1# Tests downloading a signed update artifact from a server to a target machine.
2# This test does not rely on the `systemd.timer` units provided by the
3# `systemd-sysupdate` module but triggers the `systemd-sysupdate` service
4# manually to make the test more robust.
5
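{ lib, pkgs, ... }:

let
  # Test-only GPG keyring shared by both nodes: the server signs SHA256SUMS
  # with it, the target is given its public half (see import-pubring.gpg
  # below) so the download can be verified.
  gpgKeyring = import ./common/gpg-keyring.nix { inherit pkgs; };
in
{
  name = "systemd-sysupdate";

  meta.maintainers = with lib.maintainers; [ nikstur ];

  nodes = {
    # Plain-HTTP origin serving one artifact plus a detached-signed SHA256SUMS.
    # The transport is deliberately unauthenticated: integrity of what lands
    # in /boot must come from the signature check on the target, not from TLS.
    server = { pkgs, ... }: {
      networking.firewall.enable = false;
      services.nginx = {
        enable = true;
        virtualHosts."server" = {
          # The served tree is built once in the Nix store. gpg only runs at
          # build time, so it belongs in nativeBuildInputs; buildInputs would
          # pull in the target-platform gnupg under cross-compilation.
          root = pkgs.runCommand "sysupdate-artifacts" { nativeBuildInputs = [ pkgs.gnupg ]; } ''
            mkdir -p $out
            cd $out

            echo "nixos" > nixos_1.efi
            sha256sum nixos_1.efi > SHA256SUMS

            # Work on a private, writable copy of the keyring: the store
            # path is read-only and gpg wants a home directory it can write to.
            export GNUPGHOME="$(mktemp -d)"
            cp -R ${gpgKeyring}/* $GNUPGHOME

            gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
          '';
        };
      };
    };

    target = {
      systemd.sysupdate = {
        enable = true;
        transfers = {
          "uki" = {
            Source = {
              Type = "url-file";
              Path = "http://server/";
              MatchPattern = "nixos_@v.efi";
            };
            Target = {
              Path = "/boot/EFI/Linux";
              MatchPattern = "nixos_@v.efi";
            };
          };
        };
      };

      # Public half of the keyring that signed SHA256SUMS on the server, placed
      # where systemd's import/pull machinery presumably looks for trusted
      # keys. NOTE(review): this test only covers the happy path; it does not
      # check that an unsigned or tampered SHA256SUMS is rejected, so a
      # regression that silently disables verification would still pass.
      environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg";
    };
  };

  testScript = ''
    server.wait_for_unit("nginx.service")

    # Trigger the service directly instead of waiting for its timer. `succeed`
    # fails the test if the unit exits non-zero, which is expected to include a
    # failed signature check.
    target.succeed("systemctl start systemd-sysupdate")
    assert "nixos" in target.wait_until_succeeds("cat /boot/EFI/Linux/nixos_1.efi", timeout=5)
  '';
}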