[NixPkgs.git] / nixos / tests / miniflux.nix
1 import ./make-test-python.nix ({ pkgs, lib, ... }:
3 let
4   port = 3142;
5   username = "alice";
6   password = "correcthorsebatterystaple";
7   defaultPort = 8080;
8   defaultUsername = "admin";
9   defaultPassword = "password";
10   adminCredentialsFile = pkgs.writeText "admin-credentials" ''
11             ADMIN_USERNAME=${defaultUsername}
12             ADMIN_PASSWORD=${defaultPassword}
13           '';
14   customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
15             ADMIN_USERNAME=${username}
16             ADMIN_PASSWORD=${password}
17           '';
18   postgresPassword = "correcthorsebatterystaple";
19   postgresPasswordFile = pkgs.writeText "pgpass" ''
20     *:*:*:*:${postgresPassword}
21   '';
25   name = "miniflux";
26   meta.maintainers = [ ];
28   nodes = {
29     default =
30       { ... }:
31       {
32         security.apparmor.enable = true;
33         services.miniflux = {
34           enable = true;
35           inherit adminCredentialsFile;
36         };
37       };
39     withoutSudo =
40       { ... }:
41       {
42         security.apparmor.enable = true;
43         services.miniflux = {
44           enable = true;
45           inherit adminCredentialsFile;
46         };
47         security.sudo.enable = false;
48       };
50     customized =
51       { ... }:
52       {
53         security.apparmor.enable = true;
54         services.miniflux = {
55           enable = true;
56           config = {
57             CLEANUP_FREQUENCY = "48";
58             LISTEN_ADDR = "localhost:${toString port}";
59           };
60           adminCredentialsFile = customAdminCredentialsFile;
61         };
62       };
64     postgresTcp = { config, pkgs, lib, ... }: {
65       services.postgresql = {
66         enable = true;
67         initialScript = pkgs.writeText "init-postgres" ''
68           CREATE USER miniflux WITH PASSWORD '${postgresPassword}';
69           CREATE DATABASE miniflux WITH OWNER miniflux;
70         '';
71         enableTCPIP = true;
72         authentication = ''
73           host sameuser miniflux samenet scram-sha-256
74         '';
75       };
76       systemd.services.postgresql.postStart = lib.mkAfter ''
77         $PSQL -tAd miniflux -c 'CREATE EXTENSION hstore;'
78       '';
79       networking.firewall.allowedTCPPorts = [ config.services.postgresql.settings.port ];
80     };
81     externalDb = { ... }: {
82       security.apparmor.enable = true;
83       services.miniflux = {
84         enable = true;
85         createDatabaseLocally = false;
86         inherit adminCredentialsFile;
87         config = {
88           DATABASE_URL = "user=miniflux host=postgresTcp dbname=miniflux sslmode=disable";
89           PGPASSFILE = "/run/miniflux/pgpass";
90         };
91       };
92       systemd.services.miniflux.preStart = ''
93         cp ${postgresPasswordFile} /run/miniflux/pgpass
94         chmod 600 /run/miniflux/pgpass
95       '';
96     };
97   };
98   testScript = ''
99     def runTest(machine, port, user):
100       machine.wait_for_unit("miniflux.service")
101       machine.wait_for_open_port(port)
102       machine.succeed(f"curl --fail 'http://localhost:{port}/healthcheck' | grep OK")
103       machine.succeed(
104           f"curl 'http://localhost:{port}/v1/me' -u '{user}' -H Content-Type:application/json | grep '\"is_admin\":true'"
105       )
106       machine.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
108     default.start()
109     withoutSudo.start()
110     customized.start()
111     postgresTcp.start()
113     runTest(default, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
114     runTest(withoutSudo, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
115     runTest(customized, ${toString port}, "${username}:${password}")
117     postgresTcp.wait_for_unit("postgresql.service")
118     externalDb.start()
119     runTest(externalDb, ${toString defaultPort}, "${defaultUsername}:${defaultPassword}")
120   '';