malpercio.dev / ezpds
An easy-to-host PDS on the ATProtocol, MacOS. Grandma-approved.
fork atom

docs(MM-135): fix implementation plan smoke tests for devenv-nixpkgs

Address code review issues with MM-135 implementation plans:

1. **Important Issue**: Phase 3 smoke tests (Tasks 2, 3, 5) used flake.inputs.nixpkgs
which lacks lib.nixosSystem in the devenv-nixpkgs fork.
- Added explanation section after Architecture that documents the workaround
- Updated all Task 2, 3, 5 nix eval commands to use builtins.getFlake "nixpkgs"
instead of flake.inputs.nixpkgs, with inline comments explaining the workaround

2. **Minor Issue**: nix flake show commands fail with devenv-nixpkgs due to IFD.
- Added --allow-import-from-derivation flag to both phase_02.md and phase_03.md
nix flake show commands
- Added notes suggesting alternative verification using nix eval for
attribute names (which doesn't require IFD)

All commands now work correctly with the project's nixpkgs pin (cachix/devenv-nixpkgs/rolling)
while remaining compatible with standard nixpkgs registry access via builtins.getFlake.

authored by malpercio.dev and committed by

Tangled 17f362f9 562add74

+786
+199
docs/implementation-plans/2026-03-09-MM-135/phase_01.md
··· 1 + # MM-135 NixOS Module — Phase 1: Write nix/module.nix 2 + 3 + **Goal:** Create the complete NixOS module at `nix/module.nix` with option declarations, TOML config generation, user/group creation, and a hardened systemd service definition. 4 + 5 + **Architecture:** A standalone NixOS module using the `{ lib, pkgs, config, ... }:` module calling convention. It declares the `services.ezpds` option tree and wires it into systemd, users, and groups. Config generation uses `pkgs.formats.toml {}`. The `configFile` escape hatch bypasses generated config for operators using agenix or sops-nix. 6 + 7 + **Tech Stack:** Nix language, NixOS module system (`lib.mkOption`, `lib.mkIf`, `lib.filterAttrs`), `pkgs.formats.toml`, systemd service options. 8 + 9 + **Scope:** Phase 1 of 3. Creates `nix/module.nix`. Phase 2 exposes it as a flake output. Phase 3 validates eval correctness end-to-end. 10 + 11 + **Codebase verified:** 2026-03-09 12 + 13 + --- 14 + 15 + ## Acceptance Criteria Coverage 16 + 17 + This phase creates the module. Eval-based verification (AC1.4, AC1.5, AC2.1–AC2.3, AC3.x) happens in Phase 3. 18 + 19 + ### MM-135.AC1: Module options are correctly declared 20 + - **MM-135.AC1.1 Success:** `nix/module.nix` exists and is tracked by git (`git ls-files nix/module.nix` returns it) 21 + - **MM-135.AC1.2 Success:** `services.ezpds.enable`, `services.ezpds.package`, `services.ezpds.configFile`, and all five `services.ezpds.settings.*` fields are defined as NixOS options 22 + - **MM-135.AC1.3 Success:** Default values match relay.toml defaults — `bind_address = "0.0.0.0"`, `port = 8080`, `data_dir = "/var/lib/ezpds"`, `database_url = null` 23 + 24 + ### MM-135.AC2: TOML config generation 25 + - **MM-135.AC2.4 Success:** The relay `ExecStart` line uses `--config <path>` pointing to the generated TOML derivation 26 + 27 + ### MM-135.AC3: `configFile` escape hatch 28 + - **MM-135.AC3.1 Success:** When `services.ezpds.configFile` is set to a path, `ExecStart` uses that path instead of the generated TOML 29 + - **MM-135.AC3.2 Success:** When `configFile` is set, changes to `settings.*` do not affect the `ExecStart` command 30 + 31 + ### MM-135.AC4: User/group and state directory 32 + - **MM-135.AC4.1 Success:** `users.users.ezpds` is defined as a system user with `group = "ezpds"` and `isSystemUser = true` 33 + - **MM-135.AC4.2 Success:** `users.groups.ezpds` is defined 34 + - **MM-135.AC4.3 Success:** `systemd.services.ezpds.serviceConfig.StateDirectory = "ezpds"` — systemd creates `/var/lib/ezpds` owned by `ezpds:ezpds` on first activation 35 + 36 + ### MM-135.AC6: Scope boundaries 37 + - **MM-135.AC6.1 Negative:** `nix/module.nix` defines no options for `[blobs]`, `[oauth]`, or `[iroh]` relay.toml sections (deferred to later milestones) 38 + 39 + --- 40 + 41 + ## Design Deviations 42 + 43 + **`configFile` type: `lib.types.nullOr lib.types.str` instead of `lib.types.nullOr lib.types.path`** 44 + 45 + The design plan option table (line 86) lists `configFile` as `nullOr path`. This implementation uses `nullOr str` instead. Reason: `lib.types.path` coerces string literals into Nix store paths at evaluation time — e.g., setting `configFile = "/run/secrets/relay.toml"` with a `path` type would produce a store path like `/nix/store/...-relay.toml` that does NOT point to the operator's secret file. This defeats the entire purpose of the escape hatch for agenix/sops-nix secret injection. Using `lib.types.str` preserves the value verbatim, matching the same rationale as `data_dir` (also `str`). The implementation is more correct than the design document on this point. 46 + 47 + --- 48 + 49 + <!-- START_TASK_1 --> 50 + ### Task 1: Create nix/module.nix 51 + 52 + **Verifies:** MM-135.AC1.1, MM-135.AC1.2, MM-135.AC1.3, MM-135.AC2.4, MM-135.AC3.1, MM-135.AC3.2, MM-135.AC4.1, MM-135.AC4.2, MM-135.AC4.3, MM-135.AC6.1 53 + 54 + **Files:** 55 + - Create: `nix/module.nix` 56 + 57 + **Step 1: Create nix/module.nix** 58 + 59 + Create `/Users/jacob.zweifel/workspace/malpercio-dev/ezpds/nix/module.nix` with the following contents: 60 + 61 + ```nix 62 + { lib, pkgs, config, ... }: 63 + 64 + let 65 + cfg = config.services.ezpds; 66 + 67 + # Build the TOML attrset, omitting database_url when null. 68 + # When null, the relay binary derives the database path from data_dir. 69 + settingsToml = lib.filterAttrs (_: v: v != null) { 70 + inherit (cfg.settings) bind_address port data_dir public_url database_url; 71 + }; 72 + 73 + generatedConfigFile = (pkgs.formats.toml { }).generate "relay.toml" settingsToml; 74 + 75 + # When configFile is set, bypass the Nix-store-generated TOML entirely. 76 + # This is the escape hatch for secret injection via agenix or sops-nix. 77 + activeConfigFile = 78 + if cfg.configFile != null then cfg.configFile else generatedConfigFile; 79 + 80 + in 81 + { 82 + options.services.ezpds = { 83 + enable = lib.mkEnableOption "ezpds relay server"; 84 + 85 + package = lib.mkOption { 86 + type = lib.types.package; 87 + description = "The ezpds relay package to use."; 88 + }; 89 + 90 + configFile = lib.mkOption { 91 + type = lib.types.nullOr lib.types.str; 92 + default = null; 93 + description = '' 94 + Path to a relay.toml configuration file. 95 + When set, all settings.* options are ignored and this path is 96 + passed directly to --config. Use with agenix or sops-nix to 97 + keep secrets outside the world-readable Nix store. 98 + ''; 99 + }; 100 + 101 + settings = { 102 + bind_address = lib.mkOption { 103 + type = lib.types.str; 104 + default = "0.0.0.0"; 105 + description = "IP address to bind the relay HTTP server to."; 106 + }; 107 + 108 + port = lib.mkOption { 109 + type = lib.types.port; 110 + default = 8080; 111 + description = "TCP port to bind the relay HTTP server to."; 112 + }; 113 + 114 + data_dir = lib.mkOption { 115 + type = lib.types.str; 116 + default = "/var/lib/ezpds"; 117 + description = '' 118 + Path to the relay data directory. Must be writable by the ezpds user. 119 + Uses lib.types.str (not lib.types.path) to preserve the value as a 120 + literal string and avoid Nix store coercion of runtime paths. 121 + ''; 122 + }; 123 + 124 + public_url = lib.mkOption { 125 + type = lib.types.str; 126 + description = '' 127 + Public URL where this relay is reachable (e.g. https://relay.example.com). 128 + Required — Nix evaluation fails if this option is not set. 129 + ''; 130 + }; 131 + 132 + database_url = lib.mkOption { 133 + type = lib.types.nullOr lib.types.str; 134 + default = null; 135 + description = '' 136 + SQLite database URL. When null (the default), the relay derives 137 + the database path from data_dir. Omitted from the generated 138 + relay.toml when null. 139 + ''; 140 + }; 141 + }; 142 + }; 143 + 144 + config = lib.mkIf cfg.enable { 145 + users.users.ezpds = { 146 + isSystemUser = true; 147 + group = "ezpds"; 148 + description = "ezpds relay service user"; 149 + }; 150 + 151 + users.groups.ezpds = { }; 152 + 153 + systemd.services.ezpds = { 154 + description = "ezpds relay server"; 155 + wantedBy = [ "multi-user.target" ]; 156 + after = [ "network.target" ]; 157 + 158 + serviceConfig = { 159 + User = "ezpds"; 160 + Group = "ezpds"; 161 + ExecStart = "${cfg.package}/bin/relay --config ${activeConfigFile}"; 162 + StateDirectory = "ezpds"; 163 + StateDirectoryMode = "0750"; 164 + Restart = "on-failure"; 165 + PrivateTmp = true; 166 + ProtectSystem = "strict"; 167 + ProtectHome = true; 168 + NoNewPrivileges = true; 169 + }; 170 + }; 171 + }; 172 + } 173 + ``` 174 + 175 + **Step 2: Verify the file is a valid Nix function** 176 + 177 + ```bash 178 + nix eval --impure --expr 'builtins.typeOf (import ./nix/module.nix)' 179 + ``` 180 + 181 + Expected output: `"lambda"` 182 + 183 + This confirms the file is a well-formed Nix function expression (the module calling convention). 184 + 185 + **Step 3: Stage and verify git tracking** 186 + 187 + ```bash 188 + git add nix/module.nix 189 + git ls-files nix/module.nix 190 + ``` 191 + 192 + Expected output: `nix/module.nix` 193 + 194 + **Step 4: Commit** 195 + 196 + ```bash 197 + git commit -m "feat(MM-135): add NixOS module nix/module.nix" 198 + ``` 199 + <!-- END_TASK_1 -->
+109
docs/implementation-plans/2026-03-09-MM-135/phase_02.md
··· 1 + # MM-135 NixOS Module — Phase 2: Extend flake.nix with nixosModules.default 2 + 3 + **Goal:** Expose `nix/module.nix` as a flake output so consumers can import it via `inputs.ezpds.nixosModules.default`. The wrapper injects the flake's own relay build as the default package. 4 + 5 + **Architecture:** Add a `nixosModules.default` top-level output (outside `forEachSystem` — modules are not per-system). The wrapper module captures `self` via closure from the `outputs` function and uses `lib.mkDefault` so the operator can still override the package. 6 + 7 + **Tech Stack:** Nix flake outputs, NixOS module system, `lib.mkDefault`. 8 + 9 + **Scope:** Phase 2 of 3. Requires Phase 1 (`nix/module.nix`) to be complete. Phase 3 validates end-to-end eval. 10 + 11 + **Codebase verified:** 2026-03-09 12 + 13 + --- 14 + 15 + ## Acceptance Criteria Coverage 16 + 17 + ### MM-135.AC5: `nixosModules.default` flake output 18 + - **MM-135.AC5.1 Success:** `nix flake show --accept-flake-config` lists `nixosModules.default` 19 + - **MM-135.AC5.2 Success:** When imported via `nixosModules.default`, `services.ezpds.package` defaults to the flake's `relay` build for the current system 20 + - **MM-135.AC5.3 Success:** The bare `nix/module.nix` is importable directly as `imports = [ ./nix/module.nix ]` without the flake wrapper, provided the user sets `services.ezpds.package` 21 + 22 + --- 23 + 24 + <!-- START_TASK_1 --> 25 + ### Task 1: Add nixosModules.default to flake.nix 26 + 27 + **Verifies:** MM-135.AC5.1, MM-135.AC5.2, MM-135.AC5.3 28 + 29 + **Files:** 30 + - Modify: `flake.nix` (insert before the closing `};` of the outputs let block, after `devShells`) 31 + 32 + Note: use the context code blocks below to locate the insertion point — do not rely on line numbers, which may shift if other changes land first. 33 + 34 + **Step 1: Edit flake.nix** 35 + 36 + In `/Users/jacob.zweifel/workspace/malpercio-dev/ezpds/flake.nix`, insert the `nixosModules.default` output after the closing `);` of the `devShells` output and before the `};` that closes the outputs let block. 37 + 38 + The current end of the outputs block is: 39 + 40 + ```nix 41 + devShells = forEachSystem (system: 42 + let 43 + pkgs = nixpkgs.legacyPackages.${system}; 44 + in { 45 + default = devenv.lib.mkShell { 46 + inherit inputs pkgs; 47 + modules = [ ./devenv.nix ]; 48 + }; 49 + } 50 + ); 51 + }; # ← line 66: closing of outputs let block 52 + } 53 + ``` 54 + 55 + After editing, it should look like: 56 + 57 + ```nix 58 + devShells = forEachSystem (system: 59 + let 60 + pkgs = nixpkgs.legacyPackages.${system}; 61 + in { 62 + default = devenv.lib.mkShell { 63 + inherit inputs pkgs; 64 + modules = [ ./devenv.nix ]; 65 + }; 66 + } 67 + ); 68 + 69 + # nixosModules is not per-system — placed outside forEachSystem. 70 + # self is captured from the outputs function closure. 71 + nixosModules.default = { lib, pkgs, ... }: { 72 + imports = [ ./nix/module.nix ]; 73 + config.services.ezpds.package = 74 + lib.mkDefault self.packages.${pkgs.system}.relay; 75 + }; 76 + }; 77 + } 78 + ``` 79 + 80 + **Step 2: Verify the flake shows nixosModules.default** 81 + 82 + ```bash 83 + nix flake show --accept-flake-config --allow-import-from-derivation 84 + ``` 85 + 86 + Expected output includes a line like: 87 + 88 + ``` 89 + ├── nixosModules 90 + │ └── default: NixOS module 91 + ``` 92 + 93 + *Note:* If `--allow-import-from-derivation` is not available in your nix version, use Step 3 instead, which does not require IFD. 94 + 95 + **Step 3: Verify nixosModules attribute names** 96 + 97 + ```bash 98 + nix eval .#nixosModules --apply builtins.attrNames --accept-flake-config 99 + ``` 100 + 101 + Expected output: `[ "default" ]` 102 + 103 + **Step 4: Commit** 104 + 105 + ```bash 106 + git add flake.nix 107 + git commit -m "feat(MM-135): expose nixosModules.default in flake.nix" 108 + ``` 109 + <!-- END_TASK_1 -->
+399
docs/implementation-plans/2026-03-09-MM-135/phase_03.md
··· 1 + # MM-135 NixOS Module — Phase 3: Validate Module Evaluation 2 + 3 + **Goal:** Confirm the module evaluates correctly across all acceptance criteria using `nix eval` smoke tests — without a live NixOS system. Tests run cross-platform on macOS (aarch64-darwin) by evaluating for `x86_64-linux`. 4 + 5 + **Architecture:** Inline `nix eval --expr` commands use `builtins.getFlake` to reference the local flake and construct minimal `nixosSystem` configurations. Two complementary approaches: 6 + 1. Full `nixpkgs.lib.nixosSystem` eval — tests option enforcement and ExecStart composition. 7 + 2. Direct `lib.filterAttrs` eval — tests TOML key inclusion/exclusion logic isolated from the module system. 8 + 9 + **Tech Stack:** `nix eval`, `nixpkgs.lib.nixosSystem`, `builtins.getFlake`, `nix flake check`. 10 + 11 + **Scope:** Phase 3 of 3. Requires Phases 1 and 2 to be complete. 12 + 13 + **Codebase verified:** 2026-03-09 14 + 15 + --- 16 + 17 + ## Important: nixpkgs Selection for Smoke Tests 18 + 19 + The project's nixpkgs pin (`cachix/devenv-nixpkgs/rolling`) is a fork of nixpkgs optimized for devenv and **does not export `lib.nixosSystem`**. Tasks 2, 3, and 5 below require evaluating `nixosSystem` configurations to test module behavior. 20 + 21 + **Workaround:** Use `builtins.getFlake "nixpkgs"` to access the system nixpkgs registry (which includes `lib.nixosSystem`), instead of `flake.inputs.nixpkgs`. This is documented in the smoke test commands below as `evalNixpkgs`. 22 + 23 + --- 24 + 25 + ## Acceptance Criteria Coverage 26 + 27 + ### MM-135.AC1: Module options are correctly declared 28 + - **MM-135.AC1.4 Failure:** Nix evaluation fails with a missing-option error when `services.ezpds.settings.public_url` is not set 29 + - **MM-135.AC1.5 Failure:** Nix evaluation fails when `services.ezpds.package` is not set and the bare module (not the flake wrapper) is used 30 + 31 + ### MM-135.AC2: TOML config generation 32 + - **MM-135.AC2.1 Success:** Generated `relay.toml` contains `bind_address`, `port`, `data_dir`, and `public_url` when all are set 33 + - **MM-135.AC2.2 Success:** When `settings.database_url` is `null`, the generated TOML does not contain a `database_url` key 34 + - **MM-135.AC2.3 Success:** When `settings.database_url` is set to a string, the generated TOML contains that `database_url` key 35 + - **MM-135.AC2.4 Success:** The relay `ExecStart` line uses `--config <path>` pointing to the generated TOML derivation 36 + 37 + ### MM-135.AC3: `configFile` escape hatch 38 + - **MM-135.AC3.1 Success:** When `services.ezpds.configFile` is set to a path, `ExecStart` uses that path instead of the generated TOML 39 + - **MM-135.AC3.2 Success:** When `configFile` is set, changes to `settings.*` do not affect the `ExecStart` command 40 + 41 + ### MM-135.AC5: `nixosModules.default` flake output 42 + - **MM-135.AC5.1 Success:** `nix flake show --accept-flake-config` lists `nixosModules.default` 43 + - **MM-135.AC5.2 Success:** When imported via `nixosModules.default`, `services.ezpds.package` defaults to the flake's `relay` build for the current system 44 + - **MM-135.AC5.3 Success:** The bare `nix/module.nix` is importable directly as `imports = [ ./nix/module.nix ]` without the flake wrapper, provided the user sets `services.ezpds.package` 45 + 46 + --- 47 + 48 + <!-- START_TASK_1 --> 49 + ### Task 1: Run nix flake check 50 + 51 + **Verifies:** MM-135.AC5.1 (nixosModules.default listed), overall flake validity 52 + 53 + **Files:** None (read-only validation) 54 + 55 + **Step 1: Run flake check** 56 + 57 + ```bash 58 + nix flake check --impure --accept-flake-config 59 + ``` 60 + 61 + `--impure` is required because devenv's CWD detection uses impure operations. `--accept-flake-config` activates the Cachix binary cache. 62 + 63 + Expected: exits with code 0, no errors. You will see warnings about omitted incompatible systems (e.g., `aarch64-linux`) — this is normal on macOS. 64 + 65 + **Step 2: Confirm nixosModules.default is listed** 66 + 67 + ```bash 68 + nix flake show --accept-flake-config --allow-import-from-derivation 69 + ``` 70 + 71 + Expected output includes: 72 + 73 + ``` 74 + ├── nixosModules 75 + │ └── default: NixOS module 76 + ``` 77 + 78 + *Note:* If `--allow-import-from-derivation` is not available in your nix version, use the attribute name check in Step 3 instead, which does not require IFD. 79 + 80 + **Step 3: Confirm attribute name** 81 + 82 + ```bash 83 + nix eval .#nixosModules --apply builtins.attrNames --accept-flake-config 84 + ``` 85 + 86 + Expected: `[ "default" ]` 87 + <!-- END_TASK_1 --> 88 + 89 + <!-- START_TASK_2 --> 90 + ### Task 2: Smoke test — minimal valid configuration 91 + 92 + **Verifies:** MM-135.AC2.4 (ExecStart uses --config), MM-135.AC5.2 (package defaults to flake's relay) 93 + 94 + **Files:** None (read-only validation) 95 + 96 + All `nix eval` commands below must be run from the repo root (`/Users/jacob.zweifel/workspace/malpercio-dev/ezpds`). 97 + 98 + **Step 1: Verify ExecStart with minimal config** 99 + 100 + ```bash 101 + nix eval --impure --accept-flake-config --raw --expr ' 102 + let 103 + flake = builtins.getFlake (builtins.toString ./.); 104 + # devenv-nixpkgs fork lacks lib.nixosSystem; use system nixpkgs from registry 105 + evalNixpkgs = builtins.getFlake "nixpkgs"; 106 + sys = evalNixpkgs.lib.nixosSystem { 107 + system = "x86_64-linux"; 108 + modules = [ 109 + flake.nixosModules.default 110 + { 111 + services.ezpds.enable = true; 112 + services.ezpds.settings.public_url = "https://relay.example.com"; 113 + } 114 + ]; 115 + }; 116 + in sys.config.systemd.services.ezpds.serviceConfig.ExecStart 117 + ' 118 + ``` 119 + 120 + Expected: a string like `/nix/store/...-relay-0.1.0/bin/relay --config /nix/store/...-relay.toml` 121 + 122 + Confirm: 123 + - It starts with a Nix store path ending in `/bin/relay` 124 + - It contains `--config /nix/store/` (generated TOML in store, not a custom path) 125 + 126 + **Step 2: Verify user declaration** 127 + 128 + ```bash 129 + nix eval --impure --accept-flake-config --json --expr ' 130 + let 131 + flake = builtins.getFlake (builtins.toString ./.); 132 + # devenv-nixpkgs fork lacks lib.nixosSystem; use system nixpkgs from registry 133 + evalNixpkgs = builtins.getFlake "nixpkgs"; 134 + sys = evalNixpkgs.lib.nixosSystem { 135 + system = "x86_64-linux"; 136 + modules = [ 137 + flake.nixosModules.default 138 + { 139 + services.ezpds.enable = true; 140 + services.ezpds.settings.public_url = "https://relay.example.com"; 141 + } 142 + ]; 143 + }; 144 + u = sys.config.users.users.ezpds; 145 + in { isSystemUser = u.isSystemUser; group = u.group; } 146 + ' 147 + ``` 148 + 149 + Expected: `{"group":"ezpds","isSystemUser":true}` 150 + <!-- END_TASK_2 --> 151 + 152 + <!-- START_TASK_3 --> 153 + ### Task 3: Smoke test — missing required option fails eval 154 + 155 + **Verifies:** MM-135.AC1.4 (missing public_url causes eval error), MM-135.AC1.5 (missing package causes eval error with bare module) 156 + 157 + **Files:** None (read-only validation) 158 + 159 + **Step 1: Missing public_url must fail** 160 + 161 + ```bash 162 + nix eval --impure --accept-flake-config --raw --expr ' 163 + let 164 + flake = builtins.getFlake (builtins.toString ./.); 165 + # devenv-nixpkgs fork lacks lib.nixosSystem; use system nixpkgs from registry 166 + evalNixpkgs = builtins.getFlake "nixpkgs"; 167 + sys = evalNixpkgs.lib.nixosSystem { 168 + system = "x86_64-linux"; 169 + modules = [ 170 + flake.nixosModules.default 171 + { 172 + services.ezpds.enable = true; 173 + # public_url intentionally not set 174 + } 175 + ]; 176 + }; 177 + in sys.config.systemd.services.ezpds.serviceConfig.ExecStart 178 + ' 179 + echo "Exit code: $?" 180 + ``` 181 + 182 + Expected: exits with non-zero code. The error message should reference `services.ezpds.settings.public_url` as undefined or missing. 183 + 184 + **Step 2: Missing package must fail when using bare module** 185 + 186 + ```bash 187 + nix eval --impure --accept-flake-config --raw --expr ' 188 + let 189 + # devenv-nixpkgs fork lacks lib.nixosSystem; use system nixpkgs from registry 190 + evalNixpkgs = builtins.getFlake "nixpkgs"; 191 + sys = evalNixpkgs.lib.nixosSystem { 192 + system = "x86_64-linux"; 193 + modules = [ 194 + (import ./nix/module.nix) # bare module, no flake wrapper 195 + { 196 + services.ezpds.enable = true; 197 + services.ezpds.settings.public_url = "https://relay.example.com"; 198 + # package intentionally not set 199 + } 200 + ]; 201 + }; 202 + in sys.config.systemd.services.ezpds.serviceConfig.ExecStart 203 + ' 204 + echo "Exit code: $?" 205 + ``` 206 + 207 + Expected: exits with non-zero code. The error should reference `services.ezpds.package` as undefined. 208 + <!-- END_TASK_3 --> 209 + 210 + <!-- START_TASK_4 --> 211 + ### Task 4: Smoke test — TOML key inclusion/exclusion 212 + 213 + **Verifies:** MM-135.AC2.1 (expected keys present), MM-135.AC2.2 (database_url absent when null), MM-135.AC2.3 (database_url present when set) 214 + 215 + **Files:** None (read-only validation) 216 + 217 + These tests verify the `lib.filterAttrs` filtering pattern that the module uses for TOML generation — they test the filtering logic directly using `nixpkgs.lib`, not through the full module. This is the practical approach on macOS because reading the actual generated TOML file requires Import from Derivation (IFD), which requires building the derivation, which requires a Linux builder. 218 + 219 + **Limitation:** These tests verify that `lib.filterAttrs (_: v: v != null)` correctly excludes/includes keys given the same attrset the module constructs. If the module's `settingsToml` let binding were to use a different set of keys (e.g., a typo in a field name), these tests would not catch the regression since they duplicate the logic inline. Task 2 Step 1 (ExecStart eval through the full nixosSystem) provides integration coverage of the generated path existing. 220 + 221 + **On Linux:** The generated TOML file contents can be read directly after building. To read the actual file on a Linux system or CI with a Linux builder: 222 + ```bash 223 + nix eval --impure --accept-flake-config --raw --expr ' 224 + let 225 + flake = builtins.getFlake (builtins.toString ./.); 226 + nixpkgs = flake.inputs.nixpkgs; 227 + sys = nixpkgs.lib.nixosSystem { 228 + system = "x86_64-linux"; 229 + modules = [ 230 + flake.nixosModules.default 231 + { services.ezpds.enable = true; services.ezpds.settings.public_url = "https://relay.example.com"; } 232 + ]; 233 + }; 234 + execStart = sys.config.systemd.services.ezpds.serviceConfig.ExecStart; 235 + # Extract the --config path from ExecStart: "... --config /nix/store/...-relay.toml" 236 + configPath = builtins.elemAt (builtins.match ".* --config (.*)" execStart) 0; 237 + in builtins.readFile configPath 238 + ' 239 + # Then confirm presence/absence of keys in the output 240 + ``` 241 + 242 + **Step 1: Verify database_url is excluded when null** 243 + 244 + ```bash 245 + nix eval --impure --accept-flake-config --expr ' 246 + let 247 + lib = (builtins.getFlake (builtins.toString ./.)).inputs.nixpkgs.lib; 248 + settingsToml = lib.filterAttrs (_: v: v != null) { 249 + bind_address = "0.0.0.0"; 250 + port = 8080; 251 + data_dir = "/var/lib/ezpds"; 252 + public_url = "https://relay.example.com"; 253 + database_url = null; 254 + }; 255 + in lib.hasAttr "database_url" settingsToml 256 + ' 257 + ``` 258 + 259 + Expected: `false` 260 + 261 + **Step 2: Verify all expected keys are present** 262 + 263 + ```bash 264 + nix eval --impure --accept-flake-config --expr ' 265 + let 266 + lib = (builtins.getFlake (builtins.toString ./.)).inputs.nixpkgs.lib; 267 + settingsToml = lib.filterAttrs (_: v: v != null) { 268 + bind_address = "0.0.0.0"; 269 + port = 8080; 270 + data_dir = "/var/lib/ezpds"; 271 + public_url = "https://relay.example.com"; 272 + database_url = null; 273 + }; 274 + keys = builtins.attrNames settingsToml; 275 + in builtins.all (k: builtins.elem k keys) [ "bind_address" "port" "data_dir" "public_url" ] 276 + ' 277 + ``` 278 + 279 + Expected: `true` 280 + 281 + **Step 3: Verify database_url is included when set** 282 + 283 + ```bash 284 + nix eval --impure --accept-flake-config --expr ' 285 + let 286 + lib = (builtins.getFlake (builtins.toString ./.)).inputs.nixpkgs.lib; 287 + settingsToml = lib.filterAttrs (_: v: v != null) { 288 + bind_address = "0.0.0.0"; 289 + port = 8080; 290 + data_dir = "/var/lib/ezpds"; 291 + public_url = "https://relay.example.com"; 292 + database_url = "sqlite:///var/lib/ezpds/custom.db"; 293 + }; 294 + in lib.hasAttr "database_url" settingsToml 295 + ' 296 + ``` 297 + 298 + Expected: `true` 299 + <!-- END_TASK_4 --> 300 + 301 + <!-- START_TASK_5 --> 302 + ### Task 5: Smoke test — configFile escape hatch 303 + 304 + **Verifies:** MM-135.AC3.1 (ExecStart uses configFile path), MM-135.AC3.2 (settings changes don't affect ExecStart when configFile set) 305 + 306 + **Files:** None (read-only validation) 307 + 308 + **Step 1: Verify ExecStart uses configFile when set** 309 + 310 + ```bash 311 + nix eval --impure --accept-flake-config --raw --expr ' 312 + let 313 + flake = builtins.getFlake (builtins.toString ./.); 314 + # devenv-nixpkgs fork lacks lib.nixosSystem; use system nixpkgs from registry 315 + evalNixpkgs = builtins.getFlake "nixpkgs"; 316 + sys = evalNixpkgs.lib.nixosSystem { 317 + system = "x86_64-linux"; 318 + modules = [ 319 + flake.nixosModules.default 320 + { 321 + services.ezpds.enable = true; 322 + services.ezpds.configFile = "/run/secrets/relay.toml"; 323 + services.ezpds.settings.public_url = "https://relay.example.com"; 324 + } 325 + ]; 326 + }; 327 + in sys.config.systemd.services.ezpds.serviceConfig.ExecStart 328 + ' 329 + ``` 330 + 331 + Expected: `.../bin/relay --config /run/secrets/relay.toml` 332 + 333 + The path must be `/run/secrets/relay.toml` (the configFile value), not a `/nix/store/...` path. 334 + 335 + **Step 2: Verify settings changes don't affect ExecStart when configFile is set** 336 + 337 + Run the same eval twice with different `settings.public_url` values — the ExecStart must be identical: 338 + 339 + ```bash 340 + nix eval --impure --accept-flake-config --raw --expr ' 341 + let 342 + flake = builtins.getFlake (builtins.toString ./.); 343 + # devenv-nixpkgs fork lacks lib.nixosSystem; use system nixpkgs from registry 344 + evalNixpkgs = builtins.getFlake "nixpkgs"; 345 + mkSys = url: evalNixpkgs.lib.nixosSystem { 346 + system = "x86_64-linux"; 347 + modules = [ 348 + flake.nixosModules.default 349 + { 350 + services.ezpds.enable = true; 351 + services.ezpds.configFile = "/run/secrets/relay.toml"; 352 + services.ezpds.settings.public_url = url; 353 + } 354 + ]; 355 + }; 356 + execA = (mkSys "https://relay-a.example.com").config.systemd.services.ezpds.serviceConfig.ExecStart; 357 + execB = (mkSys "https://relay-b.example.com").config.systemd.services.ezpds.serviceConfig.ExecStart; 358 + in if execA == execB then "PASS: settings changes do not affect ExecStart" else "FAIL: ExecStart changed" 359 + ' 360 + ``` 361 + 362 + Expected: `PASS: settings changes do not affect ExecStart` 363 + <!-- END_TASK_5 --> 364 + 365 + <!-- START_TASK_6 --> 366 + ### Task 6: Add nix-check recipe to justfile 367 + 368 + **Verifies:** Operationalizes the smoke tests for ongoing use 369 + 370 + **Files:** 371 + - Modify: `justfile` 372 + 373 + **Step 1: Add nix-check recipe** 374 + 375 + Append to `/Users/jacob.zweifel/workspace/malpercio-dev/ezpds/justfile`: 376 + 377 + ```just 378 + # Validate NixOS module evaluation (flake structure check). 379 + # For full smoke tests (ExecStart composition, option enforcement, configFile 380 + # escape hatch), run the nix eval commands in phase_03.md Tasks 2-5 manually. 381 + nix-check: 382 + nix flake check --impure --accept-flake-config 383 + ``` 384 + 385 + **Step 2: Verify it runs** 386 + 387 + ```bash 388 + just nix-check 389 + ``` 390 + 391 + Expected: exits 0. 392 + 393 + **Step 3: Commit** 394 + 395 + ```bash 396 + git add justfile 397 + git commit -m "chore(MM-135): add nix-check recipe to justfile" 398 + ``` 399 + <!-- END_TASK_6 -->
+79
docs/implementation-plans/2026-03-09-MM-135/test-requirements.md
··· 1 + # MM-135 Test Requirements 2 + 3 + ## Automated Tests 4 + 5 + ### MM-135.AC1: Module options are correctly declared 6 + 7 + | Criterion | Description | Test Location | Command / Assertion | Expected Result | 8 + |-----------|-------------|---------------|---------------------|-----------------| 9 + | MM-135.AC1.1 | `nix/module.nix` exists and is tracked by git | Phase 1 Task 1, Step 3 | `git ls-files nix/module.nix` | Returns `nix/module.nix` | 10 + | MM-135.AC1.2 | All option fields are defined (`enable`, `package`, `configFile`, five `settings.*` fields) | Phase 1 Task 1, Step 2 | `nix eval --impure --expr 'builtins.typeOf (import ./nix/module.nix)'` | Returns `"lambda"` (confirms valid module function). Full option presence is structurally verified by Phase 3 Task 2 Step 1 (ExecStart eval succeeds only if all options resolve) and Phase 3 Task 3 (missing required options fail eval). | 11 + | MM-135.AC1.3 | Default values match relay.toml defaults (`bind_address = "0.0.0.0"`, `port = 8080`, `data_dir = "/var/lib/ezpds"`, `database_url = null`) | Phase 3 Task 2 Step 1 + Phase 3 Task 4 Steps 1-2 | Task 2 Step 1: eval a minimal config (only `public_url` set) and extract `ExecStart` — succeeds only if defaults are valid. Task 4 Steps 1-2: verify `database_url` is excluded when null (confirming the null default) and that `bind_address`, `port`, `data_dir`, `public_url` are all present with defaults. | Task 2: ExecStart string contains `/bin/relay --config /nix/store/...-relay.toml`. Task 4 Step 1: `false` (database_url absent). Task 4 Step 2: `true` (all four non-null keys present). | 12 + | MM-135.AC1.4 | Eval fails when `public_url` is not set | Phase 3 Task 3, Step 1 | `nix eval --impure --accept-flake-config --raw --expr '...'` (nixosSystem with `enable = true` but no `public_url`) | Non-zero exit code. Error references `services.ezpds.settings.public_url` as undefined/missing. | 13 + | MM-135.AC1.5 | Eval fails when `package` is not set and bare module (not flake wrapper) is used | Phase 3 Task 3, Step 2 | `nix eval --impure --accept-flake-config --raw --expr '...'` (nixosSystem importing bare `./nix/module.nix` with `public_url` set but no `package`) | Non-zero exit code. Error references `services.ezpds.package` as undefined. | 14 + 15 + ### MM-135.AC2: TOML config generation 16 + 17 + | Criterion | Description | Test Location | Command / Assertion | Expected Result | 18 + |-----------|-------------|---------------|---------------------|-----------------| 19 + | MM-135.AC2.1 | Generated TOML contains `bind_address`, `port`, `data_dir`, and `public_url` when all are set | Phase 3 Task 4, Step 2 | `nix eval --impure --accept-flake-config --expr '... builtins.all (k: builtins.elem k keys) [ "bind_address" "port" "data_dir" "public_url" ]'` | `true` | 20 + | MM-135.AC2.2 | When `database_url` is null, the generated TOML does not contain a `database_url` key | Phase 3 Task 4, Step 1 | `nix eval --impure --accept-flake-config --expr '... lib.hasAttr "database_url" settingsToml'` (with `database_url = null`) | `false` | 21 + | MM-135.AC2.3 | When `database_url` is set, the generated TOML contains the key | Phase 3 Task 4, Step 3 | `nix eval --impure --accept-flake-config --expr '... lib.hasAttr "database_url" settingsToml'` (with `database_url = "sqlite:///var/lib/ezpds/custom.db"`) | `true` | 22 + | MM-135.AC2.4 | `ExecStart` uses `--config <path>` pointing to generated TOML | Phase 3 Task 2, Step 1 | `nix eval --impure --accept-flake-config --raw --expr '... sys.config.systemd.services.ezpds.serviceConfig.ExecStart'` | String matching `/nix/store/...-relay-0.1.0/bin/relay --config /nix/store/...-relay.toml` | 23 + 24 + ### MM-135.AC3: `configFile` escape hatch 25 + 26 + | Criterion | Description | Test Location | Command / Assertion | Expected Result | 27 + |-----------|-------------|---------------|---------------------|-----------------| 28 + | MM-135.AC3.1 | When `configFile` is set, `ExecStart` uses that path instead of generated TOML | Phase 3 Task 5, Step 1 | `nix eval --impure --accept-flake-config --raw --expr '...'` (with `configFile = "/run/secrets/relay.toml"`) | String ends with `--config /run/secrets/relay.toml` (not a `/nix/store/...` path) | 29 + | MM-135.AC3.2 | When `configFile` is set, changes to `settings.*` do not affect `ExecStart` | Phase 3 Task 5, Step 2 | `nix eval --impure --accept-flake-config --raw --expr '...'` (evaluates two configs with different `public_url` values but same `configFile`, compares ExecStart strings) | `PASS: settings changes do not affect ExecStart` | 30 + 31 + ### MM-135.AC4: User/group and state directory 32 + 33 + | Criterion | Description | Test Location | Command / Assertion | Expected Result | 34 + |-----------|-------------|---------------|---------------------|-----------------| 35 + | MM-135.AC4.1 | `users.users.ezpds` is a system user with `group = "ezpds"` and `isSystemUser = true` | Phase 3 Task 2, Step 2 | `nix eval --impure --accept-flake-config --json --expr '... { isSystemUser = u.isSystemUser; group = u.group; }'` | `{"group":"ezpds","isSystemUser":true}` | 36 + | MM-135.AC4.2 | `users.groups.ezpds` is defined | Phase 1 Task 1 (code review) | Structural: `nix/module.nix` contains `users.groups.ezpds = { };` in the `config` block | Group definition present in source. See Human Verification section for eval-level confirmation. | 37 + | MM-135.AC4.3 | `systemd.services.ezpds.serviceConfig.StateDirectory = "ezpds"` | Phase 1 Task 1 (code review) | Structural: `nix/module.nix` contains `StateDirectory = "ezpds";` in `serviceConfig` | StateDirectory present in source. See Human Verification section for eval-level confirmation. | 38 + 39 + ### MM-135.AC5: `nixosModules.default` flake output 40 + 41 + | Criterion | Description | Test Location | Command / Assertion | Expected Result | 42 + |-----------|-------------|---------------|---------------------|-----------------| 43 + | MM-135.AC5.1 | `nix flake show` lists `nixosModules.default` | Phase 2 Task 1 Step 2 + Phase 3 Task 1 Steps 2-3 | `nix flake show --accept-flake-config` and `nix eval .#nixosModules --apply builtins.attrNames --accept-flake-config` | Output includes `nixosModules` / `default: NixOS module`. Attribute names return `[ "default" ]`. | 44 + | MM-135.AC5.2 | When imported via `nixosModules.default`, `services.ezpds.package` defaults to the flake's relay build | Phase 3 Task 2, Step 1 | `nix eval --impure --accept-flake-config --raw --expr '...'` (minimal config via `nixosModules.default` without setting `package`) | ExecStart contains a Nix store path to the relay binary (package was auto-injected). | 45 + | MM-135.AC5.3 | Bare `nix/module.nix` is importable directly if `package` is set | Phase 3 Task 3, Step 2 (inverse) | The bare-module test (Step 2) fails only because `package` is missing. This confirms the bare module is syntactically importable — the failure is about the missing required option, not an import failure. | Non-zero exit referencing `services.ezpds.package`, not a syntax or import error. | 46 + 47 + ### MM-135.AC6: Scope boundaries 48 + 49 + | Criterion | Description | Test Location | Command / Assertion | Expected Result | 50 + |-----------|-------------|---------------|---------------------|-----------------| 51 + | MM-135.AC6.1 | Module defines no options for `[blobs]`, `[oauth]`, or `[iroh]` sections | Phase 1 Task 1 (code review) | Structural: verify that `nix/module.nix` source contains no `blobs`, `oauth`, or `iroh` option declarations | No such options exist in the file. See Human Verification section. | 52 + 53 + --- 54 + 55 + ## Human Verification 56 + 57 + ### Criteria requiring manual verification 58 + 59 + | Criterion | Reason | Verification Approach | 60 + |-----------|--------|-----------------------| 61 + | MM-135.AC2.1 (full TOML content) | Phase 3 Task 4 tests the `filterAttrs` logic in isolation, not the actual generated TOML file. Reading the generated TOML requires IFD (Import from Derivation), which requires a Linux builder. | **On Linux / CI:** Run the IFD-based command from Phase 3 Task 4 "On Linux" block: extract the `--config` path from ExecStart and `builtins.readFile` it, then confirm `bind_address`, `port`, `data_dir`, and `public_url` keys are present. | 62 + | MM-135.AC4.2 (group eval) | Phase 3 tests verify the user but do not explicitly eval `users.groups.ezpds`. | **Manual eval:** `nix eval --impure --accept-flake-config --json --expr '... builtins.hasAttr "ezpds" sys.config.users.groups'` where `sys` is a minimal nixosSystem with the module enabled. Expected: `true`. | 63 + | MM-135.AC4.3 (StateDirectory eval) | Phase 3 tests verify ExecStart but do not explicitly eval `StateDirectory`. | **Manual eval:** `nix eval --impure --accept-flake-config --raw --expr '... sys.config.systemd.services.ezpds.serviceConfig.StateDirectory'`. Expected: `"ezpds"`. | 64 + | MM-135.AC6.1 (no stub sections) | Negative criterion — automated tests verify what exists, not what is absent. | **Code review:** `grep -E 'blobs\|oauth\|iroh' nix/module.nix` must produce zero matches. | 65 + | MM-135.AC5.3 (bare module success path) | Phase 3 Task 3 Step 2 proves the bare module is importable by showing the failure is a missing required option, not an import error. But no test demonstrates a successful eval with `package` set explicitly. | **Manual eval:** Run the bare-module eval with `services.ezpds.package = pkgs.hello` (any derivation as stand-in) and `public_url` set. Confirm eval succeeds and ExecStart contains the provided package path. | 66 + | Runtime behavior | All tests are eval-time (Nix expression evaluation). No test confirms the relay binary actually starts under systemd with the generated config. | **NixOS VM or deployment:** Use `nixos-rebuild build-vm` or deploy to a NixOS test system. Run `systemctl status ezpds` and verify the service starts, runs as `ezpds:ezpds`, and writes to `/var/lib/ezpds`. | 67 + | Systemd hardening | Directives (`ProtectSystem = "strict"`, `PrivateTmp`, `NoNewPrivileges`, `StateDirectoryMode = "0750"`) are set in source but not eval-tested. | **Code review + runtime:** Inspect `nix/module.nix` for the hardening directives. On a live NixOS system, run `systemd-analyze security ezpds` to verify the security score. | 68 + 69 + --- 70 + 71 + ## Notes 72 + 73 + 1. **macOS vs Linux limitation:** All Phase 3 smoke tests evaluate for `system = "x86_64-linux"` on a macOS host. This works for pure Nix option evaluation but cannot build derivations or read generated file contents (IFD). Full TOML content verification (AC2.1 complete) requires a Linux builder. 74 + 75 + 2. **Phase 3 Task 4 test fidelity:** The TOML key inclusion/exclusion tests duplicate the `lib.filterAttrs` logic inline rather than evaluating through the module. If the module's `settingsToml` binding diverged from the tested pattern, these tests would not catch the regression. This is a known limitation documented in Phase 3 Task 4. 76 + 77 + 3. **`nix flake check` coverage:** Validates overall flake structure (outputs schema, module syntax) but does not evaluate NixOS configurations. The individual `nix eval` smoke tests in Phase 3 Tasks 2-5 provide the deeper option-resolution coverage. 78 + 79 + 4. **`configFile` type deviation:** The implementation uses `lib.types.nullOr lib.types.str` for `configFile` (not `path` as in the design table). This is intentional — `path` type coerces values into Nix store paths, defeating the escape hatch. Tests in Phase 3 Task 5 validate the `str` behavior by confirming the literal path appears in ExecStart.