commit 51fcc2c92eb522f32348485065f34a4cfae4695c · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2411.section.md

···

       24
       24
        
       

     

       25
       25
        
       - [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).

     

       26
       26
        
       

     

       27
       27
       +
       - [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable).

     

       28
       28
       +
       

     

       27
       29
        
       - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

     

       28
       30
        
       

     

       29
       31
        
       - [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).

nixos/modules/module-list.nix

···

       803
       803
        
         ./services/misc/pufferpanel.nix

     

       804
       804
        
         ./services/misc/pykms.nix

     

       805
       805
        
         ./services/misc/radarr.nix

     

       806
       806
       +
         ./services/misc/radicle.nix

     

       806
       807
        
         ./services/misc/readarr.nix

     

       807
       808
        
         ./services/misc/redmine.nix

     

       808
       809
        
         ./services/misc/renovate.nix

+347

nixos/modules/services/misc/radicle.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       with lib;

     

       3
       3
       +
       let

     

       4
       4
       +
         cfg = config.services.radicle;

     

       5
       5
       +
       

     

       6
       6
       +
         json = pkgs.formats.json { };

     

       7
       7
       +
       

     

       8
       8
       +
         env = rec {

     

       9
       9
       +
           # rad fails if it cannot stat $HOME/.gitconfig

     

       10
       10
       +
           HOME = "/var/lib/radicle";

     

       11
       11
       +
           RAD_HOME = HOME;

     

       12
       12
       +
         };

     

       13
       13
       +
       

     

       14
       14
       +
         # Convenient wrapper to run `rad` in the namespaces of `radicle-node.service`

     

       15
       15
       +
         rad-system = pkgs.writeShellScriptBin "rad-system" ''

     

       16
       16
       +
           set -o allexport

     

       17
       17
       +
           ${toShellVars env}

     

       18
       18
       +
           # Note that --env is not used to preserve host's envvars like $TERM

     

       19
       19
       +
           exec ${getExe' pkgs.util-linux "nsenter"} -a \

     

       20
       20
       +
             -t "$(${getExe' config.systemd.package "systemctl"} show -P MainPID radicle-node.service)" \

     

       21
       21
       +
             -S "$(${getExe' config.systemd.package "systemctl"} show -P UID radicle-node.service)" \

     

       22
       22
       +
             -G "$(${getExe' config.systemd.package "systemctl"} show -P GID radicle-node.service)" \

     

       23
       23
       +
             ${getExe' cfg.package "rad"} "$@"

     

       24
       24
       +
         '';

     

       25
       25
       +
       

     

       26
       26
       +
         commonServiceConfig = serviceName: {

     

       27
       27
       +
           environment = env // {

     

       28
       28
       +
             RUST_LOG = mkDefault "info";

     

       29
       29
       +
           };

     

       30
       30
       +
           path = [

     

       31
       31
       +
             pkgs.gitMinimal

     

       32
       32
       +
           ];

     

       33
       33
       +
           documentation = [

     

       34
       34
       +
             "https://docs.radicle.xyz/guides/seeder"

     

       35
       35
       +
           ];

     

       36
       36
       +
           after = [

     

       37
       37
       +
             "network.target"

     

       38
       38
       +
             "network-online.target"

     

       39
       39
       +
           ];

     

       40
       40
       +
           requires = [

     

       41
       41
       +
             "network-online.target"

     

       42
       42
       +
           ];

     

       43
       43
       +
           wantedBy = [ "multi-user.target" ];

     

       44
       44
       +
           serviceConfig = mkMerge [

     

       45
       45
       +
             {

     

       46
       46
       +
               BindReadOnlyPaths = [

     

       47
       47
       +
                 "${cfg.configFile}:${env.RAD_HOME}/config.json"

     

       48
       48
       +
                 "${if isPath cfg.publicKeyFile then cfg.publicKeyFile else pkgs.writeText "radicle.pub" cfg.publicKeyFile}:${env.RAD_HOME}/keys/radicle.pub"

     

       49
       49
       +
               ];

     

       50
       50
       +
               KillMode = "process";

     

       51
       51
       +
               StateDirectory = [ "radicle" ];

     

       52
       52
       +
               User = config.users.users.radicle.name;

     

       53
       53
       +
               Group = config.users.groups.radicle.name;

     

       54
       54
       +
               WorkingDirectory = env.HOME;

     

       55
       55
       +
             }

     

       56
       56
       +
             # The following options are only for optimizing:

     

       57
       57
       +
             # systemd-analyze security ${serviceName}

     

       58
       58
       +
             {

     

       59
       59
       +
               BindReadOnlyPaths = [

     

       60
       60
       +
                 "-/etc/resolv.conf"

     

       61
       61
       +
                 "/etc/ssl/certs/ca-certificates.crt"

     

       62
       62
       +
                 "/run/systemd"

     

       63
       63
       +
               ];

     

       64
       64
       +
               AmbientCapabilities = "";

     

       65
       65
       +
               CapabilityBoundingSet = "";

     

       66
       66
       +
               DeviceAllow = ""; # ProtectClock= adds DeviceAllow=char-rtc r

     

       67
       67
       +
               LockPersonality = true;

     

       68
       68
       +
               MemoryDenyWriteExecute = true;

     

       69
       69
       +
               NoNewPrivileges = true;

     

       70
       70
       +
               PrivateTmp = true;

     

       71
       71
       +
               ProcSubset = "pid";

     

       72
       72
       +
               ProtectClock = true;

     

       73
       73
       +
               ProtectHome = true;

     

       74
       74
       +
               ProtectHostname = true;

     

       75
       75
       +
               ProtectKernelLogs = true;

     

       76
       76
       +
               ProtectProc = "invisible";

     

       77
       77
       +
               ProtectSystem = "strict";

     

       78
       78
       +
               RemoveIPC = true;

     

       79
       79
       +
               RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];

     

       80
       80
       +
               RestrictNamespaces = true;

     

       81
       81
       +
               RestrictRealtime = true;

     

       82
       82
       +
               RestrictSUIDSGID = true;

     

       83
       83
       +
               RuntimeDirectoryMode = "700";

     

       84
       84
       +
               SocketBindDeny = [ "any" ];

     

       85
       85
       +
               StateDirectoryMode = "0750";

     

       86
       86
       +
               SystemCallFilter = [

     

       87
       87
       +
                 "@system-service"

     

       88
       88
       +
                 "~@aio"

     

       89
       89
       +
                 "~@chown"

     

       90
       90
       +
                 "~@keyring"

     

       91
       91
       +
                 "~@memlock"

     

       92
       92
       +
                 "~@privileged"

     

       93
       93
       +
                 "~@resources"

     

       94
       94
       +
                 "~@setuid"

     

       95
       95
       +
                 "~@timer"

     

       96
       96
       +
               ];

     

       97
       97
       +
               SystemCallArchitectures = "native";

     

       98
       98
       +
               # This is for BindPaths= and BindReadOnlyPaths=

     

       99
       99
       +
               # to allow traversal of directories they create inside RootDirectory=

     

       100
       100
       +
               UMask = "0066";

     

       101
       101
       +
             }

     

       102
       102
       +
           ];

     

       103
       103
       +
           confinement = {

     

       104
       104
       +
             enable = true;

     

       105
       105
       +
             mode = "full-apivfs";

     

       106
       106
       +
             packages = [

     

       107
       107
       +
               pkgs.gitMinimal

     

       108
       108
       +
               cfg.package

     

       109
       109
       +
               pkgs.iana-etc

     

       110
       110
       +
               (getLib pkgs.nss)

     

       111
       111
       +
               pkgs.tzdata

     

       112
       112
       +
             ];

     

       113
       113
       +
           };

     

       114
       114
       +
         };

     

       115
       115
       +
       in

     

       116
       116
       +
       {

     

       117
       117
       +
         options = {

     

       118
       118
       +
           services.radicle = {

     

       119
       119
       +
             enable = mkEnableOption "Radicle Seed Node";

     

       120
       120
       +
             package = mkPackageOption pkgs "radicle-node" { };

     

       121
       121
       +
             privateKeyFile = mkOption {

     

       122
       122
       +
               type = with types; either path str;

     

       123
       123
       +
               description = ''

     

       124
       124
       +
                 SSH private key generated by `rad auth`.

     

       125
       125
       +
       

     

       126
       126
       +
                 If it contains a colon (`:`) the string before the colon

     

       127
       127
       +
                 is taken as the credential name

     

       128
       128
       +
                 and the string after as a path encrypted with `systemd-creds`.

     

       129
       129
       +
               '';

     

       130
       130
       +
             };

     

       131
       131
       +
             publicKeyFile = mkOption {

     

       132
       132
       +
               type = with types; either path str;

     

       133
       133
       +
               description = ''

     

       134
       134
       +
                 SSH public key generated by `rad auth`.

     

       135
       135
       +
               '';

     

       136
       136
       +
             };

     

       137
       137
       +
             node = {

     

       138
       138
       +
               listenAddress = mkOption {

     

       139
       139
       +
                 type = types.str;

     

       140
       140
       +
                 default = "0.0.0.0";

     

       141
       141
       +
                 example = "127.0.0.1";

     

       142
       142
       +
                 description = "The IP address on which `radicle-node` listens.";

     

       143
       143
       +
               };

     

       144
       144
       +
               listenPort = mkOption {

     

       145
       145
       +
                 type = types.port;

     

       146
       146
       +
                 default = 8776;

     

       147
       147
       +
                 description = "The port on which `radicle-node` listens.";

     

       148
       148
       +
               };

     

       149
       149
       +
               openFirewall = mkEnableOption "opening the firewall for `radicle-node`";

     

       150
       150
       +
               extraArgs = mkOption {

     

       151
       151
       +
                 type = with types; listOf str;

     

       152
       152
       +
                 default = [ ];

     

       153
       153
       +
                 description = "Extra arguments for `radicle-node`";

     

       154
       154
       +
               };

     

       155
       155
       +
             };

     

       156
       156
       +
             configFile = mkOption {

     

       157
       157
       +
               type = types.package;

     

       158
       158
       +
               internal = true;

     

       159
       159
       +
               default = (json.generate "config.json" cfg.settings).overrideAttrs (previousAttrs: {

     

       160
       160
       +
                 preferLocalBuild = true;

     

       161
       161
       +
                 # None of the usual phases are run here because runCommandWith uses buildCommand,

     

       162
       162
       +
                 # so just append to buildCommand what would usually be a checkPhase.

     

       163
       163
       +
                 buildCommand = previousAttrs.buildCommand + optionalString cfg.checkConfig ''

     

       164
       164
       +
                   ln -s $out config.json

     

       165
       165
       +
                   install -D -m 644 /dev/stdin keys/radicle.pub <<<"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgFMhajUng+Rjj/sCFXI9PzG8BQjru2n7JgUVF1Kbv5 snakeoil"

     

       166
       166
       +
                   export RAD_HOME=$PWD

     

       167
       167
       +
                   ${getExe' pkgs.buildPackages.radicle-node "rad"} config >/dev/null || {

     

       168
       168
       +
                     cat -n config.json

     

       169
       169
       +
                     echo "Invalid config.json according to rad."

     

       170
       170
       +
                     echo "Please double-check your services.radicle.settings (producing the config.json above),"

     

       171
       171
       +
                     echo "some settings may be missing or have the wrong type."

     

       172
       172
       +
                     exit 1

     

       173
       173
       +
                   } >&2

     

       174
       174
       +
                 '';

     

       175
       175
       +
               });

     

       176
       176
       +
             };

     

       177
       177
       +
             checkConfig = mkEnableOption "checking the {file}`config.json` file resulting from {option}`services.radicle.settings`" // { default = true; };

     

       178
       178
       +
             settings = mkOption {

     

       179
       179
       +
               description = ''

     

       180
       180
       +
                 See https://app.radicle.xyz/nodes/seed.radicle.garden/rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5/tree/radicle/src/node/config.rs#L275

     

       181
       181
       +
               '';

     

       182
       182
       +
               default = { };

     

       183
       183
       +
               type = types.submodule {

     

       184
       184
       +
                 freeformType = json.type;

     

       185
       185
       +
               };

     

       186
       186
       +
             };

     

       187
       187
       +
             httpd = {

     

       188
       188
       +
               enable = mkEnableOption "Radicle HTTP gateway to radicle-node";

     

       189
       189
       +
               package = mkPackageOption pkgs "radicle-httpd" { };

     

       190
       190
       +
               listenAddress = mkOption {

     

       191
       191
       +
                 type = types.str;

     

       192
       192
       +
                 default = "127.0.0.1";

     

       193
       193
       +
                 description = "The IP address on which `radicle-httpd` listens.";

     

       194
       194
       +
               };

     

       195
       195
       +
               listenPort = mkOption {

     

       196
       196
       +
                 type = types.port;

     

       197
       197
       +
                 default = 8080;

     

       198
       198
       +
                 description = "The port on which `radicle-httpd` listens.";

     

       199
       199
       +
               };

     

       200
       200
       +
               nginx = mkOption {

     

       201
       201
       +
                 # Type of a single virtual host, or null.

     

       202
       202
       +
                 type = types.nullOr (types.submodule (

     

       203
       203
       +
                   recursiveUpdate (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {

     

       204
       204
       +
                     options.serverName = {

     

       205
       205
       +
                       default = "radicle-${config.networking.hostName}.${config.networking.domain}";

     

       206
       206
       +
                       defaultText = "radicle-\${config.networking.hostName}.\${config.networking.domain}";

     

       207
       207
       +
                     };

     

       208
       208
       +
                   }

     

       209
       209
       +
                 ));

     

       210
       210
       +
                 default = null;

     

       211
       211
       +
                 example = literalExpression ''

     

       212
       212
       +
                   {

     

       213
       213
       +
                     serverAliases = [

     

       214
       214
       +
                       "seed.''${config.networking.domain}"

     

       215
       215
       +
                     ];

     

       216
       216
       +
                     enableACME = false;

     

       217
       217
       +
                     useACMEHost = config.networking.domain;

     

       218
       218
       +
                   }

     

       219
       219
       +
                 '';

     

       220
       220
       +
                 description = ''

     

       221
       221
       +
                   With this option, you can customize an nginx virtual host which already has sensible defaults for `radicle-httpd`.

     

       222
       222
       +
                   Set to `{}` if you do not need any customization to the virtual host.

     

       223
       223
       +
                   If enabled, then by default, the {option}`serverName` is

     

       224
       224
       +
                   `radicle-''${config.networking.hostName}.''${config.networking.domain}`,

     

       225
       225
       +
                   TLS is active, and certificates are acquired via ACME.

     

       226
       226
       +
                   If this is set to null (the default), no nginx virtual host will be configured.

     

       227
       227
       +
                 '';

     

       228
       228
       +
               };

     

       229
       229
       +
               extraArgs = mkOption {

     

       230
       230
       +
                 type = with types; listOf str;

     

       231
       231
       +
                 default = [ ];

     

       232
       232
       +
                 description = "Extra arguments for `radicle-httpd`";

     

       233
       233
       +
               };

     

       234
       234
       +
             };

     

       235
       235
       +
           };

     

       236
       236
       +
         };

     

       237
       237
       +
       

     

       238
       238
       +
         config = mkIf cfg.enable (mkMerge [

     

       239
       239
       +
           {

     

       240
       240
       +
             systemd.services.radicle-node = mkMerge [

     

       241
       241
       +
               (commonServiceConfig "radicle-node")

     

       242
       242
       +
               {

     

       243
       243
       +
                 description = "Radicle Node";

     

       244
       244
       +
                 documentation = [ "man:radicle-node(1)" ];

     

       245
       245
       +
                 serviceConfig = {

     

       246
       246
       +
                   ExecStart = "${getExe' cfg.package "radicle-node"} --force --listen ${cfg.node.listenAddress}:${toString cfg.node.listenPort} ${escapeShellArgs cfg.node.extraArgs}";

     

       247
       247
       +
                   Restart = mkDefault "on-failure";

     

       248
       248
       +
                   RestartSec = "30";

     

       249
       249
       +
                   SocketBindAllow = [ "tcp:${toString cfg.node.listenPort}" ];

     

       250
       250
       +
                   SystemCallFilter = mkAfter [

     

       251
       251
       +
                     # Needed by git upload-pack which calls alarm() and setitimer() when providing a rad clone

     

       252
       252
       +
                     "@timer"

     

       253
       253
       +
                   ];

     

       254
       254
       +
                 };

     

       255
       255
       +
                 confinement.packages = [

     

       256
       256
       +
                   cfg.package

     

       257
       257
       +
                 ];

     

       258
       258
       +
               }

     

       259
       259
       +
               # Give only access to the private key to radicle-node.

     

       260
       260
       +
               {

     

       261
       261
       +
                 serviceConfig =

     

       262
       262
       +
                   let keyCred = builtins.split ":" "${cfg.privateKeyFile}"; in

     

       263
       263
       +
                   if length keyCred > 1

     

       264
       264
       +
                   then {

     

       265
       265
       +
                     LoadCredentialEncrypted = [ cfg.privateKeyFile ];

     

       266
       266
       +
                     # Note that neither %d nor ${CREDENTIALS_DIRECTORY} works in BindReadOnlyPaths=

     

       267
       267
       +
                     BindReadOnlyPaths = [ "/run/credentials/radicle-node.service/${head keyCred}:${env.RAD_HOME}/keys/radicle" ];

     

       268
       268
       +
                   }

     

       269
       269
       +
                   else {

     

       270
       270
       +
                     LoadCredential = [ "radicle:${cfg.privateKeyFile}" ];

     

       271
       271
       +
                     BindReadOnlyPaths = [ "/run/credentials/radicle-node.service/radicle:${env.RAD_HOME}/keys/radicle" ];

     

       272
       272
       +
                   };

     

       273
       273
       +
               }

     

       274
       274
       +
             ];

     

       275
       275
       +
       

     

       276
       276
       +
             environment.systemPackages = [

     

       277
       277
       +
               rad-system

     

       278
       278
       +
             ];

     

       279
       279
       +
       

     

       280
       280
       +
             networking.firewall = mkIf cfg.node.openFirewall {

     

       281
       281
       +
               allowedTCPPorts = [ cfg.node.listenPort ];

     

       282
       282
       +
             };

     

       283
       283
       +
       

     

       284
       284
       +
             users = {

     

       285
       285
       +
               users.radicle = {

     

       286
       286
       +
                 description = "Radicle";

     

       287
       287
       +
                 group = "radicle";

     

       288
       288
       +
                 home = env.HOME;

     

       289
       289
       +
                 isSystemUser = true;

     

       290
       290
       +
               };

     

       291
       291
       +
               groups.radicle = {

     

       292
       292
       +
               };

     

       293
       293
       +
             };

     

       294
       294
       +
           }

     

       295
       295
       +
       

     

       296
       296
       +
           (mkIf cfg.httpd.enable (mkMerge [

     

       297
       297
       +
             {

     

       298
       298
       +
               systemd.services.radicle-httpd = mkMerge [

     

       299
       299
       +
                 (commonServiceConfig "radicle-httpd")

     

       300
       300
       +
                 {

     

       301
       301
       +
                   description = "Radicle HTTP gateway to radicle-node";

     

       302
       302
       +
                   documentation = [ "man:radicle-httpd(1)" ];

     

       303
       303
       +
                   serviceConfig = {

     

       304
       304
       +
                     ExecStart = "${getExe' cfg.httpd.package "radicle-httpd"} --listen ${cfg.httpd.listenAddress}:${toString cfg.httpd.listenPort} ${escapeShellArgs cfg.httpd.extraArgs}";

     

       305
       305
       +
                     Restart = mkDefault "on-failure";

     

       306
       306
       +
                     RestartSec = "10";

     

       307
       307
       +
                     SocketBindAllow = [ "tcp:${toString cfg.httpd.listenPort}" ];

     

       308
       308
       +
                     SystemCallFilter = mkAfter [

     

       309
       309
       +
                       # Needed by git upload-pack which calls alarm() and setitimer() when providing a git clone

     

       310
       310
       +
                       "@timer"

     

       311
       311
       +
                     ];

     

       312
       312
       +
                   };

     

       313
       313
       +
                 confinement.packages = [

     

       314
       314
       +
                   cfg.httpd.package

     

       315
       315
       +
                 ];

     

       316
       316
       +
                 }

     

       317
       317
       +
               ];

     

       318
       318
       +
             }

     

       319
       319
       +
       

     

       320
       320
       +
             (mkIf (cfg.httpd.nginx != null) {

     

       321
       321
       +
               services.nginx.virtualHosts.${cfg.httpd.nginx.serverName} = lib.mkMerge [

     

       322
       322
       +
                 cfg.httpd.nginx

     

       323
       323
       +
                 {

     

       324
       324
       +
                   forceSSL = mkDefault true;

     

       325
       325
       +
                   enableACME = mkDefault true;

     

       326
       326
       +
                   locations."/" = {

     

       327
       327
       +
                     proxyPass = "http://${cfg.httpd.listenAddress}:${toString cfg.httpd.listenPort}";

     

       328
       328
       +
                     recommendedProxySettings = true;

     

       329
       329
       +
                   };

     

       330
       330
       +
                 }

     

       331
       331
       +
               ];

     

       332
       332
       +
       

     

       333
       333
       +
               services.radicle.settings = {

     

       334
       334
       +
                 node.alias = mkDefault cfg.httpd.nginx.serverName;

     

       335
       335
       +
                 node.externalAddresses = mkDefault [

     

       336
       336
       +
                   "${cfg.httpd.nginx.serverName}:${toString cfg.node.listenPort}"

     

       337
       337
       +
                 ];

     

       338
       338
       +
               };

     

       339
       339
       +
             })

     

       340
       340
       +
           ]))

     

       341
       341
       +
         ]);

     

       342
       342
       +
       

     

       343
       343
       +
         meta.maintainers = with lib.maintainers; [

     

       344
       344
       +
           julm

     

       345
       345
       +
           lorenzleutgeb

     

       346
       346
       +
         ];

     

       347
       347
       +
       }

nixos/tests/all-tests.nix

···

       813
       813
        
         rabbitmq = handleTest ./rabbitmq.nix {};

     

       814
       814
        
         radarr = handleTest ./radarr.nix {};

     

       815
       815
        
         radicale = handleTest ./radicale.nix {};

     

       816
       816
       +
         radicle = runTest ./radicle.nix;

     

       816
       817
        
         ragnarwm = handleTest ./ragnarwm.nix {};

     

       817
       818
        
         rasdaemon = handleTest ./rasdaemon.nix {};

     

       818
       819
        
         readarr = handleTest ./readarr.nix {};

+207

nixos/tests/radicle.nix

···

       1
       1
       +
       # This test runs the radicle-node and radicle-httpd services on a seed host,

     

       2
       2
       +
       # and verifies that an alice peer can host a repository on the seed,

     

       3
       3
       +
       # and that a bob peer can send alice a patch via the seed.

     

       4
       4
       +
       

     

       5
       5
       +
       { pkgs, ... }:

     

       6
       6
       +
       

     

       7
       7
       +
       let

     

       8
       8
       +
         # The Node ID depends on nodes.seed.services.radicle.privateKeyFile

     

       9
       9
       +
         seed-nid = "z6Mkg52RcwDrPKRzzHaYgBkHH3Gi5p4694fvPstVE9HTyMB6";

     

       10
       10
       +
         seed-ssh-keys = import ./ssh-keys.nix pkgs;

     

       11
       11
       +
         seed-tls-certs = import common/acme/server/snakeoil-certs.nix;

     

       12
       12
       +
       

     

       13
       13
       +
         commonHostConfig = { nodes, config, pkgs, ... }: {

     

       14
       14
       +
           environment.systemPackages = [

     

       15
       15
       +
             config.services.radicle.package

     

       16
       16
       +
             pkgs.curl

     

       17
       17
       +
             pkgs.gitMinimal

     

       18
       18
       +
             pkgs.jq

     

       19
       19
       +
           ];

     

       20
       20
       +
           environment.etc."gitconfig".text = ''

     

       21
       21
       +
             [init]

     

       22
       22
       +
               defaultBranch = main

     

       23
       23
       +
             [user]

     

       24
       24
       +
               email = root@${config.networking.hostName}

     

       25
       25
       +
               name = ${config.networking.hostName}

     

       26
       26
       +
           '';

     

       27
       27
       +
           networking = {

     

       28
       28
       +
             extraHosts = ''

     

       29
       29
       +
               ${nodes.seed.networking.primaryIPAddress} ${nodes.seed.services.radicle.httpd.nginx.serverName}

     

       30
       30
       +
             '';

     

       31
       31
       +
           };

     

       32
       32
       +
           security.pki.certificateFiles = [

     

       33
       33
       +
             seed-tls-certs.ca.cert

     

       34
       34
       +
           ];

     

       35
       35
       +
         };

     

       36
       36
       +
       

     

       37
       37
       +
         radicleConfig = { nodes, ... }: alias:

     

       38
       38
       +
           pkgs.writeText "config.json" (builtins.toJSON {

     

       39
       39
       +
             preferredSeeds = [

     

       40
       40
       +
               "${seed-nid}@seed:${toString nodes.seed.services.radicle.node.listenPort}"

     

       41
       41
       +
             ];

     

       42
       42
       +
             node = {

     

       43
       43
       +
               inherit alias;

     

       44
       44
       +
               relay = "never";

     

       45
       45
       +
               seedingPolicy = {

     

       46
       46
       +
                 default = "block";

     

       47
       47
       +
               };

     

       48
       48
       +
             };

     

       49
       49
       +
           });

     

       50
       50
       +
       in

     

       51
       51
       +
       

     

       52
       52
       +
       {

     

       53
       53
       +
         name = "radicle";

     

       54
       54
       +
       

     

       55
       55
       +
         meta = with pkgs.lib.maintainers; {

     

       56
       56
       +
           maintainers = [

     

       57
       57
       +
             julm

     

       58
       58
       +
             lorenzleutgeb

     

       59
       59
       +
           ];

     

       60
       60
       +
         };

     

       61
       61
       +
       

     

       62
       62
       +
         nodes = {

     

       63
       63
       +
           seed = { pkgs, config, ... }: {

     

       64
       64
       +
             imports = [ commonHostConfig ];

     

       65
       65
       +
       

     

       66
       66
       +
             services.radicle = {

     

       67
       67
       +
               enable = true;

     

       68
       68
       +
               privateKeyFile = seed-ssh-keys.snakeOilEd25519PrivateKey;

     

       69
       69
       +
               publicKeyFile = seed-ssh-keys.snakeOilEd25519PublicKey;

     

       70
       70
       +
               node = {

     

       71
       71
       +
                 openFirewall = true;

     

       72
       72
       +
               };

     

       73
       73
       +
               httpd = {

     

       74
       74
       +
                 enable = true;

     

       75
       75
       +
                 nginx = {

     

       76
       76
       +
                   serverName = seed-tls-certs.domain;

     

       77
       77
       +
                   addSSL = true;

     

       78
       78
       +
                   sslCertificate = seed-tls-certs.${seed-tls-certs.domain}.cert;

     

       79
       79
       +
                   sslCertificateKey = seed-tls-certs.${seed-tls-certs.domain}.key;

     

       80
       80
       +
                 };

     

       81
       81
       +
               };

     

       82
       82
       +
               settings = {

     

       83
       83
       +
                 preferredSeeds = [];

     

       84
       84
       +
                 node = {

     

       85
       85
       +
                   relay = "always";

     

       86
       86
       +
                   seedingPolicy = {

     

       87
       87
       +
                     default = "allow";

     

       88
       88
       +
                     scope = "all";

     

       89
       89
       +
                   };

     

       90
       90
       +
                 };

     

       91
       91
       +
               };

     

       92
       92
       +
             };

     

       93
       93
       +
       

     

       94
       94
       +
             services.nginx = {

     

       95
       95
       +
               enable = true;

     

       96
       96
       +
             };

     

       97
       97
       +
       

     

       98
       98
       +
             networking.firewall.allowedTCPPorts = [ 443 ];

     

       99
       99
       +
           };

     

       100
       100
       +
       

     

       101
       101
       +
           alice = {

     

       102
       102
       +
             imports = [ commonHostConfig ];

     

       103
       103
       +
           };

     

       104
       104
       +
       

     

       105
       105
       +
           bob = {

     

       106
       106
       +
             imports = [ commonHostConfig ];

     

       107
       107
       +
           };

     

       108
       108
       +
         };

     

       109
       109
       +
       

     

       110
       110
       +
         testScript = { nodes, ... }@args: ''

     

       111
       111
       +
           start_all()

     

       112
       112
       +
       

     

       113
       113
       +
           with subtest("seed can run radicle-node"):

     

       114
       114
       +
             # The threshold and/or hardening may have to be changed with new features/checks

     

       115
       115
       +
             print(seed.succeed("systemd-analyze security radicle-node.service --threshold=10 --no-pager"))

     

       116
       116
       +
             seed.wait_for_unit("radicle-node.service")

     

       117
       117
       +
             seed.wait_for_open_port(${toString nodes.seed.services.radicle.node.listenPort})

     

       118
       118
       +
       

     

       119
       119
       +
           with subtest("seed can run radicle-httpd"):

     

       120
       120
       +
             # The threshold and/or hardening may have to be changed with new features/checks

     

       121
       121
       +
             print(seed.succeed("systemd-analyze security radicle-httpd.service --threshold=10 --no-pager"))

     

       122
       122
       +
             seed.wait_for_unit("radicle-httpd.service")

     

       123
       123
       +
             seed.wait_for_open_port(${toString nodes.seed.services.radicle.httpd.listenPort})

     

       124
       124
       +
             seed.wait_for_open_port(443)

     

       125
       125
       +
             assert alice.succeed("curl -sS 'https://${nodes.seed.services.radicle.httpd.nginx.serverName}/api/v1' | jq -r .nid") == "${seed-nid}\n"

     

       126
       126
       +
             assert bob.succeed("curl -sS 'https://${nodes.seed.services.radicle.httpd.nginx.serverName}/api/v1' | jq -r .nid") == "${seed-nid}\n"

     

       127
       127
       +
       

     

       128
       128
       +
           with subtest("alice can create a Node ID"):

     

       129
       129
       +
             alice.succeed("rad auth --alias alice --stdin </dev/null")

     

       130
       130
       +
             alice.copy_from_host("${radicleConfig args "alice"}", "/root/.radicle/config.json")

     

       131
       131
       +
           with subtest("alice can run a node"):

     

       132
       132
       +
             alice.succeed("rad node start")

     

       133
       133
       +
           with subtest("alice can create a Git repository"):

     

       134
       134
       +
             alice.succeed(

     

       135
       135
       +
               "mkdir /tmp/repo",

     

       136
       136
       +
               "git -C /tmp/repo init",

     

       137
       137
       +
               "echo hello world > /tmp/repo/testfile",

     

       138
       138
       +
               "git -C /tmp/repo add .",

     

       139
       139
       +
               "git -C /tmp/repo commit -m init"

     

       140
       140
       +
             )

     

       141
       141
       +
           with subtest("alice can create a Repository ID"):

     

       142
       142
       +
             alice.succeed(

     

       143
       143
       +
               "cd /tmp/repo && rad init --name repo --description descr --default-branch main --public"

     

       144
       144
       +
             )

     

       145
       145
       +
           alice_repo_rid=alice.succeed("cd /tmp/repo && rad inspect --rid").rstrip("\n")

     

       146
       146
       +
           with subtest("alice can send a repository to the seed"):

     

       147
       147
       +
             alice.succeed(f"rad sync --seed ${seed-nid} {alice_repo_rid}")

     

       148
       148
       +
       

     

       149
       149
       +
           with subtest(f"seed can receive the repository {alice_repo_rid}"):

     

       150
       150
       +
             seed.wait_until_succeeds("test 1 = \"$(rad-system stats | jq .local.repos)\"")

     

       151
       151
       +
       

     

       152
       152
       +
           with subtest("bob can create a Node ID"):

     

       153
       153
       +
             bob.succeed("rad auth --alias bob --stdin </dev/null")

     

       154
       154
       +
             bob.copy_from_host("${radicleConfig args "bob"}", "/root/.radicle/config.json")

     

       155
       155
       +
             bob.succeed("rad node start")

     

       156
       156
       +
           with subtest("bob can clone alice's repository from the seed"):

     

       157
       157
       +
             bob.succeed(f"rad clone {alice_repo_rid} /tmp/repo")

     

       158
       158
       +
             assert bob.succeed("cat /tmp/repo/testfile") == "hello world\n"

     

       159
       159
       +
       

     

       160
       160
       +
           with subtest("bob can clone alice's repository from the seed through the HTTP gateway"):

     

       161
       161
       +
             bob.succeed(f"git clone https://${nodes.seed.services.radicle.httpd.nginx.serverName}/{alice_repo_rid[4:]}.git /tmp/repo-http")

     

       162
       162
       +
             assert bob.succeed("cat /tmp/repo-http/testfile") == "hello world\n"

     

       163
       163
       +
       

     

       164
       164
       +
           with subtest("alice can push the main branch to the rad remote"):

     

       165
       165
       +
             alice.succeed(

     

       166
       166
       +
               "echo hello bob > /tmp/repo/testfile",

     

       167
       167
       +
               "git -C /tmp/repo add .",

     

       168
       168
       +
               "git -C /tmp/repo commit -m 'hello to bob'",

     

       169
       169
       +
               "git -C /tmp/repo push rad main"

     

       170
       170
       +
             )

     

       171
       171
       +
           with subtest("bob can sync bob's repository from the seed"):

     

       172
       172
       +
             bob.succeed(

     

       173
       173
       +
               "cd /tmp/repo && rad sync --seed ${seed-nid}",

     

       174
       174
       +
               "cd /tmp/repo && git pull"

     

       175
       175
       +
             )

     

       176
       176
       +
             assert bob.succeed("cat /tmp/repo/testfile") == "hello bob\n"

     

       177
       177
       +
       

     

       178
       178
       +
           with subtest("bob can push a patch"):

     

       179
       179
       +
             bob.succeed(

     

       180
       180
       +
               "echo hello alice > /tmp/repo/testfile",

     

       181
       181
       +
               "git -C /tmp/repo checkout -b for-alice",

     

       182
       182
       +
               "git -C /tmp/repo add .",

     

       183
       183
       +
               "git -C /tmp/repo commit -m 'hello to alice'",

     

       184
       184
       +
               "git -C /tmp/repo push -o patch.message='hello for alice' rad HEAD:refs/patches"

     

       185
       185
       +
             )

     

       186
       186
       +
       

     

       187
       187
       +
           bob_repo_patch1_pid=bob.succeed("cd /tmp/repo && git branch --remotes | sed -ne 's:^ *rad/patches/::'p").rstrip("\n")

     

       188
       188
       +
           with subtest("alice can receive the patch"):

     

       189
       189
       +
             alice.wait_until_succeeds("test 1 = \"$(rad stats | jq .local.patches)\"")

     

       190
       190
       +
             alice.succeed(

     

       191
       191
       +
               f"cd /tmp/repo && rad patch show {bob_repo_patch1_pid} | grep 'opened by bob'",

     

       192
       192
       +
               f"cd /tmp/repo && rad patch checkout {bob_repo_patch1_pid}"

     

       193
       193
       +
             )

     

       194
       194
       +
             assert alice.succeed("cat /tmp/repo/testfile") == "hello alice\n"

     

       195
       195
       +
           with subtest("alice can comment the patch"):

     

       196
       196
       +
             alice.succeed(

     

       197
       197
       +
               f"cd /tmp/repo && rad patch comment {bob_repo_patch1_pid} -m thank-you"

     

       198
       198
       +
             )

     

       199
       199
       +
           with subtest("alice can merge the patch"):

     

       200
       200
       +
             alice.succeed(

     

       201
       201
       +
               "git -C /tmp/repo checkout main",

     

       202
       202
       +
               f"git -C /tmp/repo merge patch/{bob_repo_patch1_pid[:7]}",

     

       203
       203
       +
               "git -C /tmp/repo push rad main",

     

       204
       204
       +
               "cd /tmp/repo && rad patch list | grep -qxF 'Nothing to show.'"

     

       205
       205
       +
             )

     

       206
       206
       +
         '';

     

       207
       207
       +
       }

+15

pkgs/by-name/ra/radicle-node/package.nix

···

       7
       7
        
       , lib

     

       8
       8
        
       , makeWrapper

     

       9
       9
        
       , man-db

     

       10
       10
       +
       , nixos

     

       11
       11
       +
       , nixosTests

     

       10
       12
        
       , openssh

     

       11
       13
        
       , radicle-node

     

       12
       14
        
       , runCommand

     
···

       89
       91
        
       

     

       90
       92
        
               touch $out

     

       91
       93
        
             '';

     

       94
       94
       +
             nixos-build = lib.recurseIntoAttrs {

     

       95
       95
       +
               checkConfig-success = (nixos {

     

       96
       96
       +
                   services.radicle.settings = {

     

       97
       97
       +
                     node.alias = "foo";

     

       98
       98
       +
                   };

     

       99
       99
       +
                 }).config.services.radicle.configFile;

     

       100
       100
       +
               checkConfig-failure = testers.testBuildFailure (nixos {

     

       101
       101
       +
                   services.radicle.settings = {

     

       102
       102
       +
                     node.alias = null;

     

       103
       103
       +
                   };

     

       104
       104
       +
                 }).config.services.radicle.configFile;

     

       105
       105
       +
             };

     

       106
       106
       +
             nixos-run = nixosTests.radicle;

     

       92
       107
        
           };

     

       93
       108
        
       

     

       94
       109
        
         meta = {