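# NixOS VM test for systemd-journal-upload -> systemd-journal-remote.
#
# Two nodes are started: `client` uploads its journal to `server`. The test
# script creates a throwaway CA plus one leaf certificate per node with minica,
# copies the PEM files into /run/secrets on each VM, writes one journal entry
# on the client and waits until it shows up in the server's remote journal.
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "systemd-journal-upload";
    meta = with pkgs.lib.maintainers; {
      maintainers = [
        minijackson
        raitobezarius
      ];
    };

    nodes.server =
      { nodes, ... }:
      {
        services.journald.remote = {
          enable = true;
          # NOTE(review): with listen = "http" and the client's http:// URL the
          # journal data in this test travels unencrypted. The certificate
          # settings below are presumably only consumed in https mode, so this
          # test should not be read as coverage for TLS or client-certificate
          # authentication -- confirm against the module and journal-remote.
          listen = "http";
          settings.Remote = {
            # These paths must match what copy_pems() writes in the test
            # script: /run/secrets/<domain>.cert.pem and <domain>.key.pem with
            # domain = "server". They were previously spelled "sever", which
            # went unnoticed because the files are not needed in http mode.
            ServerCertificateFile = "/run/secrets/server.cert.pem";
            ServerKeyFile = "/run/secrets/server.key.pem";
            TrustedCertificateFile = "/run/secrets/ca.cert.pem";
            # Ask journal-remote to seal the journal files it writes.
            Seal = true;
          };
        };

        # Open the journal-remote port so the client can reach it.
        networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
      };

    nodes.client =
      { lib, nodes, ... }:
      {
        services.journald.upload = {
          enable = true;
          settings.Upload = {
            # Plain-HTTP endpoint; see the NOTE(review) on the server node.
            URL = "http://server:${toString nodes.server.services.journald.remote.port}";
            ServerCertificateFile = "/run/secrets/client.cert.pem";
            ServerKeyFile = "/run/secrets/client.key.pem";
            TrustedCertificateFile = "/run/secrets/ca.cert.pem";
          };
        };

        # Wait for the PEMs to arrive: the upload service is removed from its
        # default wantedBy targets and is started by a path unit instead, once
        # the CA certificate exists.
        systemd.services.systemd-journal-upload.wantedBy = lib.mkForce [ ];
        systemd.paths.systemd-journal-upload = {
          wantedBy = [ "default.target" ];
          # This file must be copied last, so that the leaf certificate and
          # key are already in place when the path unit fires.
          pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
        };
      };

    testScript = ''
      import subprocess
      import tempfile

      # Host-side scratch directory for the CA and leaf key material. Keeping
      # the TemporaryDirectory object referenced keeps the directory alive for
      # the duration of the test script.
      tmpdir_o = tempfile.TemporaryDirectory()
      tmpdir = tmpdir_o.name

      def generate_pems(domain: str):
          """Issue a certificate and key for `domain` with minica.

          minica runs inside the scratch directory with ca.key.pem and
          ca.cert.pem as CA files; copy_pems() later reads the leaf files from
          <tmpdir>/<domain>/cert.pem and <tmpdir>/<domain>/key.pem.
          """
          subprocess.run(
              [
                  "${pkgs.minica}/bin/minica",
                  "--ca-key=ca.key.pem",
                  "--ca-cert=ca.cert.pem",
                  f"--domains={domain}",
              ],
              cwd=tmpdir,
              # Fail the test right here if certificate generation fails,
              # instead of continuing and failing later on a missing file.
              check=True,
          )

      with subtest("Creating keys and certificates"):
          generate_pems("server")
          generate_pems("client")

      server.wait_for_unit("multi-user.target")
      client.wait_for_unit("multi-user.target")

      def copy_pems(machine: Machine, domain: str):
          """Copy the leaf certificate, leaf key and CA certificate to `machine`.

          Files land in /run/secrets as <domain>.cert.pem, <domain>.key.pem and
          ca.cert.pem. Only the CA certificate is copied, never the CA key.

          NOTE(review): directory and key file modes are whatever mkdir and
          copy_from_host produce; fine for a throwaway test VM, but not a
          pattern to reuse for real private keys.
          """
          machine.succeed("mkdir /run/secrets")
          machine.copy_from_host(
              source=f"{tmpdir}/{domain}/cert.pem",
              target=f"/run/secrets/{domain}.cert.pem",
          )
          machine.copy_from_host(
              source=f"{tmpdir}/{domain}/key.pem",
              target=f"/run/secrets/{domain}.key.pem",
          )
          # Should be last: on the client, the appearance of this file is what
          # triggers the systemd-journal-upload path unit.
          machine.copy_from_host(
              source=f"{tmpdir}/ca.cert.pem",
              target="/run/secrets/ca.cert.pem",
          )

      with subtest("Copying keys and certificates"):
          copy_pems(server, "server")
          copy_pems(client, "client")

      client.wait_for_unit("systemd-journal-upload.service")
      # The journal upload should have started the remote service, triggered by
      # the .socket unit
      server.wait_for_unit("systemd-journal-remote.service")

      # Fixed marker values; they are interpolated into shell commands below,
      # so they must stay free of quotes and other shell metacharacters.
      identifier = "nixos-test"
      message = "Hello from NixOS test infrastructure"

      # Write one entry on the client and wait until it is readable from the
      # journal files that journal-remote stores on the server.
      client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
      server.wait_until_succeeds(
          f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
      )
    '';
  }
)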