Split tests up based on certain use cases:
- http01-builtin: Tests most functionality of the core module, such
as the systemd and hashing components, whilst utilising lego's built
in http01 resolution mechanis.
- dns01: Tests only that DNS01 renewal works as expected.
- nginx: Tests nginx compatability
- httpd: Tests httpd compatability
- caddy: Tests caddy compatability
This test has always been broken. The fix is not obvious, there was an attempt to set up mount namespaces, but this will fail if the output directory doesn't exist. In the default configuration it will fail because the directory doesn't exist until cross-seed runs the first time. This points at a real issue with the module that should be addressed. But for now let's remove the broken test, then we can add it back in working condition.
Original PR: https://github.com/NixOS/nixpkgs/pull/383409
This lets us remove an assertion, because `pathWith` can require that a
file not be in the store.
Note that the old assertion didn't quite do what we wanted: it prevented
you from using top level store paths (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates`), but was
ok with sub-files (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates/intermediate-password-file`).
Now that we're stricter, we need some way to populate
`intermediatePasswordFile` in our test without making the type unhappy.
I opted to solve that by creating a file in `/etc`.
On my machine, I see that this `curl` command often fails. This is
because the caddy server hasn't finished the ACME dance with the step-ca
server yet.
This seems like the simplest fix. Alternatives I considered (and would
be happy to implement if folks prefer):
- Use `wait_for_file` to wait for the certificate to appear
- Increase caddy's log level and scrape its logs for the "certificate obtained"
message.
The pull request fixes the systemd-timesyncd NixOS test, which was
broken for quite a while.
I'm merging this in despite any review since that pull request has been
open for two weeks and since it's just fixing something that is broken
right now, I highly doubt that there would be much opposition (and you
can't break something that's already broken).
If there are objections on *how* I fixed this, we can still alter or
revert the change later.
The dynamic setup requires less network configuration and allows to use
features of the nixos testing driver, e.g. port forwarding and SSH
access to nodes in interactive mode.
This is done in view of the Release of the new v3 of Bird.
Switch to the bird3 package for the `services.bird.package` option.
Switch the `bird` package alias to bird3.
- Set wallpaper (where it doesn't cause issues) to simplify image for OCR
- Raise sleep before OCR to 30 (fixes OCR on my local aarch64 hardware? maybe being overloaded...)
The description for options.nixpkgs.system already hints at this:
Neither ${opt.system} nor any other option in nixpkgs.* is meant
to be read by modules and configurations.
Use pkgs.stdenv.hostPlatform instead.
We can support this goal by not elaborating the systems anymore, forcing
users to go via pkgs.stdenv.
This will prevent problems when making the top-level package sets
composable in the next commit. For this to work, you should pass a fully
elaborated system to nixpkgs' localSystem or crossSystem options.
We need to do the virtio link setup prior to `network.target`, since
systemd-networkd orders itself before `network.target`. So in order for
the bond to properly enslave the two virtio links, they should be
configured as a part of `network-pre.target`.
Version 257.1 of systemd changed[1] the PrivateTmp setting for the
systemd-timesyncd service from "yes" to "disconnected", which broke our
systemd-timesyncd test.
The reason for this is because the systemd-tmpfiles-setup.service is
*only*[2] added as a dependency of systemd-timesyncd.service if
PrivateTmp is set to "yes" but not when it is set to "disconnected"
(which would make sense given that the tmpfiles.d mechanism was
originally designed for temporary files).
Commit 339a866b7c switched the activation
script to using systemd-tmpfiles, but the commit in question doesn't
provide an explanation why this was necessary in this particular case.
However the pull request[3] lists an ongoing effort to get rid of Perl
and in the future get also rid of BASH for activation. The reasons for
doing this are outlined in the document[4]:
> The simple presence of interpreters on a system pose a security risk.
> An attacker that gains access to a system can abuse them to execute
> arbitrary commands. Mitre lists this as technique T1059. The most
> radical yet simple solution to mitigate this exploit is to remove all
> interpreters from a system (Mitre M1042). This radical solution is
> only really feasible and/or interesting for appliances (i.e.
> non-interactive) systems. Especially for high-security solutions this
> mitigtation is interesting.
I personally don't think this is a very compelling reason, at least for
our activation scripts, since an attacker could simply drop an
executable binary. Nevertheless, getting rid of additional dependencies
on eg. Perl or BASH is something worth pursuing to trim down moving
parts.
To address this, I decided to implement this as a normal systemd service
unit, since we need to guarantee that it's started before
systemd-timesyncd.service and with a dedicated unit we can ensure
explicit ordering. This has the advantage that we don't interfere with
the effort of getting rid of Perl/BASH for activation/boot and also
don't risk running into race conditions (again) because it's very
unlikely that systemd will change/deprecate explicit unit ordering in
the near future.
[1]: 1f6e192848
[2]: 30675a6ee9/src/core/unit.c (L1274)
[3]: https://github.com/NixOS/nixpkgs/pull/263203
[4]: https://pad.lassul.us/nixos-perlless-activation
Signed-off-by: aszlig <aszlig@nix.build>
Fixes this eval warning:
evaluation warning: The option `services.hound.config' defined in `makeTest parameters' has been changed to `services.hound.settings' that has a different type. Please read `services.hound.settings' documentation and update your configuration accordingly.
This allows for instance to reject switching into a configuration, while
still allowing to reboot into that same configuration.
This can be useful for instance to reject switching to a configuration
with a new systemd major version, but setting that same configuration as
the new boot default with `switch-to-configuration boot` is fine.
Now that we are disabling telemetry by default, we should attempt to
override it and other options in existing mutable configs,
if the user had a mutable config and advances their system.stateVersion.
We should disable telemetry but enable security update checks. Make both
controlable in the module without digging into settings.
Disabling telemetry also makes NixOS tests faster because the server
tries to send telemetry on first start.
Every postgresql testcase essentially does the following things:
* Filter `postgresqlVersions` for server packages
* Filter postgresql server packages for suitable ones (i.e. extensions
must support the given version)
* Generate an attribute-set of testcases
The first item became necessary in
7ab1e88833 given that
`postgresql/default.nix` now exposes JIT and non-JIT servers AND a
`libpq` that is not suitable for the tests here.
This changes restructures this a little bit, i.e.:
* Having an attribute-set that contains a bunch of postgresql servers
and a single client package seems odd (and the sole consumer of
`postgresqlVersions` in nixpkgs, the test suite, has to take that into
account). Hence, postgresql's default.nix now provides `libpq` (the client)
and a `postgresqlVersions` attribute with all supported JIT and non-JIT
variants of postgresql.
* Each test-case gets a third argument, a function called `genTests`:
this function sets `recurseForDerivations = true;` and generates an
attribute-set of tests for each postgresql version given a function
that returns a testcase or multiple test-cases (`makeTestFor`). The
argument to `makeTestFor` is a postgresql server package.
This function also accepts a filter predicate that is passed against
`filterAttrs` to remove postgresql server packages that are not
suitable for the test (e.g. because the version isn't supported by the
extension to test).
I checked by making sure that the `.drv` doesn't change on staging with
this change on top for postgresq, postgresql-jit,
postgresql-wal-receiver, postgresql-tls-client-cert, anonymizer, pgjwt,
pgvecto-rs, timescaledb, tsja and wal2json.
While it is possible to globally enable or disable security wrappers, it
isn't possible to disable only a subset of them. Consequently, users
will have to overwrite the security wrappers completely and re-add the
desired subset in case they want to disable a subset of those set up by
the NixOS modules.
Address this usecase by adding a new per-wrapper enable option.
The `autoDeployCharts` option further improves the auto deploying
capabilities of the k3s module by allowing to deploy and configure Helm charts
that are then instaled via the k3s Helm controller. Although this was
also previously possible by using auto deploying manifests, it required
some knowledge of the k3s Helm controller and led to a lot of
boilerplate code.
A couple of improvements:
1. Avoid the generally discouraged apply argument to options, as it has
quite weird semantics
2. Avoid issues when a user calls a preSwitchCheck `script`, which
would've been silently overridden by the existing implementation.
Reliance on a special attribute name like that is bound to lead to a
very-hard-to-debug problem for someone at some point
3. Use writeShellApplication so that the preSwitchChecks are checked by
shellcheck and and so that they run with basic bash guardrails
4. Fix shellcheck issue (testing the value of $?)
5. Add a positive preSwitchCheck to the nixos test, to make sure that
that works as intended
Previously in https://github.com/NixOS/nixpkgs/pull/308740
`BindReadOnlyPaths=` was fixed, but remained mounting non-existing Git repositories:
vm-test-run-public-inbox> machine # [ 19.503051] (ox-httpd)[1489]:
public-inbox-httpd.service: Failed to set up mount namespacing:
/var/lib/gitolite/repositories/user/repo1.git: No such file or directory
This patch changes the implementation of the subtests to
check for redis' cache being non empty to only run redis-cli
and jq in a shell and assert the returned length in python.
This fixes jq "len" simply not compiling and makes sure
regressions get noticed.
This patch adds a subtest and corresponding configuration to
with-declarative-redis-and-secrets to test for nextcloud notify_push
to be working, just as in with-postgresql-and-redis.
As notify_push needs to connect to the database, including it
in this test checks that it can read the dbpassFile properly.
