diff --git a/checks/default.nix b/checks/default.nix
index 674b19d..737313d 100644
--- a/checks/default.nix
+++ b/checks/default.nix
@@ -6,6 +6,8 @@ let
 in
 {
 x86_64-linux = lib.mergeAttrsList [
+ flake-inputs.self.nixosConfigurations.hetzner-1.config.serviceTests
+
 {
 nix = checkLib.mkLint {
 name = "nix-lints";
diff --git a/configuration/default.nix b/configuration/default.nix
index 631e93e..3eec2c0 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -11,7 +11,7 @@
 flake-inputs.tlaternet-webserver.nixosModules.default
 "${modulesPath}/profiles/minimal.nix"
- (import ../modules)
+ ../modules
 ./services/backups.nix
 ./services/battery-manager.nix
diff --git a/configuration/nginx/default.nix b/configuration/nginx/default.nix
index dab0259..2ef1527 100644
--- a/configuration/nginx/default.nix
+++ b/configuration/nginx/default.nix
@@ -1,4 +1,9 @@
-{ lib, ... }:
+{
+ flake-inputs,
+ pkgs,
+ lib,
+ ...
+}:
 {
 imports = [
 ./logging.nix
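Review bot: The serviceTests set is the first element of the `lib.mergeAttrsList` argument, so a test whose attribute name coincides with a later check (for example `nix`) is silently overridden by the merge, assuming mergeAttrsList gives later sets precedence the way `//` does. Prefixing the names before merging, e.g. `(lib.mapAttrs' (n: v: lib.nameValuePair "serviceTest-${n}" v) flake-inputs.self.nixosConfigurations.hetzner-1.config.serviceTests)`, keeps the two namespaces apart and makes the VM tests easy to spot in `nix flake check` output. The `hetzner-1` host name is hard-coded here; a short comment saying that service modules register their tests on that configuration's `serviceTests` option would help the next reader.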
@@ -10,13 +15,64 @@
 description = "The base domain name to append to virtual domain names";
 };
- config.services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- clientMaxBodySize = "10G";
- statusPage = true; # For metrics, should be accessible only from localhost
+ config = {
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ clientMaxBodySize = "10G";
+ statusPage = true; # For metrics, should be accessible only from localhost
+ };
+
+ serviceTests =
+ let
+ testHostConfig =
+ { config, ... }:
+ {
+ _module.args = { inherit flake-inputs; };
+ imports = [
+ ./.
+ ../../modules/serviceTests/mocks.nix
+ flake-inputs.sops-nix.nixosModules.sops
+ ];
+
+ services.nginx = {
+ domain = "testHost";
+
+ virtualHosts."${config.services.nginx.domain}" = {
+ useACMEHost = "tlater.net";
+ forceSSL = true;
+ enableHSTS = true;
+ locations."/".return = "200 ok";
+ };
+ };
+ };
+ in
+ {
+ hstsIsSet = pkgs.testers.runNixOSTest {
+ name = "assert-hsts";
+ nodes = {
+ testHost = testHostConfig;
+
+ client =
+ { pkgs, ... }:
+ {
+ environment.systemPackages = [ pkgs.curl ];
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ testHost.wait_for_unit("nginx")
+ testHost.succeed("systemctl start network-online.target")
+ testHost.wait_for_unit("network-online.target")
+
+ client.succeed("curl http://testHost")
+ '';
+ };
+ };
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index 9483c66..1bf5314 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1 +1,6 @@
-{ imports = [ ./crowdsec ]; }
+{
+ imports = [
+ ./crowdsec
+ ./serviceTests/stub.nix
+ ];
+}
diff --git a/modules/serviceTests/mocks.nix b/modules/serviceTests/mocks.nix
new file mode 100644
index 0000000..6d7be84
--- /dev/null
+++ b/modules/serviceTests/mocks.nix
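Review bot: The `hstsIsSet` test never checks HSTS: `client.succeed("curl http://testHost")` speaks plain HTTP, which with `forceSSL = true` is answered by a redirect that curl exits 0 on, so the test passes whenever nginx answers at all and the Strict-Transport-Security header is never inspected. The assertion should fetch the HTTPS endpoint and look at the response headers, e.g. `client.succeed("curl -fsSI --insecure https://testHost | grep -i '^strict-transport-security:'")`; `--insecure` is there only because the VM presumably serves the self-signed placeholder for the `tlater.net` ACME host rather than a trusted certificate, which is worth confirming when the test is run. The script also starts `network-online.target` by hand after `wait_for_unit("nginx")`; a one-line comment saying why nginx being up is not enough for the client request would save the next reader the guesswork.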
@@ -0,0 +1,27 @@
+/**
+ Module containing mock definitions for service test runners.
+*/
+{ lib, ... }:
+{
+ imports = [
+ ../.
+ ../../configuration/services/backups.nix
+ ];
+ # imports = [ flake-inputs.sops-nix.nixosModules.sops ];
+
+ sops.defaultSopsFile = ../../keys/staging.yaml;
+ environment.etc."staging.key" = {
+ mode = "0400";
+ source = ../../keys/hosts/staging.key;
+ };
+ services.openssh = {
+ enable = true;
+ hostKeys = lib.mkForce [
+ {
+ type = "rsa";
+ bits = 4096;
+ path = "/etc/staging.key";
+ }
+ ];
+ };
+}
diff --git a/modules/serviceTests/stub.nix b/modules/serviceTests/stub.nix
new file mode 100644
index 0000000..d4a4b78
--- /dev/null
+++ b/modules/serviceTests/stub.nix
@@ -0,0 +1,20 @@
+/**
+ Module to make writing service-specific tests easy.
+*/
+{ lib, ... }:
+let
+ inherit (lib) mkOption types;
+in
+{
+ options = {
+ serviceTests = mkOption {
+ type = types.attrsOf types.package;
+
+ description = ''
+ NixOS tests to run.
+ '';
+
+ default = { };
+ };
+ };
+}
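Review bot: `environment.etc."staging.key".source = ../../keys/hosts/staging.key` copies the SSH host private key into the Nix store, where every file is world-readable, so the `mode = "0400"` on the /etc copy protects nothing and the key has to be treated as public on every machine that evaluates this module. That is acceptable only if `keys/hosts/staging.key` is a throwaway key used solely by test VMs (presumably as the recipient key for `keys/staging.yaml`); make that explicit with a comment above `sops.defaultSopsFile`, e.g. `# Throwaway staging key: it ends up in the world-readable Nix store, so it must never be a recipient of production sops files.`. The commented-out `# imports = [ flake-inputs.sops-nix.nixosModules.sops ];` is dead code now that the nginx test host imports the sops module itself; either drop it or turn it into a comment stating that the consumer must import sops-nix and pass `flake-inputs`.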
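Review bot: The `serviceTests` option description, `NixOS tests to run.`, does not say who consumes the option; the checks hunk merges a nixosConfiguration's `config.serviceTests` into the flake's checks, so a reader of this module cannot tell whether the tests are run by hand or by `nix flake check`. Expand it to something like `NixOS VM tests registered by service modules, keyed by test name; checks/default.nix merges them into the flake's checks, so each attribute name becomes a check name.`. The header comment could likewise point at the neighbouring `mocks.nix`, which provides the host-key and sops fixtures a test host needs.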