+1 -1

.envrc

··· 1 1 - use flake . --impure 1 1 + use flake .

+40 -18

.github/workflows/test.yml

··· 1 1 + --- 1 2 name: "Test" 2 3 on: 3 4 pull_request: ··· 28 29 authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" 29 30 - name: Build 30 31 run: nix develop --print-build-logs -v --command pre-commit run --all-files 31 31 - # flake-checks: 32 32 - # runs-on: ubuntu-latest 33 33 - # strategy: 34 34 - # matrix: 35 35 - # check: [treefmt] 36 36 - # needs: pre-job 37 37 - # if: needs.pre-job.outputs.should_skip != 'true' 38 38 - # steps: 39 39 - # - uses: actions/checkout@v4 40 40 - # - uses: cachix/install-nix-action@v31 41 41 - # with: 42 42 - # nix_path: nixpkgs=channel:nixos-unstable 43 43 - # - uses: cachix/cachix-action@v16 44 44 - # with: 45 45 - # name: wires 46 46 - # authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" 47 47 - # - name: Build 48 48 - # run: nix build .#checks.x86_64-linux.${{ matrix.check }} --print-build-logs 49 32 nextest: 50 33 runs-on: ubuntu-latest 51 34 needs: pre-job ··· 68 51 authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" 69 52 - name: Nextest 70 53 run: nix develop --print-build-logs -v --command cargo nextest run 54 54 + find-vm-tests: 55 55 + runs-on: ubuntu-latest 56 56 + needs: pre-job 57 57 + if: needs.pre-job.outputs.should_skip != 'true' 58 58 + outputs: 59 59 + tests: ${{ steps.tests.outputs.tests }} 60 60 + steps: 61 61 + - uses: actions/checkout@v4 62 62 + - uses: cachix/install-nix-action@v31 63 63 + with: 64 64 + nix_path: nixpkgs=channel:nixos-unstable 65 65 + - uses: cachix/cachix-action@v16 66 66 + with: 67 67 + name: wires 68 68 + authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" 69 69 + - name: find tests 70 70 + id: tests 71 71 + run: | 72 72 + echo "tests=$( 73 73 + nix eval --impure --json --expr \ 74 74 + 'with builtins; filter ((import <nixpkgs>{}).lib.hasPrefix "nixos-vm-test") (attrNames (getFlake "${{ github.workspace }}").checks.x86_64-linux)' 75 75 + )" >> "$GITHUB_OUTPUT" 76 76 + vm-tests: 77 77 + runs-on: self-hosted 78 78 + needs: find-vm-tests 79 79 + strategy: 80 80 + matrix: 81 81 + test: ${{ fromJSON(needs.find-vm-tests.outputs.tests) }} 82 82 + steps: 83 83 + - uses: actions/checkout@v4 84 84 + # - uses: cachix/install-nix-action@v31 85 85 + # with: 86 86 + # nix_path: nixpkgs=channel:nixos-unstable 87 87 + # - uses: cachix/cachix-action@v16 88 88 + # with: 89 89 + # name: wires 90 90 + # authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" 91 91 + - name: Build 92 92 + run: nix build .#checks.x86_64-linux.${{ matrix.test }} --print-build-logs

+3

flake.nix

··· 12 12 }; 13 13 outputs = 14 14 { 15 15 + self, 15 16 flake-parts, 16 17 systems, 17 18 git-hooks, ··· 30 31 ./wire/cli 31 32 ./wire/key_agent 32 33 ./doc 34 34 + ./tests/nix 33 35 ]; 34 36 systems = import systems; 35 37 ··· 45 47 _module.args = { 46 48 toolchain = inputs'.fenix.packages.complete; 47 49 craneLib = (crane.mkLib pkgs).overrideToolchain config._module.args.toolchain.toolchain; 50 50 + inherit self; 48 51 }; 49 52 treefmt = { 50 53 programs = {

-108

intergration-testing/default.nix

··· 1 1 - { 2 2 - wire ? (import ../default.nix).flake.outputs.packages.x86_64-linux.wire, 3 3 - pkgs ? (import ./nixpkgs.nix), 4 4 - ... 5 5 - }: 6 6 - let 7 7 - inherit (pkgs) lib; 8 8 - sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs; 9 9 - 10 10 - commonModule = 11 11 - { pkgs, ... }: 12 12 - { 13 13 - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; 14 14 - nix.settings.substituters = lib.mkForce [ ]; 15 15 - virtualisation = { 16 16 - memorySize = lib.mkForce (1024 * 5); 17 17 - writableStore = true; 18 18 - additionalPaths = [ 19 19 - pkgs.path 20 20 - (getPrebuiltNode "node") 21 21 - (import ../default.nix).tarball 22 22 - (import ../default.nix).flake.inputs.nixpkgs.outPath 23 23 - ./.. 24 24 - ]; 25 25 - }; 26 26 - 27 27 - services.openssh.enable = true; 28 28 - users.users.root.openssh.authorizedKeys.keys = [ 29 29 - sshKeys.snakeOilPublicKey 30 30 - ]; 31 31 - 32 32 - boot.loader.grub.enable = false; 33 33 - }; 34 34 - 35 35 - deployerModule = 36 36 - { pkgs, ... }: 37 37 - { 38 38 - imports = [ commonModule ]; 39 39 - environment.systemPackages = [ 40 40 - wire 41 41 - pkgs.git 42 42 - (pkgs.writeShellScriptBin "run-copy-stderr" '' 43 43 - exec "$@" 2>&1 44 44 - '') 45 45 - ]; 46 46 - }; 47 47 - 48 48 - targetModule = 49 49 - { ... }: 50 50 - { 51 51 - imports = [ commonModule ]; 52 52 - system.switch.enable = true; 53 53 - }; 54 54 - 55 55 - nodes = { 56 56 - deployer = deployerModule; 57 57 - node = targetModule; 58 58 - }; 59 59 - 60 60 - evalTest = 61 61 - module: 62 62 - pkgs.testers.runNixOSTest { 63 63 - inherit nodes; 64 64 - name = "deployer"; 65 65 - 66 66 - imports = [ 67 67 - module 68 68 - # commonModule 69 69 - ]; 70 70 - }; 71 71 - 72 72 - evaluate = import ../runtime/evaluate.nix; 73 73 - getPrebuiltNode = 74 74 - name: 75 75 - (evaluate { 76 76 - hive = import ./hive.nix; 77 77 - path = ./.; 78 78 - nixosConfigurations = { }; 79 79 - nixpkgs = pkgs; 80 80 - }).getTopLevel 81 81 - name; 82 82 - in 83 83 - evalTest ( 84 84 - { pkgs, ... }: 85 85 - { 86 86 - testScript = _: '' 87 87 - start_all() 88 88 - 89 89 - deployer.succeed("nix-store -qR ${getPrebuiltNode "node"}") 90 90 - node.succeed("nix-store -qR ${getPrebuiltNode "node"}") 91 91 - deployer.succeed("nix-store -qR ${pkgs.path}") 92 92 - node.succeed("nix-store -qR ${pkgs.path}") 93 93 - deployer.succeed("ln -sf ${pkgs.path} /nixpkgs") 94 94 - node.succeed("ln -sf ${pkgs.path} /nixpkgs") 95 95 - 96 96 - node.wait_for_unit("sshd.service") 97 97 - 98 98 - # Make deployer use ssh snake oil 99 99 - deployer.succeed("mkdir -p /root/.ssh && touch /root/.ssh/id_rsa && chmod 0600 /root/.ssh/id_rsa && cat ${sshKeys.snakeOilPrivateKey} > /root/.ssh/id_rsa") 100 100 - 101 101 - deployer.wait_until_succeeds("ssh -o StrictHostKeyChecking=accept-new node true", timeout=30) 102 102 - 103 103 - deployer.succeed("wire apply switch --no-progress -vv --no-keys --path ${../.}/intergration-testing/") 104 104 - 105 105 - # node.succeed("stat /etc/post-switch") 106 106 - ''; 107 107 - } 108 108 - )

-47

intergration-testing/hive.nix

··· 1 1 - { 2 2 - meta.nixpkgs = import ./nixpkgs.nix; 3 3 - 4 4 - node = 5 5 - { 6 6 - pkgs, 7 7 - lib, 8 8 - ... 9 9 - }: 10 10 - let 11 11 - sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs; 12 12 - in 13 13 - { 14 14 - deployment.target.host = "node"; 15 15 - deployment.buildOnTarget = false; 16 16 - 17 17 - nix.nixPath = [ "nixpkgs=/nixpkgs" ]; 18 18 - nix.settings.substituters = lib.mkForce [ ]; 19 19 - virtualisation = { 20 20 - memorySize = lib.mkForce (1024 * 5); 21 21 - writableStore = true; 22 22 - additionalPaths = [ pkgs.path ]; 23 23 - }; 24 24 - 25 25 - services.openssh.enable = true; 26 26 - users.users.root.openssh.authorizedKeys.keys = [ 27 27 - sshKeys.snakeOilPublicKey 28 28 - ]; 29 29 - 30 30 - system.switch.enable = true; 31 31 - 32 32 - imports = 33 33 - let 34 34 - # WTF is this and why does it work? 35 35 - pkgs = import ./nixpkgs.nix; 36 36 - in 37 37 - [ 38 38 - (pkgs.path + "/nixos/lib/testing/nixos-test-base.nix") 39 39 - ]; 40 40 - 41 41 - boot.loader.grub.enable = false; 42 42 - 43 43 - environment.etc."post-switch" = { 44 44 - text = "exists"; 45 45 - }; 46 46 - }; 47 47 - }

-4

intergration-testing/nixpkgs.nix

··· 1 1 - let 2 2 - nixpkgs = (import ../default.nix).flake.inputs.nixpkgs.outPath; 3 3 - in 4 4 - import nixpkgs { }

+124

tests/nix/default.nix

··· 1 1 + { 2 2 + self, 3 3 + config, 4 4 + lib, 5 5 + inputs, 6 6 + ... 7 7 + }: 8 8 + let 9 9 + inherit (lib) 10 10 + mkOption 11 11 + mapAttrs' 12 12 + mapAttrsToList 13 13 + flatten 14 14 + ; 15 15 + inherit (lib.types) 16 16 + submodule 17 17 + lines 18 18 + attrsOf 19 19 + anything 20 20 + lazyAttrsOf 21 21 + ; 22 22 + cfg = config.wire.testing; 23 23 + in 24 24 + { 25 25 + imports = [ ./suite/test_basic_deploy ]; 26 26 + options.wire.testing = mkOption { 27 27 + type = attrsOf ( 28 28 + submodule ( 29 29 + { name, ... }: 30 30 + { 31 31 + options = { 32 32 + nodes = mkOption { 33 33 + type = lazyAttrsOf anything; 34 34 + }; 35 35 + testScript = mkOption { 36 36 + type = lines; 37 37 + default = ''''; 38 38 + description = "test script for runNixOSTest"; 39 39 + }; 40 40 + testDir = mkOption { 41 41 + default = "${self}/tests/nix/suite/${name}"; 42 42 + readOnly = true; 43 43 + }; 44 44 + }; 45 45 + } 46 46 + ) 47 47 + ); 48 48 + description = "A set of test cases for wire VM testing suite"; 49 49 + }; 50 50 + 51 51 + config.perSystem = 52 52 + { 53 53 + pkgs, 54 54 + self', 55 55 + ... 56 56 + }: 57 57 + { 58 58 + checks = mapAttrs' (testName: opts: rec { 59 59 + name = "nixos-vm-test-${testName}"; 60 60 + value = pkgs.testers.runNixOSTest { 61 61 + inherit (opts) nodes; 62 62 + name = testName; 63 63 + defaults = 64 64 + { 65 65 + pkgs, 66 66 + evaluateHive, 67 67 + testDir, 68 68 + ... 69 69 + }: 70 70 + let 71 71 + 72 72 + hive = evaluateHive { 73 73 + nixpkgs = pkgs.path; 74 74 + path = testDir; 75 75 + hive = builtins.scopedImport { 76 76 + __nixPath = _b: null; 77 77 + __findFile = path: name: if name == "nixpkgs" then pkgs.path else throw "oops!!"; 78 78 + } "${testDir}/hive.nix"; 79 79 + }; 80 80 + nodes = mapAttrsToList (_: val: val.config.system.build.toplevel.drvPath) hive.nodes; 81 81 + # fetch **all** dependencies of a flake 82 82 + # it's called fetchLayer because my naming skills are awful 83 83 + fetchLayer = 84 84 + input: 85 85 + let 86 86 + subLayers = if input ? inputs then map fetchLayer (builtins.attrValues input.inputs) else [ ]; 87 87 + in 88 88 + [ 89 89 + input.outPath 90 90 + ] 91 91 + ++ subLayers; 92 92 + in 93 93 + { 94 94 + imports = [ ./test-opts.nix ]; 95 95 + nix = { 96 96 + nixPath = [ "nixpkgs=${pkgs.path}" ]; 97 97 + settings.substituters = lib.mkForce [ ]; 98 98 + }; 99 99 + 100 100 + virtualisation.memorySize = 4096; 101 101 + virtualisation.additionalPaths = flatten (nodes ++ (mapAttrsToList (_: fetchLayer) inputs)); 102 102 + 103 103 + }; 104 104 + node.specialArgs = { 105 105 + evaluateHive = import "${self}/runtime/evaluate.nix"; 106 106 + inherit testName; 107 107 + snakeOil = import "${pkgs.path}/nixos/tests/ssh-keys.nix" pkgs; 108 108 + inherit (opts) testDir; 109 109 + inherit (self'.packages) wire; 110 110 + }; 111 111 + # NOTE: there is surely a better way of doing this in a more 112 112 + # "controlled" manner, but until a need is asked for, this will remain 113 113 + # as is. 114 114 + testScript = 115 115 + '' 116 116 + start_all() 117 117 + '' 118 118 + + lib.concatStringsSep "\n" (mapAttrsToList (_: value: value._wire.testScript) value.nodes) 119 119 + + opts.testScript; 120 120 + }; 121 121 + 122 122 + }) cfg; 123 123 + }; 124 124 + }

+15

tests/nix/suite/test_basic_deploy/default.nix

··· 1 1 + { config, ... }: 2 2 + { 3 3 + wire.testing.test_basic_deploy = { 4 4 + nodes.deployer = { 5 5 + _wire.deployer = true; 6 6 + }; 7 7 + nodes.receiver = { 8 8 + _wire.receiver = true; 9 9 + }; 10 10 + testScript = '' 11 11 + deployer.succeed("wire apply --on receiver --no-progress --path ${config.wire.testing.test_basic_deploy.testDir}/hive.nix --no-keys -vvv >&2") 12 12 + receiver.succeed("test -f /etc/a") 13 13 + ''; 14 14 + }; 15 15 + }

+9

tests/nix/suite/test_basic_deploy/hive.nix

··· 1 1 + let 2 2 + mkHiveNode = import ../utils.nix { testName = "test_basic_deploy"; }; 3 3 + in 4 4 + { 5 5 + meta.nixpkgs = import <nixpkgs> { system = "x86_64-linux"; }; 6 6 + receiver = mkHiveNode { hostname = "receiver"; } { 7 7 + environment.etc."a".text = "b"; 8 8 + }; 9 9 + }

+42

tests/nix/suite/utils.nix

··· 1 1 + { testName }: 2 2 + let 3 3 + # Use the flake-compat code in project root to access the tests which are 4 4 + # defined through Flakes, as flake-parts is heavily depended on here. 5 5 + flake = import ../../../.; 6 6 + in 7 7 + { 8 8 + 9 9 + # This is glue for the newly deployed VMs as they need specific configuration 10 10 + # such as static network configuration and other nitpicky VM-specific options. 11 11 + # I thank Colmena & NixOps devs for providing me pointers on how to correctly create this, so 12 12 + # thank you to those who made them! 13 13 + # 14 14 + mkHiveNode = 15 15 + { 16 16 + hostname, 17 17 + system ? "x86_64-linux", 18 18 + }: 19 19 + cfg: { 20 20 + imports = [ 21 21 + cfg 22 22 + ( 23 23 + { 24 24 + modulesPath, 25 25 + ... 26 26 + }: 27 27 + { 28 28 + imports = [ 29 29 + "${modulesPath}/virtualisation/qemu-vm.nix" 30 30 + "${modulesPath}/testing/test-instrumentation.nix" 31 31 + flake.checks.${system}."nixos-vm-test-${testName}".nodes.${hostname}.system.build.networkConfig 32 32 + ]; 33 33 + 34 34 + nixpkgs.hostPlatform = system; 35 35 + boot.loader.grub.enable = false; 36 36 + } 37 37 + ) 38 38 + ]; 39 39 + }; 40 40 + 41 41 + __functor = self: self.mkHiveNode; 42 42 + }

+52

tests/nix/test-opts.nix

··· 1 1 + { 2 2 + lib, 3 3 + snakeOil, 4 4 + wire, 5 5 + config, 6 6 + ... 7 7 + }: 8 8 + let 9 9 + inherit (lib) 10 10 + mkEnableOption 11 11 + mkMerge 12 12 + mkIf 13 13 + mkOption 14 14 + ; 15 15 + inherit (lib.types) lines; 16 16 + cfg = config._wire; 17 17 + in 18 18 + { 19 19 + options._wire = { 20 20 + deployer = mkEnableOption "deployment-specific settings"; 21 21 + receiver = mkEnableOption "receiver-specific settings"; 22 22 + testScript = mkOption { 23 23 + type = lines; 24 24 + default = ""; 25 25 + description = "node-specific test script"; 26 26 + }; 27 27 + }; 28 28 + 29 29 + config = mkMerge [ 30 30 + (mkIf cfg.deployer { 31 31 + systemd.tmpfiles.rules = [ 32 32 + "C+ /root/.ssh/id_ed25519 600 - - - ${snakeOil.snakeOilEd25519PrivateKey}" 33 33 + ]; 34 34 + environment.systemPackages = [ wire ]; 35 35 + # It's important to note that you should never ever use this configuration 36 36 + # for production. You are risking a MITM attack with this! 37 37 + programs.ssh.extraConfig = '' 38 38 + Host * 39 39 + StrictHostKeyChecking no 40 40 + UserKnownHostsFile /dev/null 41 41 + ''; 42 42 + 43 43 + }) 44 44 + (mkIf cfg.receiver { 45 45 + services.openssh.enable = true; 46 46 + users.users.root.openssh.authorizedKeys.keys = [ snakeOil.snakeOilEd25519PublicKey ]; 47 47 + _wire.testScript = '' 48 48 + ${config.networking.hostName}.wait_for_unit("sshd.service") 49 49 + ''; 50 50 + }) 51 51 + ]; 52 52 + }