path: root/nixpkgs/nixos/tests/systemd-journal-upload.nix
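# NixOS VM test: a client node forwards its journal to a server node via
# systemd-journal-upload / systemd-journal-remote, and the test checks that a
# message logged on the client ends up in the server's remote journal files.
import ./make-test-python.nix ({ pkgs, ... }:
{
  name = "systemd-journal-upload";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ minijackson raitobezarius ];
  };

  nodes.server = { nodes, ... }: {
    services.journald.remote = {
      enable = true;
      # Plain HTTP: the certificate settings below are configured but are not
      # exercised by this test. Switching this to "https" (and the client URL
      # to https://) would make the test cover the TLS path as well.
      listen = "http";
      settings.Remote = {
        # These names must match what copy_pems in testScript installs
        # (/run/secrets/<domain>.cert.pem and <domain>.key.pem).
        ServerCertificateFile = "/run/secrets/server.cert.pem";
        ServerKeyFile = "/run/secrets/server.key.pem";
        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
        Seal = true;
      };
    };

    # Open the port the remote service listens on so the client can reach it.
    networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
  };

  nodes.client = { lib, nodes, ... }: {
    services.journald.upload = {
      enable = true;
      settings.Upload = {
        URL = "http://server:${toString nodes.server.services.journald.remote.port}";
        ServerCertificateFile = "/run/secrets/client.cert.pem";
        ServerKeyFile = "/run/secrets/client.key.pem";
        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
      };
    };

    # Do not start the upload service at boot; a .path unit starts it once the
    # PEMs have been copied in by the test driver.
    systemd.services.systemd-journal-upload.wantedBy = lib.mkForce [];
    systemd.paths.systemd-journal-upload = {
      wantedBy = [ "default.target" ];
      # copy_pems copies the CA cert last, so its presence implies the client
      # cert and key are already in place.
      pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
    };
  };

  testScript = ''
    import subprocess
    import tempfile

    # Scratch directory on the host for the generated CA and leaf certificates.
    tmpdir_o = tempfile.TemporaryDirectory()
    tmpdir = tmpdir_o.name

    def generate_pems(domain: str):
      # Generate a leaf cert/key for `domain` under tmpdir/<domain>/, signed by
      # the CA in tmpdir/ca.{key,cert}.pem (created on the first call; both
      # nodes must end up trusting the same CA). check=True turns a minica
      # failure into an immediate error instead of a confusing copy failure
      # later on.
      subprocess.run(
        [
          "${pkgs.minica}/bin/minica",
          "--ca-key=ca.key.pem",
          "--ca-cert=ca.cert.pem",
          f"--domains={domain}",
        ],
        cwd=str(tmpdir),
        check=True,
      )

    with subtest("Creating keys and certificates"):
      generate_pems("server")
      generate_pems("client")

    server.wait_for_unit("multi-user.target")
    client.wait_for_unit("multi-user.target")

    def copy_pems(machine: Machine, domain: str):
      # Install the node's own cert/key plus the CA cert into /run/secrets.
      machine.succeed("mkdir /run/secrets")
      machine.copy_from_host(
        source=f"{tmpdir}/{domain}/cert.pem",
        target=f"/run/secrets/{domain}.cert.pem",
      )
      machine.copy_from_host(
        source=f"{tmpdir}/{domain}/key.pem",
        target=f"/run/secrets/{domain}.key.pem",
      )
      # Must stay last: the client's .path unit waits on this file, so it must
      # only appear once the cert and key above are already in place.
      machine.copy_from_host(
        source=f"{tmpdir}/ca.cert.pem",
        target="/run/secrets/ca.cert.pem",
      )

    with subtest("Copying keys and certificates"):
      copy_pems(server, "server")
      copy_pems(client, "client")

    client.wait_for_unit("systemd-journal-upload.service")
    # The journal upload should have started the remote service, triggered by
    # the .socket unit
    server.wait_for_unit("systemd-journal-remote.service")

    identifier = "nixos-test"
    message = "Hello from NixOS test infrastructure"

    # Log on the client, then poll the server's remote journal files until the
    # message has been forwarded.
    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
    server.wait_until_succeeds(
      f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
    )
  '';
})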