1# Tests downloading a signed update artifact from a server to a target machine.
2# This test does not rely on the `systemd.timer` units provided by the
3# `systemd-sysupdate` module but triggers the `updatectl` tool directly to
4# demonstrate how to initiate updates manually.
5
{ lib, pkgs, ... }:

let
  # Pre-generated GnuPG keyring shared by the NixOS tests: the server signs
  # the update manifest with it and the target is given its public half.
  keyring = import ./common/gpg-keyring.nix { inherit pkgs; };
in
{
  name = "systemd-sysupdate";

  meta.maintainers = [ lib.maintainers.nikstur ];

  # Update repository, served over plain HTTP by nginx. Transport is not the
  # trust boundary here: integrity comes from the SHA256SUMS manifest and its
  # detached GPG signature, not from the channel.
  nodes.server =
    { pkgs, ... }:
    let
      # One versioned artifact, a SHA256SUMS manifest listing it, and a
      # detached signature over the manifest made with the shared keyring.
      # A throwaway GNUPGHOME keeps the build sandbox's key material isolated.
      artifacts = pkgs.runCommand "sysupdate-artifacts" { buildInputs = [ pkgs.gnupg ]; } ''
        mkdir -p $out
        cd $out

        echo "nixos" > nixos_1.txt
        sha256sum nixos_1.txt > SHA256SUMS

        export GNUPGHOME="$(mktemp -d)"
        cp -R ${keyring}/* $GNUPGHOME

        gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
      '';
    in
    {
      networking.firewall.enable = false;
      services.nginx.enable = true;
      services.nginx.virtualHosts."server".root = artifacts;
    };

  # Machine that pulls the update. A single transfer fetches versioned
  # "nixos_<version>.txt" files from the server and installs them at "/".
  nodes.target = {
    systemd.sysupdate.enable = true;
    systemd.sysupdate.transfers."text-file" = {
      Source = {
        Type = "url-file";
        Path = "http://server/";
        # "@v" is the version placeholder sysupdate substitutes when matching.
        MatchPattern = "nixos_@v.txt";
      };
      Target = {
        Path = "/";
        MatchPattern = [ "nixos_@v.txt" ];
      };
    };

    # Public key used to check the signature on SHA256SUMS; this path is the
    # keyring systemd's import tooling is expected to consult — confirm
    # against sysupdate.d(5)/systemd-importd if the layout changes.
    environment.etc."systemd/import-pubring.gpg".source = "${keyring}/pubkey.gpg";
  };

  # Drive the update by hand with updatectl instead of waiting for the
  # module's timer units, then check the artifact landed on the target.
  testScript = ''
    server.wait_for_unit("nginx.service")

    print(target.succeed("updatectl list"))
    target.succeed("updatectl update")
    assert "nixos" in target.wait_until_succeeds("cat /nixos_1.txt", timeout=5)
  '';
}