From 1b06a1842c10ab98217233f1226b657e369974af Mon Sep 17 00:00:00 2001
From: Olivia Lee
Date: Sun, 6 Apr 2025 21:41:51 -0700
Subject: [PATCH 1/2] add nixos module test

This is very basic for now, just ensures that the grapevine systemd unit is able to start. Config validation plus the federation self-test should hopefully still be able to catch some issues this way.
---
 flake.nix | 4 +++
 nix/tests/default.nix | 66 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 nix/tests/default.nix

diff --git a/flake.nix b/flake.nix
index f390239a..4b8702e7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,6 +128,10 @@
 devShells.all-features = ((mkScope pkgs).overrideDefaultPackage {
 all-features = true;
 }).shell;
+
+ checks.nixosModule = pkgs.testers.runNixOSTest {
+ imports = [ (import ./nix/tests/default.nix inputs) ];
+ };
 }
 )
 //
diff --git a/nix/tests/default.nix b/nix/tests/default.nix
new file mode 100644
index 00000000..5e5242c7
--- /dev/null
+++ b/nix/tests/default.nix
@@ -0,0 +1,66 @@
+inputs:
+
+{
+ name = "grapevine";
+
+ nodes.machine = { pkgs, lib, ... }: let
+ certs =
+ import "${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix";
+ domain = certs.domain;
+ in {
+ imports = [ inputs.self.nixosModules.default ];
+
+ security.pki.certificateFiles = [ certs.ca.cert ];
+
+ services.grapevine = {
+ enable = true;
+
+ settings = {
+ server_name = domain;
+ server_discovery = {
+ server.authority = "${domain}:443";
+ client.base_url = "https://${domain}:443";
+ };
+
+ federation.self_test = false;
+
+ # Enable debug logs, for easier debugging test issues
+ observability.logs.filter = "debug,ruma_state_res=warn";
+
+ tls = {
+ certs = certs.${domain}.cert;
+ key = certs.${domain}.key;
+ };
+
+ listen = [
+ {
+ type = "tcp";
+ address = "127.0.0.1";
+ port = 443;
+ tls = true;
+ }
+ ];
+ };
+ };
+
+ systemd.services.grapevine.serviceConfig = {
+ # To allow binding port 443, which is needed to serve .well-known without
+ # a reverse proxy.
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+
+ # TODO: we probably don't want to do this, but capabilities don't work
+ # otherwise
+ PrivateUsers = lib.mkForce false;
+ };
+
+ networking.extraHosts = ''
+ 127.0.0.1 ${certs.domain}
+ '';
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("grapevine.service")
+ '';
+}

From 25c3c9effa968321eb9a40b2a7e78163f6a85213 Mon Sep 17 00:00:00 2001
From: Olivia Lee
Date: Sun, 27 Apr 2025 15:48:04 -0700
Subject: [PATCH 2/2] run nix tests in CI

TODO: this is probably going to use non-KVM qemu to run the test VM. Measure how long it takes, that might be too slow for us to put up with.
---
 engage.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/engage.toml b/engage.toml
index 94c2bd5e..eb88dca7 100644
--- a/engage.toml
+++ b/engage.toml
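Review bot: `federation.self_test = false;` in the settings block contradicts the commit message, which counts on the federation self-test to catch issues; as written the script only proves the unit reached the active state. The CA trust (`security.pki.certificateFiles`), the `networking.extraHosts` entry and the TLS listener on 443 look like exactly the pieces a self-test against the machine's own server would need, so either enable it (`federation.self_test = true;`) — if a failed self-test makes the unit exit non-zero, `wait_for_unit` would then catch it; confirm — or drop the claim from the message. Separately, `PrivateUsers = lib.mkForce false;` means the VM runs a less-hardened unit than the module installs, so a sandboxing regression in the shipped unit would never surface in this test; spell that out next to the TODO, e.g. `# NOTE: this test does not exercise the module's default sandboxing`, or bind a high port and point server_discovery at it so neither the capability grant nor the override is needed. The script could also assert the listener actually came up with `machine.wait_for_open_port(443)` after `wait_for_unit`.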
@@ -129,3 +129,8 @@ env DIRENV_DEVSHELL=all-features \
 -- \
 --color=always
 """
+
+[[task]]
+name = "nix"
+group = "tests"
+script = "nix flake check -L"