refactor domain and subdomain vars in tests

This commit is contained in:
ibizaman 2025-01-23 20:29:34 +01:00 committed by Pierre Penninckx
parent 441907b134
commit 072979fce2
12 changed files with 188 additions and 180 deletions

View file

@ -1,5 +1,8 @@
{ pkgs, lib }:
let
inherit (lib) mkOption;
inherit (lib.types) str;
baseImports = {
imports = [
(pkgs.path + "/nixos/modules/profiles/headless.nix")
@ -8,9 +11,7 @@ let
};
accessScript = lib.makeOverridable ({
subdomain
, domain
, hasSSL
hasSSL
, waitForServices ? s: []
, waitForPorts ? p: []
, waitForUnixSocket ? u: []
@ -18,13 +19,15 @@ let
, redirectSSO ? false
}: { nodes, ... }:
let
fqdn = "${subdomain}.${domain}";
cfg = nodes.server.test;
fqdn = "${cfg.subdomain}.${cfg.domain}";
proto_fqdn = if hasSSL args then "https://${fqdn}" else "http://${fqdn}";
args = {
node.name = "server";
node.config = nodes.server;
inherit proto_fqdn;
inherit fqdn proto_fqdn;
};
in
''
@ -36,7 +39,7 @@ let
''
+ lib.strings.concatMapStrings (s: ''server.wait_for_unit("${s}")'' + "\n") (
waitForServices args
++ (lib.optionals redirectSSO [ "authelia-auth.${domain}.service" ])
++ (lib.optionals redirectSSO [ "authelia-auth.${cfg.domain}.service" ])
)
+ lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
waitForPorts args
@ -57,7 +60,7 @@ let
+ " --connect-to ${fqdn}:443:server:443"
+ " --connect-to ${fqdn}:80:server:80"
# Client must be able to resolve talking to auth server
+ " --connect-to auth.${domain}:443:server:443"
+ " --connect-to auth.${cfg.domain}:443:server:443"
+ (f" --data '{data}'" if data != "" else "")
+ (f" --silent --output /dev/null --write-out '{format}'" if format != "" else "")
+ (f" {extra}" if extra != "" else "")
@ -83,8 +86,8 @@ let
if response['code'] != 200:
raise Exception(f"Code is {response['code']}")
if response['auth_host'] != "auth.${domain}":
raise Exception(f"auth host should be auth.${domain} but is {response['auth_host']}")
if response['auth_host'] != "auth.${cfg.domain}":
raise Exception(f"auth host should be auth.${cfg.domain} but is {response['auth_host']}")
if response['auth_query'] != "rd=${proto_fqdn}/":
raise Exception(f"auth query should be rd=${proto_fqdn}/ but is {response['auth_query']}")
''
@ -114,18 +117,32 @@ in
backup = backupScript args;
};
baseModule = {
imports =
[
baseImports
../modules/blocks/postgresql.nix
../modules/blocks/authelia.nix
../modules/blocks/nginx.nix
../modules/blocks/hardcodedsecret.nix
];
# HTTP(s) server port.
networking.firewall.allowedTCPPorts = [ 80 443 ];
baseModule = { config, ... }: {
options.test = {
domain = mkOption {
type = str;
default = "example.com";
};
subdomain = mkOption {
type = str;
};
fqdn = mkOption {
type = str;
readOnly = true;
default = "${config.test.subdomain}.${config.test.domain}";
};
};
imports = [
baseImports
../modules/blocks/postgresql.nix
../modules/blocks/authelia.nix
../modules/blocks/nginx.nix
../modules/blocks/hardcodedsecret.nix
];
config = {
# HTTP(s) server port.
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
};
backup = backupOption: { config, ... }: {
@ -152,7 +169,7 @@ in
};
};
certs = domain: { config, ... }: {
certs = { config, ... }: {
imports = [
../modules/blocks/ssl.nix
];
@ -164,7 +181,7 @@ in
certs.selfsigned = {
n = {
ca = config.shb.certs.cas.selfsigned.myca;
domain = "*.${domain}";
domain = "*.${config.test.domain}";
group = "nginx";
};
};
@ -174,13 +191,13 @@ in
systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];
};
ldap = domain: pkgs: { config, ... }: {
ldap = pkgs: { config, ... }: {
imports = [
../modules/blocks/ldap.nix
];
networking.hosts = {
"127.0.0.1" = [ "ldap.${domain}" ];
"127.0.0.1" = [ "ldap.${config.test.domain}" ];
};
shb.hardcodedsecret.ldapUserPassword = {
@ -194,7 +211,7 @@ in
shb.ldap = {
enable = true;
inherit domain;
inherit (config.test) domain;
subdomain = "ldap";
ldapPort = 3890;
webUIListenPort = 17170;
@ -204,18 +221,18 @@ in
};
};
sso = domain: pkgs: ssl: { config, ... }: {
sso = pkgs: ssl: { config, ... }: {
imports = [
../modules/blocks/authelia.nix
];
networking.hosts = {
"127.0.0.1" = [ "auth.${domain}" ];
"127.0.0.1" = [ "auth.${config.test.domain}" ];
};
shb.authelia = {
enable = true;
inherit domain;
inherit (config.test) domain;
subdomain = "auth";
ssl = config.shb.certs.certs.selfsigned.n;

View file

@ -2,59 +2,56 @@
let
pkgs' = pkgs;
domain = "example.com";
healthUrl = "/health";
loginUrl = "/UI/Login";
testLib = pkgs.callPackage ../common.nix {};
# TODO: Test login
commonTestScript = appname: cfgPathFn:
let
commonTestScript = appname: cfgPathFn: testLib.mkScripts {
hasSSL = { node, ... }: !(isNull node.config.shb.arr.${appname}.ssl);
waitForServices = { ... }: [
"${appname}.service"
"nginx.service"
];
waitForPorts = { node, ... }: [
node.config.shb.arr.${appname}.settings.Port
];
extraScript = { node, fqdn, proto_fqdn, ... }: let
shbapp = node.config.shb.arr.${appname};
cfgPath = cfgPathFn shbapp;
apiKey = if (shbapp.settings ? ApiKey) then "01234567890123456789" else null;
in ''
# These curl requests still return a 200 even with sso redirect.
with subtest("health"):
response = curl(client, """{"code":%{response_code}}""", "${fqdn}${healthUrl}")
print("response =", response)
if response['code'] != 200:
raise Exception(f"Code is {response['code']}")
with subtest("login"):
response = curl(client, """{"code":%{response_code}}""", "${fqdn}${loginUrl}")
if response['code'] != 200:
raise Exception(f"Code is {response['code']}")
'' + lib.optionalString (apiKey != null) ''
with subtest("apikey"):
config = server.succeed("cat ${cfgPath}")
if "${apiKey}" not in config:
raise Exception(f"Unexpected API Key. Want '${apiKey}', got '{config}'")
'';
};
basic = appname: { config, ... }: {
test = {
subdomain = appname;
fqdn = "${subdomain}.${domain}";
in testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.arr.${appname}.ssl);
waitForServices = { ... }: [
"${appname}.service"
"nginx.service"
];
waitForPorts = { node, ... }: [
node.config.shb.arr.${appname}.settings.Port
];
extraScript = { node, proto_fqdn, ... }: let
shbapp = node.config.shb.arr.${appname};
cfgPath = cfgPathFn shbapp;
apiKey = if (shbapp.settings ? ApiKey) then "01234567890123456789" else null;
in ''
# These curl requests still return a 200 even with sso redirect.
with subtest("health"):
response = curl(client, """{"code":%{response_code}}""", "${fqdn}${healthUrl}")
print("response =", response)
if response['code'] != 200:
raise Exception(f"Code is {response['code']}")
with subtest("login"):
response = curl(client, """{"code":%{response_code}}""", "${fqdn}${loginUrl}")
if response['code'] != 200:
raise Exception(f"Code is {response['code']}")
'' + lib.optionalString (apiKey != null) ''
with subtest("apikey"):
config = server.succeed("cat ${cfgPath}")
if "${apiKey}" not in config:
raise Exception(f"Unexpected API Key. Want '${apiKey}', got '{config}'")
'';
};
basic = appname: { ... }: {
shb.arr.${appname} = {
enable = true;
inherit domain;
subdomain = appname;
inherit (config.test) subdomain domain;
settings.ApiKey.source = pkgs.writeText "APIKey" "01234567890123456789"; # Needs to be >=20 characters.
};
@ -106,7 +103,7 @@ let
imports = [
testLib.baseModule
../../modules/services/arr.nix
(testLib.certs domain)
testLib.certs
(basic appname)
(https appname)
];
@ -130,11 +127,11 @@ let
imports = [
testLib.baseModule
../../modules/services/arr.nix
(testLib.certs domain)
testLib.certs
(basic appname)
(https appname)
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
(sso appname)
];
};

View file

@ -1,15 +1,10 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
let
pkgs' = pkgs;
testLib = pkgs.callPackage ../common.nix {};
subdomain = "a";
domain = "example.com";
fqdn = "${subdomain}.${domain}";
commonTestScript = testLib.accessScript {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.audiobookshelf.ssl);
waitForServices = { ... }: [
"audiobookshelf.service"
@ -23,10 +18,13 @@ let
# '';
};
basic = {
basic = { config, ... }: {
test = {
subdomain = "a";
};
shb.audiobookshelf = {
enable = true;
inherit subdomain domain;
inherit (config.test) subdomain domain;
};
};
@ -72,7 +70,7 @@ in
imports = [
testLib.baseModule
../../modules/services/audiobookshelf.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -90,11 +88,11 @@ in
imports = [
testLib.baseModule
../../modules/services/audiobookshelf.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,14 +1,10 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
let
pkgs' = pkgs;
subdomain = "d";
domain = "example.com";
testLib = pkgs.callPackage ../common.nix {};
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.deluge.ssl);
waitForServices = { ... }: [
"nginx.service"
@ -74,9 +70,13 @@ let
'';
basic = { config, ... }: {
test = {
subdomain = "d";
};
shb.deluge = {
enable = true;
inherit domain subdomain;
inherit (config.test) domain subdomain;
settings = {
downloadLocation = "/var/lib/deluge";
@ -160,7 +160,7 @@ in
testLib.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/deluge.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -179,11 +179,11 @@ in
testLib.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/deluge.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};
@ -203,7 +203,7 @@ in
testLib.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/deluge.nix
(testLib.certs domain)
testLib.certs
basic
https
prometheus

View file

@ -4,13 +4,9 @@ let
testLib = pkgs.callPackage ../common.nix {};
subdomain = "f";
domain = "example.com";
adminPassword = "AdminPassword";
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.forgejo.ssl);
waitForServices = { ... }: [
"forgejo.service"
@ -26,9 +22,13 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "f";
};
shb.forgejo = {
enable = true;
inherit domain subdomain;
inherit (config.test) subdomain domain;
adminPassword.result = config.shb.hardcodedsecret.forgejoAdminPassword.result;
databasePassword.result = config.shb.hardcodedsecret.forgejoDatabasePassword.result;
@ -36,7 +36,7 @@ let
# Needed for gitea-runner-local to be able to ping forgejo.
networking.hosts = {
"127.0.0.1" = [ "${subdomain}.${domain}" ];
"127.0.0.1" = [ "${config.test.subdomain}.${config.test.domain}" ];
};
shb.hardcodedsecret.forgejoAdminPassword = {
@ -135,7 +135,7 @@ in
imports = [
testLib.baseModule
../../modules/services/forgejo.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -154,7 +154,7 @@ in
testLib.baseModule
../../modules/services/forgejo.nix
basic
(testLib.ldap domain pkgs')
(testLib.ldap pkgs')
ldap
];
};
@ -171,11 +171,11 @@ in
imports = [
testLib.baseModule
../../modules/services/forgejo.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,15 +1,8 @@
{ pkgs, lib, ... }:
let
pkgs' = pkgs;
testLib = pkgs.callPackage ../common.nix {};
subdomain = "g";
domain = "example.com";
fqdn = "${subdomain}.${domain}";
commonTestScript = lib.makeOverridable testLib.accessScript {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.grocy.ssl);
waitForServices = { ... }: [
"phpfpm-grocy.service"
@ -24,9 +17,13 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "g";
};
shb.grocy = {
enable = true;
inherit domain subdomain;
inherit (config.test) subdomain domain;
};
};
@ -60,7 +57,7 @@ in
imports = [
testLib.baseModule
../../modules/services/grocy.nix
(testLib.certs domain)
testLib.certs
basic
https
];

View file

@ -4,13 +4,9 @@ let
testLib = pkgs.callPackage ../common.nix {};
subdomain = "h";
domain = "example.com";
adminPassword = "AdminPassword";
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.hledger.ssl);
waitForServices = { ... }: [
"hledger-web.service"
@ -19,9 +15,13 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "h";
};
shb.hledger = {
enable = true;
inherit domain subdomain;
inherit (config.test) subdomain domain;
};
};
@ -78,7 +78,7 @@ in
imports = [
testLib.baseModule
../../modules/services/hledger.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -96,11 +96,11 @@ in
imports = [
testLib.baseModule
../../modules/services/hledger.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -1,14 +1,10 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
let
pkgs' = pkgs;
testLib = pkgs.callPackage ../common.nix {};
subdomain = "ha";
domain = "example.com";
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.home-assistant.ssl);
waitForServices = { ... }: [
"home-assistant.service"
@ -20,9 +16,13 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "ha";
};
shb.home-assistant = {
enable = true;
inherit subdomain domain;
inherit (config.test) subdomain domain;
config = {
name = "Tiserbox";
@ -146,7 +146,7 @@ in
imports = [
testLib.baseModule
../../modules/services/home-assistant.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -165,7 +165,7 @@ in
testLib.baseModule
../../modules/services/home-assistant.nix
basic
(testLib.ldap domain pkgs')
(testLib.ldap pkgs')
ldap
];
};

View file

@ -4,11 +4,7 @@ let
testLib = pkgs.callPackage ../common.nix {};
subdomain = "j";
domain = "example.com";
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.jellyfin.ssl);
waitForServices = { ... }: [
"jellyfin.service"
@ -19,10 +15,14 @@ let
];
};
basic = {
basic = { config, ... }: {
test = {
subdomain = "v";
};
shb.jellyfin = {
enable = true;
inherit domain subdomain;
inherit (config.test) subdomain domain;
};
};
@ -111,7 +111,7 @@ in
imports = [
testLib.baseModule
../../modules/services/jellyfin.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -130,7 +130,7 @@ in
testLib.baseModule
../../modules/services/jellyfin.nix
basic
(testLib.ldap domain pkgs')
(testLib.ldap pkgs')
ldap
];
};
@ -147,11 +147,11 @@ in
imports = [
testLib.baseModule
../../modules/services/jellyfin.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -4,13 +4,9 @@ let
testLib = pkgs.callPackage ../common.nix {};
subdomain = "grafana";
domain = "example.com";
password = "securepw";
commonTestScript = testLib.accessScript {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.monitoring.ssl);
waitForServices = { ... }: [
"grafana.service"
@ -21,9 +17,13 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "g";
};
shb.monitoring = {
enable = true;
inherit subdomain domain;
inherit (config.test) subdomain domain;
grafanaPort = 3000;
adminPassword.result = config.shb.hardcodedsecret."admin_password".result;
@ -70,7 +70,7 @@ in
imports = [
testLib.baseModule
../../modules/blocks/monitoring.nix
(testLib.certs domain)
testLib.certs
basic
https
];

View file

@ -5,14 +5,9 @@ let
adminPass = "rootpw";
oidcSecret = "oidcSecret";
subdomain = "n";
domain = "example.com";
fqdn = "${subdomain}.${domain}";
testLib = pkgs.callPackage ../common.nix {};
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.nextcloud.ssl);
waitForServices = { ... }: [
"phpfpm-nextcloud.service"
@ -21,7 +16,7 @@ let
waitForUnixSocket = { node, ... }: [
node.config.services.phpfpm.pools.nextcloud.socket
];
extraScript = { node, proto_fqdn, ... }: ''
extraScript = { node, fqdn, proto_fqdn, ... }: ''
import time
def find_in_logs(unit, text):
@ -116,16 +111,20 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "n";
};
shb.nextcloud = {
enable = true;
inherit domain subdomain;
inherit (config.test) subdomain domain;
dataDir = "/var/lib/nextcloud";
tracing = null;
defaultPhoneRegion = "US";
# This option is only needed because we do not access Nextcloud at the default port in the VM.
externalFqdn = "${fqdn}:8080";
externalFqdn = "${config.test.fqdn}:8080";
adminUser = adminUser;
adminPass.result = config.shb.hardcodedsecret.adminPass.result;
@ -273,7 +272,7 @@ in
imports = [
testLib.baseModule
../../modules/services/nextcloud-server.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -292,7 +291,7 @@ in
imports = [
testLib.baseModule
../../modules/services/nextcloud-server.nix
(testLib.certs domain)
testLib.certs
basic
https
previewgenerator
@ -311,7 +310,7 @@ in
imports = [
testLib.baseModule
../../modules/services/nextcloud-server.nix
(testLib.certs domain)
testLib.certs
basic
https
externalstorage
@ -330,10 +329,10 @@ in
imports = [
testLib.baseModule
../../modules/services/nextcloud-server.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.ldap pkgs')
ldap
];
};
@ -350,12 +349,12 @@ in
imports = [
testLib.baseModule
../../modules/services/nextcloud-server.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.ldap pkgs')
ldap
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};

View file

@ -4,11 +4,7 @@ let
testLib = pkgs.callPackage ../common.nix {};
subdomain = "v";
domain = "example.com";
commonTestScript = testLib.mkScripts {
inherit subdomain domain;
hasSSL = { node, ... }: !(isNull node.config.shb.vaultwarden.ssl);
waitForServices = { ... }: [
"vaultwarden.service"
@ -51,10 +47,14 @@ let
};
basic = { config, ... }: {
test = {
subdomain = "v";
};
shb.nginx.accessLog = true;
shb.vaultwarden = {
enable = true;
inherit subdomain domain;
inherit (config.test) subdomain domain;
port = 8222;
databasePassword.result = config.shb.hardcodedsecret.passphrase.result;
@ -115,7 +115,7 @@ in
testLib.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/vaultwarden.nix
(testLib.certs domain)
testLib.certs
basic
https
];
@ -152,11 +152,11 @@ in
testLib.baseModule
../../modules/blocks/hardcodedsecret.nix
../../modules/services/vaultwarden.nix
(testLib.certs domain)
testLib.certs
basic
https
(testLib.ldap domain pkgs')
(testLib.sso domain pkgs' config.shb.certs.certs.selfsigned.n)
(testLib.ldap pkgs')
(testLib.sso pkgs' config.shb.certs.certs.selfsigned.n)
sso
];
};
@ -169,14 +169,14 @@ in
5432
9091
];
extraScript = { proto_fqdn, ... }: ''
extraScript = { node, proto_fqdn, ... }: ''
with subtest("unauthenticated access is not granted to /admin"):
response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}/admin")
if response['code'] != 200:
raise Exception(f"Code is {response['code']}")
if response['auth_host'] != "auth.${domain}":
raise Exception(f"auth host should be auth.${domain} but is {response['auth_host']}")
if response['auth_host'] != "auth.${node.config.test.domain}":
raise Exception(f"auth host should be auth.${node.config.test.domain} but is {response['auth_host']}")
if response['auth_query'] != "rd=${proto_fqdn}/admin":
raise Exception(f"auth query should be rd=${proto_fqdn}/admin but is {response['auth_query']}")
'';