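{ pkgs, ... }:
let
  # Self-signed certificate generated at build time so the VM can serve the
  # CryptPad origins over TLS. `-nodes` leaves the private key unencrypted; it
  # is a throwaway test key that never leaves the test VM. The SAN lists both
  # hostnames configured below so a single certificate is valid for both.
  certs = pkgs.runCommand "cryptpadSelfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
    mkdir -p $out
    cd $out
    openssl req -x509 -newkey rsa:4096 \
      -keyout key.pem -out cert.pem -nodes -days 3650 \
      -subj '/CN=cryptpad.localhost' \
      -addext 'subjectAltName = DNS.1:cryptpad.localhost, DNS.2:cryptpad-sandbox.localhost'
  '';

  # Fixture for the /api/auth check: a WRITE_BLOCK request captured from
  # CryptPad's /checkup network trace. It carries a public key, a signature, a
  # ciphertext and a nonce (no private key) and is posted verbatim, so the test
  # relies on the server accepting a replayed, previously-signed request. If
  # CryptPad ever rejects replays or changes the checkup key, re-capture it.
  test_write_data = pkgs.writeText "cryptpadTestData" ''
    {"command":"WRITE_BLOCK","content":{"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","signature":"aXcM9SMO59lwA7q7HbYB+AnzymmxSyy/KhkG/cXIBVzl8v+kkPWXmFuWhcuKfRF8yt3Zc3ktIsHoFyuyDSAwAA==","ciphertext":"AFwCIfBHKdFzDKjMg4cu66qlJLpP+6Yxogbl3o9neiQou5P8h8yJB8qgnQ=="},"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","nonce":"bitSbJMNSzOsg98nEzN80a231PCkBQeH"}
  '';
in
{
  name = "cryptpad";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ martinetd ];
  };

  nodes.machine = {
    services.cryptpad = {
      enable = true;
      configureNginx = true;
      settings = {
        # Both origins must match the SAN entries of `certs` above.
        httpUnsafeOrigin = "https://cryptpad.localhost";
        httpSafeOrigin = "https://cryptpad-sandbox.localhost";
      };
    };
    services.nginx = {
      virtualHosts."cryptpad.localhost" = {
        # No network in the test VM; serve the locally generated certificate.
        enableACME = false;
        sslCertificate = "${certs}/cert.pem";
        sslCertificateKey = "${certs}/key.pem";
      };
    };
    security = {
      # Trust our own CA system-wide so curl in the test script verifies the
      # chain instead of needing `-k`; the TLS setup is therefore really tested.
      pki.certificateFiles = [ "${certs}/cert.pem" ];
    };
  };

  testScript = ''
    machine.wait_for_unit("cryptpad.service")
    machine.wait_for_unit("nginx.service")
    machine.wait_for_open_port(3000)

    # Home page over TLS. curl runs without `-k` on purpose: the self-signed
    # certificate is in the VM trust store, so a wrong or missing certificate
    # on the nginx side fails this step.
    machine.succeed("curl --fail https://cryptpad.localhost -o /tmp/cryptpad_home.html")
    machine.succeed("grep -F 'CryptPad: Collaboration suite' /tmp/cryptpad_home.html")

    # scripts/build.js must have rendered the configured origin into the
    # customize content.
    machine.succeed("grep -F 'meta property=\"og:url\" content=\"https://cryptpad.localhost/index.html' /tmp/cryptpad_home.html")

    # Child pages (customize/ and components/ assets) must be reachable, which
    # exercises nginx's try_files paths. The grep runs as its own command so a
    # regex that matches nothing fails the test; inside a `grep | while`
    # pipeline its exit status would be masked and the loop would pass
    # vacuously.
    machine.succeed(
        "grep -oE '/(customize|components)[^\"]*' /tmp/cryptpad_home.html"
        " > /tmp/cryptpad_pages"
    )
    # `exit` without an argument propagates curl's exit status; the redirect
    # form keeps the loop in the main shell so that exit is not swallowed.
    machine.succeed(
        "while read -r page; do"
        "  curl --fail -o /dev/null https://cryptpad.localhost$page || exit;"
        " done < /tmp/cryptpad_pages"
    )

    # Exercise the API (reaches the cryptpad main process) with the replayed,
    # pre-signed WRITE_BLOCK fixture described at test_write_data.
    machine.succeed("curl --fail -d @${test_write_data} -H 'Content-Type: application/json' https://cryptpad.localhost/api/auth")

    # Telemetry must be disabled: no TELEMETRY line may appear in the unit's
    # journal. This keys on the log message text, so it stops checking anything
    # if CryptPad renames that log line -- review if the check ever goes quiet.
    machine.fail("journalctl -u cryptpad | grep TELEMETRY")

    # Logged only, not asserted: the systemd hardening report is recorded to
    # guide future tightening of the unit.
    machine.log(machine.execute("systemd-analyze security cryptpad.service")[1])
  '';
}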