test(nginx): Add simple tests to assert nginx features work

2025-11-13 05:20:09 +08:00 · 2025-11-13 05:20:09 +08:00 · ffe8e4acf6
commit ffe8e4acf6
parent 4e59582de2
8 changed files with 191 additions and 11 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -11,7 +11,7 @@
    flake-inputs.tlaternet-webserver.nixosModules.default

    "${modulesPath}/profiles/minimal.nix"
-    (import ../modules)
+    ../modules

    ./services/backups.nix
    ./services/battery-manager.nix
--- a/configuration/nginx/default.nix
+++ b/configuration/nginx/default.nix
@ -10,13 +10,15 @@
    description = "The base domain name to append to virtual domain names";
  };

-  config.services.nginx = {
-    enable = true;
-    recommendedTlsSettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-    clientMaxBodySize = "10G";
-    statusPage = true; # For metrics, should be accessible only from localhost
+  config = {
+    services.nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      clientMaxBodySize = "10G";
+      statusPage = true; # For metrics, should be accessible only from localhost
+    };
  };
 }
--- a/configuration/nginx/logging.nix
+++ b/configuration/nginx/logging.nix
@ -1,4 +1,10 @@
-{ config, lib, ... }:
+{
+  flake-inputs,
+  pkgs,
+  config,
+  lib,
+  ...
+}:
 let
  hostNames = lib.attrNames config.services.nginx.virtualHosts;
  logPath = name: "/var/log/nginx/${name}/access.log";
@ -80,5 +86,55 @@ in
        };
      };
    };
+
+    serviceTests =
+      let
+        testHostConfig =
+          { config, ... }:
+          {
+            imports = [
+              ./.
+              ../../modules/serviceTests/mocks.nix
+            ];
+
+            networking.firewall.allowedTCPPorts = [ 80 ];
+
+            services.nginx = {
+              domain = "testHost";
+              virtualHosts."${config.services.nginx.domain}".locations."/".return = "200 ok";
+            };
+          };
+      in
+      {
+        nginxMetricsWork = pkgs.testers.runNixOSTest {
+          name = "nginx-metrics-work";
+          node.specialArgs = { inherit flake-inputs; };
+
+          nodes = {
+            testHost = testHostConfig;
+
+            client =
+              { pkgs, ... }:
+              {
+                environment.systemPackages = [ pkgs.curl ];
+              };
+          };
+
+          testScript = ''
+            import time
+
+            start_all()
+
+            testHost.wait_for_unit("nginx.service")
+            client.succeed("curl --max-time 10 http://testHost")
+
+            # Wait a bit for the prometheus exporter to scrape our logs
+            time.sleep(5)
+
+            res = testHost.succeed("curl localhost:${builtins.toString config.services.prometheus.exporters.nginxlog.port}/metrics")
+            assert 'nginxlog_http_response_count_total{method="GET",status="200",vhost="testHost"} 1' in res, res
+          '';
+        };
+      };
  };
 }
--- a/configuration/nginx/ssl.nix
+++ b/configuration/nginx/ssl.nix
@ -1,4 +1,5 @@
 {
+  flake-inputs,
  pkgs,
  config,
  lib,
@ -69,5 +70,72 @@
      "porkbun/api-key".owner = "acme";
      "porkbun/secret-api-key".owner = "acme";
    };
+
+    serviceTests =
+      let
+        testHostConfig =
+          { config, ... }:
+          {
+            imports = [
+              ./.
+              ../../modules/serviceTests/mocks.nix
+            ];
+
+            networking.firewall.allowedTCPPorts = [
+              80
+              443
+            ];
+
+            security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ];
+
+            services.nginx = {
+              domain = "testHost";
+
+              virtualHosts."${config.services.nginx.domain}" = {
+                useACMEHost = "tlater.net";
+                forceSSL = true;
+                enableHSTS = true;
+                locations."/".return = "200 ok";
+              };
+            };
+          };
+      in
+      {
+        hstsIsSet = pkgs.testers.runNixOSTest {
+          name = "hsts-is-set";
+
+          node.specialArgs = { inherit flake-inputs; };
+          nodes = {
+            testHost = testHostConfig;
+
+            client =
+              { pkgs, ... }:
+              {
+                environment.systemPackages = [ pkgs.curl ];
+              };
+          };
+
+          testScript = ''
+            start_all()
+
+            testHost.wait_for_unit("nginx.service")
+            testHost.copy_from_vm("/var/lib/acme/tlater.net/", "certs")
+            client.copy_from_host(f"{testHost.out_dir}/certs", "/certs")
+
+            client.succeed("curl --max-time 10 http://testHost")
+            res = client.succeed(" ".join([
+                "curl",
+                "--show-error",
+                "--silent",
+                "--dump-header -",
+                "--cacert /certs/tlater.net/fullchain.pem",
+                "https://testHost",
+                "-o /dev/null"
+            ]))
+
+            assert "strict-transport-security: max-age=15552000; includeSubDomains" in res
+          '';
+        };
+      };
  };
 }