selfhostblocks/test/common.nix

{ lib }:
let
  baseImports = pkgs: [
    (pkgs.path + "/nixos/modules/profiles/headless.nix")
    (pkgs.path + "/nixos/modules/profiles/qemu-guest.nix")
  ];
in
{
  accessScript = {
    subdomain
    , domain
    , hasSSL
    , waitForServices ? s: []
    , waitForPorts ? p: []
    , waitForUnixSocket ? u: []
    , extraScript ? {...}: ""
    , redirectSSO ? false
  }: { nodes, ... }:
    let
      fqdn = "${subdomain}.${domain}";
      proto_fqdn = if hasSSL args then "https://${fqdn}" else "http://${fqdn}";

      args = {
        node.name = "server";
        node.config = nodes.server;
        inherit proto_fqdn;
      };
    in
    ''
    import json
    import os
    import pathlib

    start_all()
    ''
    + lib.strings.concatMapStrings (s: ''server.wait_for_unit("${s}")'' + "\n") (
      waitForServices args
      ++ (lib.optionals redirectSSO [ "authelia-auth.${domain}.service" ])
    )
    + lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (
      waitForPorts args
      # TODO: when the SSO block exists, replace this hardcoded port.
      ++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )
    )
    + lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)
    + ''
    if ${if hasSSL args then "True" else "False"}:
        server.copy_from_vm("/etc/ssl/certs/ca-certificates.crt")
        client.succeed("rm -r /etc/ssl/certs")
        client.copy_from_host(str(pathlib.Path(os.environ.get("out", os.getcwd())) / "ca-certificates.crt"), "/etc/ssl/certs/ca-certificates.crt")

    def curl(target, format, endpoint, data="", extra=""):
        cmd = ("curl --show-error --location"
              + " --cookie-jar cookie.txt"
              + " --cookie cookie.txt"
              + " --connect-to ${fqdn}:443:server:443"
              + " --connect-to ${fqdn}:80:server:80"
              # Client must be able to resolve talking to auth server
              + " --connect-to auth.${domain}:443:server:443"
              + (f" --data '{data}'" if data != "" else "")
              + (f" --silent --output /dev/null --write-out '{format}'" if format != "" else "")
              + (f" {extra}" if extra != "" else "")
              + f" {endpoint}")
        print(cmd)
        _, r = target.execute(cmd)
        # print(r)
        return json.loads(r)

    def unline_with(j, s):
        return j.join((x.strip() for x in s.split("\n")))

    ''
    + (if (! redirectSSO) then ''
    with subtest("access"):
        response = curl(client, """{"code":%{response_code}}""", "${proto_fqdn}")

        if response['code'] != 200:
            raise Exception(f"Code is {response['code']}")
    '' else ''
    with subtest("unauthenticated access is not granted"):
        response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}")

        if response['code'] != 200:
            raise Exception(f"Code is {response['code']}")
        if response['auth_host'] != "auth.${domain}":
            raise Exception(f"auth host should be auth.${domain} but is {response['auth_host']}")
        if response['auth_query'] != "rd=${proto_fqdn}/":
            raise Exception(f"auth query should be rd=${proto_fqdn}/ but is {response['auth_query']}")
    ''
    )
    + (let
      script = extraScript args;
      indent = i: str: lib.concatMapStringsSep "\n" (x: (lib.strings.replicate i " ") + x) (lib.splitString "\n" script);
    in
      lib.optionalString (script != "") ''
        with subtest("extraScript"):
        ${indent 4 script}
      '');

  inherit baseImports;

  base = pkgs: additionalModules: {
    imports =
      ( baseImports pkgs )
      ++ [
        # TODO: replace postgresql.nix and authelia.nix by the sso contract
        ../modules/blocks/postgresql.nix
        ../modules/blocks/authelia.nix
        ../modules/blocks/nginx.nix
        ../modules/blocks/hardcodedsecret.nix
      ]
      ++ additionalModules;

    # Nginx port.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };

  certs = domain: { config, ... }: {
    imports = [
      ../modules/blocks/ssl.nix
    ];

    shb.certs = {
      cas.selfsigned.myca = {
        name = "My CA";
      };
      certs.selfsigned = {
        n = {
          ca = config.shb.certs.cas.selfsigned.myca;
          domain = "*.${domain}";
          group = "nginx";
        };
      };
    };

    systemd.services.nginx.after = [ config.shb.certs.certs.selfsigned.n.systemdService ];
    systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];
  };

  ldap = domain: pkgs: { config, ... }: {
    imports = [
      ../modules/blocks/ldap.nix
    ];

    networking.hosts = {
      "127.0.0.1" = [ "ldap.${domain}" ];
    };

    shb.hardcodedsecret.ldapUserPassword = config.shb.ldap.ldapUserPassword.request // {
      content = "ldapUserPassword";
    };
    shb.hardcodedsecret.jwtSecret = config.shb.ldap.ldapUserPassword.request // {
      content = "jwtSecrets";
    };

    shb.ldap = {
      enable = true;
      inherit domain;
      subdomain = "ldap";
      ldapPort = 3890;
      webUIListenPort = 17170;
      dcdomain = "dc=example,dc=com";
      ldapUserPassword.result.path = config.shb.hardcodedsecret.ldapUserPassword.path;
      jwtSecret.result.path = config.shb.hardcodedsecret.jwtSecret.path;
    };
  };

  sso = domain: pkgs: ssl: { config, ... }: {
    imports = [
      ../modules/blocks/authelia.nix
    ];

    networking.hosts = {
      "127.0.0.1" = [ "auth.${domain}" ];
    };

    shb.authelia = {
      enable = true;
      inherit domain;
      subdomain = "auth";
      ssl = config.shb.certs.certs.selfsigned.n;

      ldapHostname = "127.0.0.1";
      ldapPort = config.shb.ldap.ldapPort;
      dcdomain = config.shb.ldap.dcdomain;

      secrets = {
        jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
        ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
        sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
        storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
        identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
        identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
      };
    };

    shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
      content = "jwtSecret";
    };
    shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
      content = "ldapUserPassword";
    };
    shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
      content = "sessionSecret";
    };
    shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
      content = "storageEncryptionKey";
    };
    shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
      content = "identityProvidersOIDCHMACSecret";
    };
    shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
      source = (pkgs.runCommand "gen-private-key" {} ''
        mkdir $out
        ${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
      '') + "/private.pem";
    };
  };

}
switch jellyfin to new secrets contract This rabbit hole of a task lead me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read. 2024-10-13 21:43:49 +02:00			`{ lib }:`
add backup contract 2024-08-20 07:09:10 +02:00			`let`
			`baseImports = pkgs: [`
			`(pkgs.path + "/nixos/modules/profiles/headless.nix")`
			`(pkgs.path + "/nixos/modules/profiles/qemu-guest.nix")`
			`];`
			`in`
refactor common test script 2024-07-12 13:01:26 +02:00			`{`
			`accessScript = {`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`subdomain`
			`, domain`
refactor common test script 2024-07-12 13:01:26 +02:00			`, hasSSL`
			`, waitForServices ? s: []`
			`, waitForPorts ? p: []`
			`, waitForUnixSocket ? u: []`
			`, extraScript ? {...}: ""`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`, redirectSSO ? false`
refactor common test script 2024-07-12 13:01:26 +02:00			`}: { nodes, ... }:`
			`let`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`fqdn = "${subdomain}.${domain}";`
refactor common test script 2024-07-12 13:01:26 +02:00			`proto_fqdn = if hasSSL args then "https://${fqdn}" else "http://${fqdn}";`

			`args = {`
			`node.name = "server";`
			`node.config = nodes.server;`
			`inherit proto_fqdn;`
			`};`
			`in`
			`''`
			`import json`
			`import os`
			`import pathlib`

			`start_all()`
			`''`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`+ lib.strings.concatMapStrings (s: ''server.wait_for_unit("${s}")'' + "\n") (`
			`waitForServices args`
			`++ (lib.optionals redirectSSO [ "authelia-auth.${domain}.service" ])`
			`)`
			`+ lib.strings.concatMapStrings (p: ''server.wait_for_open_port(${toString p})'' + "\n") (`
			`waitForPorts args`
flake.lock: Update (#244) Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action. ``` Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9ca3f649614213b2aaf5f1e16ec06952fe4c2632?narHash=sha256-7EXDb5WBw%2Bd004Agt%2BJHC/Oyh/KTUglOaQ4MNjBbo5w%3D' (2024-05-27) → 'github:nixos/nixpkgs/71e91c409d1e654808b2621f28a327acfdad8dc2?narHash=sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w%3D' (2024-08-28) ``` ### Running GitHub Actions on this PR GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action. To run GitHub Actions workflows on this PR, run: ```sh git branch -D update_flake_lock_action git fetch origin git checkout update_flake_lock_action git commit --amend --no-edit git push origin update_flake_lock_action --force ``` --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> 2024-08-31 09:57:21 +02:00			`# TODO: when the SSO block exists, replace this hardcoded port.`
			`++ (lib.optionals redirectSSO [ 9091 /* nodes.server.services.authelia.instances."auth.${domain}".settings.server.port */ ] )`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`)`
refactor common test script 2024-07-12 13:01:26 +02:00			`+ lib.strings.concatMapStrings (u: ''server.wait_for_open_unix_socket("${u}")'' + "\n") (waitForUnixSocket args)`
			`+ ''`
			`if ${if hasSSL args then "True" else "False"}:`
			`server.copy_from_vm("/etc/ssl/certs/ca-certificates.crt")`
			`client.succeed("rm -r /etc/ssl/certs")`
			`client.copy_from_host(str(pathlib.Path(os.environ.get("out", os.getcwd())) / "ca-certificates.crt"), "/etc/ssl/certs/ca-certificates.crt")`

refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`def curl(target, format, endpoint, data="", extra=""):`
print curl command in tests 2024-08-13 16:11:45 +02:00			`cmd = ("curl --show-error --location"`
			`+ " --cookie-jar cookie.txt"`
			`+ " --cookie cookie.txt"`
			`+ " --connect-to ${fqdn}:443:server:443"`
			`+ " --connect-to ${fqdn}:80:server:80"`
			`# Client must be able to resolve talking to auth server`
			`+ " --connect-to auth.${domain}:443:server:443"`
			`+ (f" --data '{data}'" if data != "" else "")`
			`+ (f" --silent --output /dev/null --write-out '{format}'" if format != "" else "")`
			`+ (f" {extra}" if extra != "" else "")`
			`+ f" {endpoint}")`
			`print(cmd)`
			`_, r = target.execute(cmd)`
			`# print(r)`
			`return json.loads(r)`
refactor common test script 2024-07-12 13:01:26 +02:00
do not assume any formatting in curl function for tests 2024-08-15 02:38:12 +02:00			`def unline_with(j, s):`
			`return j.join((x.strip() for x in s.split("\n")))`

refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`''`
			`+ (if (! redirectSSO) then ''`
refactor common test script 2024-07-12 13:01:26 +02:00			`with subtest("access"):`
			`response = curl(client, """{"code":%{response_code}}""", "${proto_fqdn}")`

			`if response['code'] != 200:`
			`raise Exception(f"Code is {response['code']}")`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`'' else ''`
			`with subtest("unauthenticated access is not granted"):`
			`response = curl(client, """{"code":%{response_code},"auth_host":"%{urle.host}","auth_query":"%{urle.query}","all":%{json}}""", "${proto_fqdn}")`

			`if response['code'] != 200:`
			`raise Exception(f"Code is {response['code']}")`
			`if response['auth_host'] != "auth.${domain}":`
			`raise Exception(f"auth host should be auth.${domain} but is {response['auth_host']}")`
			`if response['auth_query'] != "rd=${proto_fqdn}/":`
			`raise Exception(f"auth query should be rd=${proto_fqdn}/ but is {response['auth_query']}")`
refactor common test script 2024-07-12 13:01:26 +02:00			`''`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`)`
make extraScript appear as its own subtest 2024-08-13 16:11:03 +02:00			`+ (let`
			`script = extraScript args;`
do not assume any formatting in curl function for tests 2024-08-15 02:38:12 +02:00			`indent = i: str: lib.concatMapStringsSep "\n" (x: (lib.strings.replicate i " ") + x) (lib.splitString "\n" script);`
make extraScript appear as its own subtest 2024-08-13 16:11:03 +02:00			`in`
			`lib.optionalString (script != "") ''`
			`with subtest("extraScript"):`
			`${indent 4 script}`
			`'');`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00
add backup contract 2024-08-20 07:09:10 +02:00			`inherit baseImports;`

refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`base = pkgs: additionalModules: {`
add backup contract 2024-08-20 07:09:10 +02:00			`imports =`
			`( baseImports pkgs )`
			`++ [`
			`# TODO: replace postgresql.nix and authelia.nix by the sso contract`
			`../modules/blocks/postgresql.nix`
			`../modules/blocks/authelia.nix`
			`../modules/blocks/nginx.nix`
switch jellyfin to new secrets contract This rabbit hole of a task lead me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read. 2024-10-13 21:43:49 +02:00			`../modules/blocks/hardcodedsecret.nix`
add backup contract 2024-08-20 07:09:10 +02:00			`]`
			`++ additionalModules;`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00
			`# Nginx port.`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`};`

			`certs = domain: { config, ... }: {`
			`imports = [`
			`../modules/blocks/ssl.nix`
			`];`

			`shb.certs = {`
			`cas.selfsigned.myca = {`
			`name = "My CA";`
			`};`
			`certs.selfsigned = {`
			`n = {`
			`ca = config.shb.certs.cas.selfsigned.myca;`
			`domain = "*.${domain}";`
			`group = "nginx";`
			`};`
			`};`
			`};`

			`systemd.services.nginx.after = [ config.shb.certs.certs.selfsigned.n.systemdService ];`
			`systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];`
			`};`

switch jellyfin to new secrets contract This rabbit hole of a task lead me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read. 2024-10-13 21:43:49 +02:00			`ldap = domain: pkgs: { config, ... }: {`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`imports = [`
			`../modules/blocks/ldap.nix`
			`];`

			`networking.hosts = {`
			`"127.0.0.1" = [ "ldap.${domain}" ];`
			`};`

switch jellyfin to new secrets contract This rabbit hole of a task lead me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read. 2024-10-13 21:43:49 +02:00			`shb.hardcodedsecret.ldapUserPassword = config.shb.ldap.ldapUserPassword.request // {`
			`content = "ldapUserPassword";`
			`};`
			`shb.hardcodedsecret.jwtSecret = config.shb.ldap.ldapUserPassword.request // {`
			`content = "jwtSecrets";`
			`};`

refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`shb.ldap = {`
			`enable = true;`
			`inherit domain;`
			`subdomain = "ldap";`
			`ldapPort = 3890;`
			`webUIListenPort = 17170;`
			`dcdomain = "dc=example,dc=com";`
switch jellyfin to new secrets contract This rabbit hole of a task lead me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read. 2024-10-13 21:43:49 +02:00			`ldapUserPassword.result.path = config.shb.hardcodedsecret.ldapUserPassword.path;`
			`jwtSecret.result.path = config.shb.hardcodedsecret.jwtSecret.path;`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`};`
			`};`

			`sso = domain: pkgs: ssl: { config, ... }: {`
			`imports = [`
			`../modules/blocks/authelia.nix`
			`];`

			`networking.hosts = {`
			`"127.0.0.1" = [ "auth.${domain}" ];`
			`};`

			`shb.authelia = {`
			`enable = true;`
			`inherit domain;`
			`subdomain = "auth";`
			`ssl = config.shb.certs.certs.selfsigned.n;`

Wait actively on ldap being ready (#286) Looks like this is needed in the end, other we get into some flaky situations 2024-09-01 08:36:53 +02:00			`ldapHostname = "127.0.0.1";`
			`ldapPort = config.shb.ldap.ldapPort;`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`dcdomain = config.shb.ldap.dcdomain;`

			`secrets = {`
switch authelia to new secrets contract 2024-10-13 23:23:08 +02:00			`jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;`
			`ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;`
			`sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;`
			`storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;`
			`identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;`
			`identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`};`
			`};`
switch authelia to new secrets contract 2024-10-13 23:23:08 +02:00
			`shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {`
			`content = "jwtSecret";`
			`};`
			`shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {`
			`content = "ldapUserPassword";`
			`};`
			`shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {`
			`content = "sessionSecret";`
			`};`
			`shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {`
			`content = "storageEncryptionKey";`
			`};`
			`shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {`
			`content = "identityProvidersOIDCHMACSecret";`
			`};`
			`shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {`
			`source = (pkgs.runCommand "gen-private-key" {} ''`
			`mkdir $out`
			`${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096`
			`'') + "/private.pem";`
			`};`
refactor tests to use common blocks 2024-07-16 10:38:26 +02:00			`};`

refactor common test script 2024-07-12 13:01:26 +02:00			`}`