Merge branch 'olivia/nixos-test' into 'main'

Draft: add nixos module test Closes #105 See merge request matrix/grapevine!184
2025-12-16 23:31:24 +01:00 · 2025-07-20 18:32:54 -07:00 · 2025-07-20 18:32:54 -07:00 · 3bfcd44bf7
commit 3bfcd44bf7
parent 55a01e7113 25c3c9effa
3 changed files with 75 additions and 0 deletions
--- a/engage.toml
+++ b/engage.toml
@ -129,3 +129,8 @@ env DIRENV_DEVSHELL=all-features \
        -- \
        --color=always
 """
+
+[[task]]
+name = "nix"
+group = "tests"
+script = "nix flake check -L"
--- a/flake.nix
+++ b/flake.nix
@ -128,6 +128,10 @@
        devShells.all-features = ((mkScope pkgs).overrideDefaultPackage {
          all-features = true;
        }).shell;
+
+        checks.nixosModule = pkgs.testers.runNixOSTest {
+          imports = [ (import ./nix/tests/default.nix inputs) ];
+        };
      }
    )
    //
--- a/nix/tests/default.nix
+++ b/nix/tests/default.nix
@ -0,0 +1,66 @@
+inputs:
+
+{
+  name = "grapevine";
+
+  nodes.machine = { pkgs, lib, ... }:  let
+    certs = 
+      import "${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix";
+    domain = certs.domain;
+  in {
+    imports = [ inputs.self.nixosModules.default ];
+
+    security.pki.certificateFiles = [ certs.ca.cert ];
+
+    services.grapevine = {
+      enable = true;
+
+      settings = {
+        server_name = domain;
+        server_discovery = {
+          server.authority = "${domain}:443";
+          client.base_url = "https://${domain}:443";
+        };
+
+        federation.self_test = false;
+
+        # Enable debug logs, for easier debugging test issues
+        observability.logs.filter = "debug,ruma_state_res=warn";
+
+        tls = {
+          certs = certs.${domain}.cert;
+          key = certs.${domain}.key;
+        };
+
+        listen = [
+          {
+            type = "tcp";
+            address = "127.0.0.1";
+            port = 443;
+            tls = true;
+          }
+        ];
+      };
+    };
+
+    systemd.services.grapevine.serviceConfig = {
+      # To allow binding port 443, which is needed to serve .well-known without
+      # a reverse proxy.
+      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+      # TODO: we probably don't want to do this, but capabilities don't work
+      # otherwise
+      PrivateUsers = lib.mkForce false;
+    };
+
+    networking.extraHosts = ''
+      127.0.0.1 ${certs.domain}
+    '';
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("grapevine.service")
+  '';
+}