/nixpkgs/nixos/tests/vaultwarden.nix @@ -4,7 +4,7 @@ }: # These tests will: -# * Set up a bitwarden-rs server +# * Set up a vaultwarden server # * Have Firefox use the web vault to create an account, log in, and save a password to the valut # * Have the bw cli log in and read that password from the vault # 
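Review bot: In the vault.nix hunk the sealed-state assertion is now split over two separate `vault status` invocations, and neither is exact on its own. `machine.fail("vault status")` accepts any non-zero exit, including exit 1 for an error, while `vault status || test $? -eq 2` also passes when the vault is unsealed and exits 0. A single call pins the intended code: `status, out = machine.execute("vault status")` followed by `assert status == 2, "vault should be sealed after init"`. The dropped `grep Sealed | grep true` check could then be kept against `out` as a second assertion.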
@@ -24,8 +24,8 @@ let storedPassword = "seeeecret"; - makeBitwardenTest = backend: makeTest { - name = "bitwarden_rs-${backend}"; + makeVaultwardenTest = backend: makeTest { + name = "vaultwarden-${backend}"; meta = { maintainers = with pkgs.lib.maintainers; [ jjjollyjim ]; }; @@ -45,9 +45,9 @@ let package = pkgs.mariadb; }; - services.bitwarden_rs.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + services.vaultwarden.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden"; - systemd.services.bitwarden_rs.after = [ "mysql.service" ]; + systemd.services.vaultwarden.after = [ "mysql.service" ]; }; postgresql = { @@ -60,9 +60,9 @@ let ''; }; - services.bitwarden_rs.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + services.vaultwarden.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; - systemd.services.bitwarden_rs.after = [ "postgresql.service" ]; + systemd.services.vaultwarden.after = [ "postgresql.service" ]; }; sqlite = { }; @@ -71,7 +71,7 @@ let mkMerge [ backendConfig.${backend} { - services.bitwarden_rs = { + services.vaultwarden = { enable = true; dbBackend = backend; config.rocketPort = 80; @@ -152,7 +152,7 @@ let testScript = '' start_all() - server.wait_for_unit("bitwarden_rs.service") + server.wait_for_unit("vaultwarden.service") server.wait_for_open_port(80) with subtest("configure the cli"): @@ -184,6 +184,6 @@ let in builtins.listToAttrs ( map - (backend: { name = backend; value = makeBitwardenTest backend; }) + (backend: { name = backend; value = makeVaultwardenTest backend; }) backends ) diff --git a/nixpkgs/nixos/tests/yggdrasil.nix b/nixpkgs/nixos/tests/yggdrasil.nix index 0e75ed54db28..b409d9ed7853 100644 --- a/nixpkgs/nixos/tests/yggdrasil.nix +++ b/nixpkgs/nixos/tests/yggdrasil.nix 
@@ -1,23 +1,19 @@ let - aliceIp6 = "200:3b91:b2d8:e708:fbf3:f06:fdd5:90d0"; + aliceIp6 = "202:b70:9b0b:cf34:f93c:8f18:bbfd:7034"; aliceKeys = { - EncryptionPublicKey = "13e23986fe76bc3966b42453f479bc563348b7ff76633b7efcb76e185ec7652f"; - EncryptionPrivateKey = "9f86947b15e86f9badac095517a1982e39a2db37ca726357f95987b898d82208"; - SigningPublicKey = "e2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4"; - SigningPrivateKey = "fe3add8da35316c05f6d90d3ca79bd2801e6ccab6d37e5339fef4152589398abe2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4"; + PublicKey = "3e91ec9e861960d86e1ce88051f97c435bdf2859640ab681dfa906eb45ad5182"; + PrivateKey = "a867f9e078e4ce58d310cf5acd4622d759e2a21df07e1d6fc380a2a26489480d3e91ec9e861960d86e1ce88051f97c435bdf2859640ab681dfa906eb45ad5182"; }; - bobIp6 = "201:ebbd:bde9:f138:c302:4afa:1fb6:a19a"; - bobPrefix = "301:ebbd:bde9:f138"; + bobIp6 = "202:a483:73a4:9f2d:a559:4a19:bc9:8458"; + bobPrefix = "302:a483:73a4:9f2d"; bobConfig = { InterfacePeers = { eth1 = [ "tcp://192.168.1.200:12345" ]; }; MulticastInterfaces = [ "eth1" ]; LinkLocalTCPPort = 54321; - EncryptionPublicKey = "c99d6830111e12d1b004c52fe9e5a2eef0f6aefca167aca14589a370b7373279"; - EncryptionPrivateKey = "2e698a53d3fdce5962d2ff37de0fe77742a5c8b56cd8259f5da6aa792f6e8ba3"; - SigningPublicKey = "de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b"; - SigningPrivateKey = "2a6c21550f3fca0331df50668ffab66b6dce8237bcd5728e571e8033b363e247de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b"; + PublicKey = "2b6f918b6c1a4b54d6bcde86cf74e074fb32ead4ee439b7930df2aa60c825186"; + PrivateKey = "0c4a24acd3402722ce9277ed179f4a04b895b49586493c25fbaed60653d857d62b6f918b6c1a4b54d6bcde86cf74e074fb32ead4ee439b7930df2aa60c825186"; }; danIp6 = bobPrefix + "::2"; diff --git a/nixpkgs/nixos/tests/zsh-history.nix b/nixpkgs/nixos/tests/zsh-history.nix index 3109c3f65081..355687798406 100644 --- a/nixpkgs/nixos/tests/zsh-history.nix 
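Review bot: The replaced `PrivateKey` values for alice and bob are committed in clear text with no marker that they are fixtures, and the hard-coded `aliceIp6`, `bobIp6` and `bobPrefix` had to change in lockstep with them in this hunk. A comment above the bindings such as `# throwaway test keys; the addresses below appear to be derived from them, regenerate both together` would discourage reuse outside the test and make the next key-format change easier. The `let` block continues outside the hunk.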
+++ b/nixpkgs/nixos/tests/zsh-history.nix @@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ...} : { # Login default.wait_until_tty_matches(1, "login: ") default.send_chars("root\n") - default.wait_until_tty_matches(1, "root@default>") + default.wait_until_tty_matches(1, r"\nroot@default\b") # Generate some history default.send_chars("echo foobar\n") |