WIP: test: Set up service tests

fix(lock): Add missing lockfile update
2025-11-19 15:46:25 +08:00 · 2025-11-19 15:46:25 +08:00
7 changed files with 127 additions and 17 deletions
--- a/checks/default.nix
+++ b/checks/default.nix
@ -6,6 +6,8 @@ let
 in
 {
  x86_64-linux = lib.mergeAttrsList [
+    flake-inputs.self.nixosConfigurations.hetzner-1.config.serviceTests
+
    {
      nix = checkLib.mkLint {
        name = "nix-lints";
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -11,7 +11,7 @@
    flake-inputs.tlaternet-webserver.nixosModules.default

    "${modulesPath}/profiles/minimal.nix"
-    (import ../modules)
+    ../modules

    ./services/backups.nix
    ./services/battery-manager.nix
--- a/configuration/nginx/default.nix
+++ b/configuration/nginx/default.nix
@ -1,4 +1,9 @@
-{ lib, ... }:
+{
+  flake-inputs,
+  pkgs,
+  lib,
+  ...
+}:
 {
  imports = [
    ./logging.nix
@ -10,13 +15,64 @@
    description = "The base domain name to append to virtual domain names";
  };

-  config.services.nginx = {
-    enable = true;
-    recommendedTlsSettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-    clientMaxBodySize = "10G";
-    statusPage = true; # For metrics, should be accessible only from localhost
+  config = {
+    services.nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      clientMaxBodySize = "10G";
+      statusPage = true; # For metrics, should be accessible only from localhost
+    };
+
+    serviceTests =
+      let
+        testHostConfig =
+          { config, ... }:
+          {
+            _module.args = { inherit flake-inputs; };
+            imports = [
+              ./.
+              ../../modules/serviceTests/mocks.nix
+              flake-inputs.sops-nix.nixosModules.sops
+            ];
+
+            services.nginx = {
+              domain = "testHost";
+
+              virtualHosts."${config.services.nginx.domain}" = {
+                useACMEHost = "tlater.net";
+                forceSSL = true;
+                enableHSTS = true;
+                locations."/".return = "200 ok";
+              };
+            };
+          };
+      in
+      {
+        hstsIsSet = pkgs.testers.runNixOSTest {
+          name = "assert-hsts";
+          nodes = {
+            testHost = testHostConfig;
+
+            client =
+              { pkgs, ... }:
+              {
+                environment.systemPackages = [ pkgs.curl ];
+              };
+          };
+
+          testScript = ''
+            start_all()
+
+            testHost.wait_for_unit("nginx")
+            testHost.succeed("systemctl start network-online.target")
+            testHost.wait_for_unit("network-online.target")
+
+            client.succeed("curl http://testHost")
+          '';
+        };
+      };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -136,11 +136,11 @@
        "pyproject-nix": "pyproject-nix"
      },
      "locked": {
-        "lastModified": 1754978539,
-        "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=",
+        "lastModified": 1763413832,
+        "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=",
        "owner": "nix-community",
        "repo": "dream2nix",
-        "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214",
+        "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743",
        "type": "github"
      },
      "original": {
@ -356,11 +356,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1762868777,
-        "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=",
+        "lastModified": 1763319842,
+        "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "c5c3147730384576196fb5da048a6e45dee10d56",
+        "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
        "type": "github"
      },
      "original": {
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1 +1,6 @@
-{ imports = [ ./crowdsec ]; }
+{
+  imports = [
+    ./crowdsec
+    ./serviceTests/stub.nix
+  ];
+}
--- a/modules/serviceTests/mocks.nix
+++ b/modules/serviceTests/mocks.nix
@ -0,0 +1,27 @@
+/**
+  Module containing mock definitions for service test runners.
+*/
+{ lib, ... }:
+{
+  imports = [
+    ../.
+    ../../configuration/services/backups.nix
+  ];
+  # imports = [ flake-inputs.sops-nix.nixosModules.sops ];
+
+  sops.defaultSopsFile = ../../keys/staging.yaml;
+  environment.etc."staging.key" = {
+    mode = "0400";
+    source = ../../keys/hosts/staging.key;
+  };
+  services.openssh = {
+    enable = true;
+    hostKeys = lib.mkForce [
+      {
+        type = "rsa";
+        bits = 4096;
+        path = "/etc/staging.key";
+      }
+    ];
+  };
+}
--- a/modules/serviceTests/stub.nix
+++ b/modules/serviceTests/stub.nix
@ -0,0 +1,20 @@
+/**
+  Module to make writing service-specific tests easy.
+*/
+{ lib, ... }:
+let
+  inherit (lib) mkOption types;
+in
+{
+  options = {
+    serviceTests = mkOption {
+      type = types.attrsOf types.package;
+
+      description = ''
+        NixOS tests to run.
+      '';
+
+      default = { };
+    };
+  };
+}
Author	SHA1	Message	Date
Tristan Daniël Maat	30a5843fdf	WIP: test: Set up service tests	2025-11-19 15:46:25 +08:00
Tristan Daniël Maat	82e9a58bb1	fix(lock): Add missing lockfile update	2025-11-19 15:46:25 +08:00