From 799b572ef1ce4c6ed8efa806b9b542ae8d9cfe6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 17 Nov 2024 15:08:13 +0100 Subject: [PATCH] move checks out of pkgs --- .../nixos-test.nix | 56 ++++++++++--------- flake.nix | 8 ++- pkgs/sops-install-secrets/default.nix | 5 -- 3 files changed, 34 insertions(+), 35 deletions(-) rename {pkgs/sops-install-secrets => checks}/nixos-test.nix (92%) diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/checks/nixos-test.nix similarity index 92% rename from pkgs/sops-install-secrets/nixos-test.nix rename to checks/nixos-test.nix index 4fcbfeb..f6409f5 100644 --- a/pkgs/sops-install-secrets/nixos-test.nix +++ b/checks/nixos-test.nix @@ -1,5 +1,7 @@ { lib, testers }: let + testAssets = ../pkgs/sops-install-secrets/test-assets; + userPasswordTest = name: extraConfig: testers.runNixOSTest { @@ -8,12 +10,12 @@ let { config, lib, ... }: { imports = [ - ../../modules/sops + ../modules/sops extraConfig ]; sops = { age.keyFile = "/run/age-keys.txt"; - defaultSopsFile = ./test-assets/secrets.yaml; + defaultSopsFile = testAssets + "/secrets.yaml"; secrets.test_key.neededForUsers = true; secrets."nested/test/file".owner = "example-user"; }; @@ -58,16 +60,16 @@ in nodes.server = { ... }: { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; services.openssh.enable = true; services.openssh.hostKeys = [ { type = "rsa"; bits = 4096; - path = ./test-assets/ssh-key; + path = testAssets + "/ssh-key"; } ]; - sops.defaultSopsFile = ./test-assets/secrets.yaml; + sops.defaultSopsFile = testAssets + "/secrets.yaml"; sops.secrets.test_key = { }; }; 
@@ -82,17 +84,17 @@ in nodes.machine = { lib, ... }: { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; sops = { age.keyFile = "/run/age-keys.txt"; - defaultSopsFile = ./test-assets/secrets.yaml; + defaultSopsFile = testAssets + "/secrets.yaml"; secrets.test_key = { }; keepGenerations = lib.mkDefault 0; }; # must run before sops sets up keys boot.initrd.postDeviceCommands = '' - cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt + cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; @@ -128,10 +130,10 @@ in nodes.machine = { config, ... }: { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; sops = { age.keyFile = "/run/age-keys.txt"; - defaultSopsFile = ./test-assets/secrets.yaml; + defaultSopsFile = testAssets + "/secrets.yaml"; secrets = { test_key = { }; @@ -166,7 +168,7 @@ in # must run before sops sets up keys boot.initrd.postDeviceCommands = '' - cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt + cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; }; @@ -196,17 +198,17 @@ in age-ssh-keys = testers.runNixOSTest { name = "sops-age-ssh-keys"; nodes.machine = { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; services.openssh.enable = true; services.openssh.hostKeys = [ { type = "ed25519"; - path = ./test-assets/ssh-ed25519-key; + path = testAssets + "/ssh-ed25519-key"; } ]; sops = { - defaultSopsFile = ./test-assets/secrets.yaml; + defaultSopsFile = testAssets + "/secrets.yaml"; secrets.test_key = { }; # Generate a key and append it to make sure it appending doesn't break anything age = { @@ -227,7 +229,7 @@ in nodes.server = { lib, config, ... }: { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; users.users.someuser = { isSystemUser = true; 
@@ -235,7 +237,7 @@ in }; sops.gnupg.home = "/run/gpghome"; - sops.defaultSopsFile = ./test-assets/secrets.yaml; + sops.defaultSopsFile = testAssets + "/secrets.yaml"; sops.secrets.test_key.owner = config.users.users.someuser.name; sops.secrets."nested/test/file".owner = config.users.users.someuser.name; sops.secrets.existing-file = { @@ -244,7 +246,7 @@ in }; # must run before sops system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] '' - cp -r ${./test-assets/gnupghome} /run/gpghome + cp -r ${testAssets + "/gnupghome"} /run/gpghome chmod -R 700 /run/gpghome touch /run/existing-file @@ -254,7 +256,7 @@ in #environment.variables = { # GNUPGHOME = "/run/gpghome"; # SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg"; - # SOPSFILE = "${./test-assets/secrets.yaml}"; + # SOPSFILE = "${testAssets + "/secrets.yaml"}"; #}; }; testScript = '' @@ -282,10 +284,10 @@ in nodes.machine = { config, ... }: { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; sops = { age.keyFile = "/run/age-keys.txt"; - defaultSopsFile = ./test-assets/secrets.yaml; + defaultSopsFile = testAssets + "/secrets.yaml"; secrets.test_key = { }; # Verify that things work even with `neededForUsers` secrets. See @@ -295,7 +297,7 @@ in # must run before sops sets up keys boot.initrd.postDeviceCommands = '' - cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt + cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; @@ -361,11 +363,11 @@ in nodes.machine = { config, ... }: { - imports = [ ../../modules/sops ]; + imports = [ ../modules/sops ]; sops = { age.keyFile = "/run/age-keys.txt"; - defaultSopsFile = ./test-assets/secrets.yaml; + defaultSopsFile = testAssets + "/secrets.yaml"; secrets.test_key = { restartUnits = [ "restart-unit.service" 
@@ -390,7 +392,7 @@ in # must run before sops sets up keys boot.initrd.postDeviceCommands = '' - cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt + cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; @@ -551,7 +553,7 @@ in user-passwords = userPasswordTest "sops-user-passwords" { # must run before sops sets up keys boot.initrd.postDeviceCommands = '' - cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt + cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; }; @@ -568,7 +570,7 @@ in # must run before sops sets up keys systemd.services."sops-install-secrets-for-users".preStart = '' - printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt + printf '${builtins.readFile (testAssets + "/age-keys.txt")}' > /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; } @@ -586,7 +588,7 @@ in # must run before sops sets up keys systemd.services."sops-install-secrets-for-users".preStart = '' - printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt + printf '${builtins.readFile testAssets + "/age-keys.txt"}' > /run/age-keys.txt chmod -R 700 /run/age-keys.txt ''; } diff --git a/flake.nix b/flake.nix index 8fb6170..72b306b 100644 --- a/flake.nix +++ b/flake.nix @@ -80,11 +80,14 @@ checks = eachSystem ( { pkgs, system, ... }: let - tests = self.packages.${system}.sops-install-secrets.tests; packages-stable = import ./default.nix { pkgs = privateInputs.nixpkgs-stable.legacyPackages.${system}; }; - tests-stable = packages-stable.sops-install-secrets.tests; + dropOverride = attrs: nixpkgs.lib.removeAttrs attrs [ "override" ]; + tests = dropOverride (pkgs.callPackage ./checks/nixos-test.nix { }); + tests-stable = dropOverride ( + privateInputs.nixpkgs-stable.legacyPackages.${system}.callPackage ./checks/nixos-test.nix { } + ); suffix-version = version: attrs: nixpkgs.lib.mapAttrs' (name: value: nixpkgs.lib.nameValuePair (name + version) value) attrs; 
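Review bot: The interpolation in the `sops-install-secrets-for-users` preStart at hunk `@@ -586,7 +588,7 @@` drops the parentheses that the otherwise identical hunk `@@ -568,7 +570,7 @@` keeps; Nix binds function application tighter than `+`, so `builtins.readFile testAssets + "/age-keys.txt"` parses as `(builtins.readFile testAssets) + "/age-keys.txt"`, i.e. readFile is applied to the `testAssets` directory itself, which is an evaluation error rather than the key file contents. The line should read `printf '${builtins.readFile (testAssets + "/age-keys.txt")}' > /run/age-keys.txt`. The enclosing test attribute starts before this hunk.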
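Review bot: `dropOverride` in the flake.nix hunk strips only `override`, but `callPackage` wraps its result with `lib.makeOverridable`, which on an attribute-set result also injects `overrideDerivation`; that function would survive into `tests`/`tests-stable` and from there into `checks`, where `nix flake check` expects derivations only (worth confirming against the pinned nixpkgs). Suggest `dropOverride = attrs: nixpkgs.lib.removeAttrs attrs [ "override" "overrideDerivation" ];`. Separately, the `passthru.tests` removed in `pkgs/sops-install-secrets/default.nix` guarded the NixOS tests with `lib.optionalAttrs stdenv.isLinux`, whereas the new call sites evaluate `./checks/nixos-test.nix` for every system `eachSystem` enumerates; unless `eachSystem` is Linux-only (not visible here), darwin `checks` will now include NixOS VM tests that cannot build there. The surrounding `let` body continues past the hunk.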
@@ -105,7 +108,6 @@ darwinConfigurations.sops-arm64 = privateInputs.nix-darwin.lib.darwinSystem { modules = [ ./checks/darwin.nix - #{ nixpkgs.pkgs = nixpkgs.legacyPackages.aarch64-darwin; } { nixpkgs.hostPlatform = "aarch64-darwin"; } ]; }; diff --git a/pkgs/sops-install-secrets/default.nix b/pkgs/sops-install-secrets/default.nix index 52025b0..66289ce 100644 --- a/pkgs/sops-install-secrets/default.nix +++ b/pkgs/sops-install-secrets/default.nix @@ -4,7 +4,6 @@ stdenv, vendorHash, go, - callPackages, }: buildGoModule { pname = "sops-install-secrets"; @@ -21,10 +20,6 @@ buildGoModule { # requires root privileges for tests doCheck = false; - passthru = { - tests = lib.optionalAttrs stdenv.isLinux (callPackages ./nixos-test.nix { }); - }; - outputs = [ "out" ] ++ lib.lists.optionals (stdenv.isLinux) [ "unittest" ]; postInstall =