WIP: test: Set up service tests

configuration/nginx/default.nix

@@ -1,9 +1,4 @@
-{
+{ lib, ... }:
-  flake-inputs,
-  pkgs,
-  lib,
-  ...
-}:
 {
   imports = [
     ./logging.nix
@@ -15,64 +10,13 @@
     description = "The base domain name to append to virtual domain names";
   };
 
-  config = {
+  config.services.nginx = {
-    services.nginx = {
+    enable = true;
-      enable = true;
+    recommendedTlsSettings = true;
-      recommendedTlsSettings = true;
+    recommendedOptimisation = true;
-      recommendedOptimisation = true;
+    recommendedGzipSettings = true;
-      recommendedGzipSettings = true;
+    recommendedProxySettings = true;
-      recommendedProxySettings = true;
+    clientMaxBodySize = "10G";
-      clientMaxBodySize = "10G";
+    statusPage = true; # For metrics, should be accessible only from localhost
-      statusPage = true; # For metrics, should be accessible only from localhost
-    };
-
-    serviceTests =
-      let
-        testHostConfig =
-          { config, ... }:
-          {
-            _module.args = { inherit flake-inputs; };
-            imports = [
-              ./.
-              ../../modules/serviceTests/mocks.nix
-              flake-inputs.sops-nix.nixosModules.sops
-            ];
-
-            services.nginx = {
-              domain = "testHost";
-
-              virtualHosts."${config.services.nginx.domain}" = {
-                useACMEHost = "tlater.net";
-                forceSSL = true;
-                enableHSTS = true;
-                locations."/".return = "200 ok";
-              };
-            };
-          };
-      in
-      {
-        hstsIsSet = pkgs.testers.runNixOSTest {
-          name = "assert-hsts";
-          nodes = {
-            testHost = testHostConfig;
-
-            client =
-              { pkgs, ... }:
-              {
-                environment.systemPackages = [ pkgs.curl ];
-              };
-          };
-
-          testScript = ''
-            start_all()
-
-            testHost.wait_for_unit("nginx")
-            testHost.succeed("systemctl start network-online.target")
-            testHost.wait_for_unit("network-online.target")
-
-            client.succeed("curl http://testHost")
-          '';
-        };
-      };
   };
 }

configuration/nginx/ssl.nix

@@ -64,10 +64,5 @@
         in
         ''${pkgs.runtimeShell} -c '${confirm}' '';
     };
-
-    sops.secrets = {
-      "porkbun/api-key".owner = "acme";
-      "porkbun/secret-api-key".owner = "acme";
-    };
   };
 }

configuration/services/backups.nix

@@ -265,18 +265,5 @@ in
       };
       groups.backup = { };
     };
-
-    sops.secrets = {
-      "restic/storagebox-backups" = {
-        owner = "root";
-        group = "backup";
-        mode = "0440";
-      };
-      "restic/storagebox-ssh-key" = {
-        owner = "backup";
-        group = "backup";
-        mode = "0040";
-      };
-    };
   };
 }

configuration/sops.nix

@@ -38,12 +38,30 @@
         group = "nextcloud";
       };
 
+      # Porkbub/ACME
+      "porkbun/api-key" = {
+        owner = "acme";
+      };
+      "porkbun/secret-api-key" = {
+        owner = "acme";
+      };
+
       # Restic
       "restic/local-backups" = {
         owner = "root";
         group = "backup";
         mode = "0440";
       };
+      "restic/storagebox-backups" = {
+        owner = "root";
+        group = "backup";
+        mode = "0440";
+      };
+      "restic/storagebox-ssh-key" = {
+        owner = "backup";
+        group = "backup";
+        mode = "0040";
+      };
 
       # Steam
       "steam/tlater" = { };

flake.lock

@@ -136,11 +136,11 @@
         "pyproject-nix": "pyproject-nix"
       },
       "locked": {
-        "lastModified": 1763413832,
+        "lastModified": 1754978539,
-        "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=",
+        "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=",
         "owner": "nix-community",
         "repo": "dream2nix",
-        "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743",
+        "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214",
         "type": "github"
       },
       "original": {
@@ -356,11 +356,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763319842,
+        "lastModified": 1762868777,
-        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
+        "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
+        "rev": "c5c3147730384576196fb5da048a6e45dee10d56",
         "type": "github"
       },
       "original": {

modules/default.nix

@@ -1,6 +1,6 @@
 {
   imports = [
     ./crowdsec
-    ./serviceTests/stub.nix
+    ./serviceTests.nix
   ];
 }

modules/serviceTests/mocks.nix

@@ -1,27 +0,0 @@
-/**
-  Module containing mock definitions for service test runners.
-*/
-{ lib, ... }:
-{
-  imports = [
-    ../.
-    ../../configuration/services/backups.nix
-  ];
-  # imports = [ flake-inputs.sops-nix.nixosModules.sops ];
-
-  sops.defaultSopsFile = ../../keys/staging.yaml;
-  environment.etc."staging.key" = {
-    mode = "0400";
-    source = ../../keys/hosts/staging.key;
-  };
-  services.openssh = {
-    enable = true;
-    hostKeys = lib.mkForce [
-      {
-        type = "rsa";
-        bits = 4096;
-        path = "/etc/staging.key";
-      }
-    ];
-  };
-}