{ shb, ... }: let oidcSecret = "oidcSecret"; commonTestScript = shb.test.mkScripts { hasSSL = { node, ... }: !(isNull node.config.shb.open-webui.ssl); waitForServices = { ... }: [ "open-webui.service" "nginx.service" ]; waitForPorts = { node, ... }: [ node.config.shb.open-webui.port ]; }; basic = { config, ... }: { imports = [ shb.test.baseModule ../../modules/blocks/hardcodedsecret.nix ../../modules/services/open-webui.nix ]; test = { subdomain = "o"; }; shb.open-webui = { enable = true; inherit (config.test) subdomain domain; }; # Speeds up tests because models can't be downloaded anyway and that leads to retries. services.open-webui.environment = { OFFLINE_MODE = "true"; BYPASS_EMBEDDING_AND_RETRIEVAL = "true"; RAG_EMBEDDING_ENGINE = "ollama"; RAG_EMBEDDING_MODEL = "dummy"; RAG_OLLAMA_BASE_URL = "http://127.0.0.1:9"; }; networking.hosts = { "127.0.0.1" = [ "${config.test.subdomain}.${config.test.domain}" ]; }; }; https = { config, ... }: { shb.open-webui = { ssl = config.shb.certs.certs.selfsigned.n; }; systemd.services.open-webui.environment = { # Needed for open-webui to be able to talk to auth server. SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; }; }; ldap = { config, ... }: { shb.open-webui = { ldap = { userGroup = "user_group"; adminGroup = "admin_group"; }; }; }; clientLoginSso = { config, ... }: { imports = [ shb.test.baseModule shb.test.clientLoginModule ]; virtualisation.memorySize = 4096; test = { subdomain = "o"; }; test.login = { startUrl = "https://${config.test.fqdn}/auth"; beforeHook = '' page.get_by_role("button", name="continue").click() ''; usernameFieldLabelRegex = "Username"; passwordFieldLabelRegex = "Password"; loginButtonNameRegex = "[sS]ign [iI]n"; testLoginWith = [ { username = "alice"; password = "NotAlicePassword"; nextPageExpect = [ "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=20000)" ]; } { username = "alice"; password = "AlicePassword"; nextPageExpect = [ "page.get_by_role('button', name=re.compile('Accept')).click()" "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).not_to_be_visible()" "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()" "expect(page).to_have_url(re.compile('https://o.example.com/$'), timeout=20000)" "assert page.evaluate(\"async () => { const r = await fetch('/api/v1/auths/'); if (!r.ok) return false; const u = await r.json(); return u.email === 'alice@example.com'; }\")" ]; } { username = "bob"; password = "NotBobPassword"; nextPageExpect = [ "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=20000)" ]; } { username = "bob"; password = "BobPassword"; nextPageExpect = [ "page.get_by_role('button', name=re.compile('Accept')).click()" "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).not_to_be_visible()" "expect(page.get_by_role('button', name=re.compile('Sign In'))).not_to_be_visible()" "expect(page).to_have_url(re.compile('https://o.example.com/$'), timeout=20000)" "assert page.evaluate(\"async () => { const r = await fetch('/api/v1/auths/'); if (!r.ok) return false; const u = await r.json(); return u.email === 'bob@example.com'; }\")" ]; } { username = "charlie"; password = "NotCharliePassword"; nextPageExpect = [ "expect(page.get_by_text(re.compile('[Ii]ncorrect'))).to_be_visible(timeout=20000)" ]; } { username = "charlie"; password = "CharliePassword"; nextPageExpect = [ "page.get_by_role('button', name=re.compile('Accept')).click()" "expect(page.get_by_text('do not have permission')).to_be_visible(timeout=20000)" ]; } ]; }; }; sso = { config, ... }: { virtualisation.memorySize = 4096; shb.open-webui = { sso = { enable = true; authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; clientID = "open-webui"; sharedSecret.result = config.shb.hardcodedsecret.oidcSecret.result; sharedSecretForAuthelia.result = config.shb.hardcodedsecret.oidcAutheliaSecret.result; }; }; shb.hardcodedsecret.oidcSecret = { request = config.shb.open-webui.sso.sharedSecret.request; settings.content = oidcSecret; }; shb.hardcodedsecret.oidcAutheliaSecret = { request = config.shb.open-webui.sso.sharedSecretForAuthelia.request; settings.content = oidcSecret; }; }; in { basic = shb.test.runNixOSTest { name = "open-webui_basic"; nodes.client = { }; nodes.server = { imports = [ basic ]; }; testScript = commonTestScript.access; }; backup = shb.test.runNixOSTest { name = "open-webui_backup"; nodes.server = { config, ... }: { imports = [ basic (shb.test.backup config.shb.open-webui.backup) ]; }; nodes.client = { }; testScript = commonTestScript.backup; }; https = shb.test.runNixOSTest { name = "open-webui_https"; nodes.client = { }; nodes.server = { imports = [ basic shb.test.certs https ]; }; testScript = commonTestScript.access; }; sso = shb.test.runNixOSTest { name = "open-webui_sso"; nodes.client = { imports = [ clientLoginSso ]; }; nodes.server = { config, pkgs, ... }: { imports = [ basic shb.test.certs https shb.test.ldap ldap (shb.test.sso config.shb.certs.certs.selfsigned.n) sso ]; }; testScript = commonTestScript.access; }; }