nixos/tests/systemd-journal-upload.nix at 24.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / systemd-journal-upload.nix
at 24.11-pre 3.1 kB view raw
  1import ./make-test-python.nix ({ pkgs, ... }:
  2{
  3  name = "systemd-journal-upload";
  4  meta = with pkgs.lib.maintainers; {
  5    maintainers = [ minijackson raitobezarius ];
  6  };
  7
  8  nodes.server = { nodes, ... }: {
  9    services.journald.remote = {
 10      enable = true;
 11      listen = "http";
 12      settings.Remote = {
 13        ServerCertificateFile = "/run/secrets/sever.cert.pem";
 14        ServerKeyFile = "/run/secrets/sever.key.pem";
 15        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
 16        Seal = true;
 17      };
 18    };
 19
 20    networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
 21  };
 22
 23  nodes.client = { lib, nodes, ... }: {
 24    services.journald.upload = {
 25      enable = true;
 26      settings.Upload = {
 27        URL = "http://server:${toString nodes.server.services.journald.remote.port}";
 28        ServerCertificateFile = "/run/secrets/client.cert.pem";
 29        ServerKeyFile = "/run/secrets/client.key.pem";
 30        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
 31      };
 32    };
 33
 34    # Wait for the PEMs to arrive
 35    systemd.services.systemd-journal-upload.wantedBy = lib.mkForce [];
 36    systemd.paths.systemd-journal-upload = {
 37      wantedBy = [ "default.target" ];
 38      # This file must be copied last
 39      pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
 40    };
 41  };
 42
 43  testScript = ''
 44    import subprocess
 45    import tempfile
 46
 47    tmpdir_o = tempfile.TemporaryDirectory()
 48    tmpdir = tmpdir_o.name
 49
 50    def generate_pems(domain: str):
 51      subprocess.run(
 52        [
 53          "${pkgs.minica}/bin/minica",
 54          "--ca-key=ca.key.pem",
 55          "--ca-cert=ca.cert.pem",
 56          f"--domains={domain}",
 57        ],
 58        cwd=str(tmpdir),
 59      )
 60
 61    with subtest("Creating keys and certificates"):
 62      generate_pems("server")
 63      generate_pems("client")
 64
 65    server.wait_for_unit("multi-user.target")
 66    client.wait_for_unit("multi-user.target")
 67
 68    def copy_pems(machine: Machine, domain: str):
 69      machine.succeed("mkdir /run/secrets")
 70      machine.copy_from_host(
 71        source=f"{tmpdir}/{domain}/cert.pem",
 72        target=f"/run/secrets/{domain}.cert.pem",
 73      )
 74      machine.copy_from_host(
 75        source=f"{tmpdir}/{domain}/key.pem",
 76        target=f"/run/secrets/{domain}.key.pem",
 77      )
 78      # Should be last
 79      machine.copy_from_host(
 80        source=f"{tmpdir}/ca.cert.pem",
 81        target="/run/secrets/ca.cert.pem",
 82      )
 83
 84    with subtest("Copying keys and certificates"):
 85      copy_pems(server, "server")
 86      copy_pems(client, "client")
 87
 88    client.wait_for_unit("systemd-journal-upload.service")
 89    # The journal upload should have started the remote service, triggered by
 90    # the .socket unit
 91    server.wait_for_unit("systemd-journal-remote.service")
 92
 93    identifier = "nixos-test"
 94    message = "Hello from NixOS test infrastructure"
 95
 96    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
 97    server.wait_until_succeeds(
 98      f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
 99    )
100  '';
101})