diff --git a/flake.nix b/flake.nix
index f390239a..4b8702e7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,6 +128,10 @@
       devShells.all-features = ((mkScope pkgs).overrideDefaultPackage {
         all-features = true;
       }).shell;
+
+      checks.nixosModule = pkgs.testers.runNixOSTest {
+        imports = [ (import ./nix/tests/default.nix inputs) ];
+      };
     }
   )
   //
diff --git a/nix/tests/default.nix b/nix/tests/default.nix
new file mode 100644
index 00000000..5e5242c7
--- /dev/null
+++ b/nix/tests/default.nix
@@ -0,0 +1,66 @@
+inputs:
+
+{
+  name = "grapevine";
+
+  nodes.machine = { pkgs, lib, ... }: let
+    certs =
+      import "${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix";
+    domain = certs.domain;
+  in {
+    imports = [ inputs.self.nixosModules.default ];
+
+    security.pki.certificateFiles = [ certs.ca.cert ];
+
+    services.grapevine = {
+      enable = true;
+
+      settings = {
+        server_name = domain;
+        server_discovery = {
+          server.authority = "${domain}:443";
+          client.base_url = "https://${domain}:443";
+        };
+
+        federation.self_test = false;
+
+        # Enable debug logs, for easier debugging test issues
+        observability.logs.filter = "debug,ruma_state_res=warn";
+
+        tls = {
+          certs = certs.${domain}.cert;
+          key = certs.${domain}.key;
+        };
+
+        listen = [
+          {
+            type = "tcp";
+            address = "127.0.0.1";
+            port = 443;
+            tls = true;
+          }
+        ];
+      };
+    };
+
+    systemd.services.grapevine.serviceConfig = {
+      # To allow binding port 443, which is needed to serve .well-known without
+      # a reverse proxy.
+      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+      # TODO: we probably don't want to do this, but capabilities don't work
+      # otherwise
+      PrivateUsers = lib.mkForce false;
+    };
+
+    networking.extraHosts = ''
+      127.0.0.1 ${certs.domain}
+    '';
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("grapevine.service")
+  '';
+}
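Review bot: The testScript at the end of nix/tests/default.nix only waits for grapevine.service to become active, so the check passes even if the TLS listener on 127.0.0.1:443 never comes up or the certificate/CA wiring is wrong; it should at least add `machine.wait_for_open_port(443)` after the wait_for_unit line, and ideally a `machine.succeed("curl --fail https://${domain}/.well-known/matrix/server")` (with `pkgs.curl` added to the machine's systemPackages) so the snakeoil CA trust and the server_discovery settings are actually exercised. The serviceConfig override also turns off PrivateUsers for the whole unit just to get CAP_NET_BIND_SERVICE honoured, which leaves the test running the service with less sandboxing than the module ships by default; if the only need is binding port 443 on the test VM, setting `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 443;` on the machine would let the capability grants and the PrivateUsers override be dropped entirely. If that is done, the TODO comment on PrivateUsers can go with it; otherwise the comment should say explicitly that this weakening is test-only and must not be copied into production module defaults.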