import ./make-test-python.nix ({ pkgs, ... }:
{
name = "systemd-journal-upload";

# Maintainer metadata consumed by the NixOS test harness.
meta.maintainers = with pkgs.lib.maintainers; [
  minijackson
  raitobezarius
];
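# Receiving side: systemd-journal-remote, which the client reaches over an
# http:// URL (see nodes.client).
nodes.server = { nodes, ... }: {
  services.journald.remote = {
    enable = true;
    # NOTE(review): listen = "http" and the client uploads to an http:// URL,
    # so the certificate/key settings in Remote below appear not to be used on
    # the wire; confirm whether "https" was intended.
    listen = "http";
    settings.Remote = {
      # These paths must match what copy_pems in testScript installs for the
      # "server" domain: /run/secrets/server.cert.pem and
      # /run/secrets/server.key.pem (the old "sever.*" spelling matched no
      # copied file, which went unnoticed because the files are not read over
      # plain http).
      ServerCertificateFile = "/run/secrets/server.cert.pem";
      ServerKeyFile = "/run/secrets/server.key.pem";
      TrustedCertificateFile = "/run/secrets/ca.cert.pem";
      Seal = true;
    };
  };

  # Open the journal-remote port so the client can reach it.
  networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
};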
# Sending side: systemd-journal-upload pointed at the server node.
nodes.client = { lib, nodes, ... }: {
  services.journald.upload.enable = true;
  services.journald.upload.settings.Upload = {
    # NOTE(review): the URL is plain http://, so the certificate settings that
    # follow are presumably not exercised by this test; confirm.
    URL = "http://server:${toString nodes.server.services.journald.remote.port}";
    ServerCertificateFile = "/run/secrets/client.cert.pem";
    ServerKeyFile = "/run/secrets/client.key.pem";
    TrustedCertificateFile = "/run/secrets/ca.cert.pem";
  };

  systemd = {
    # Detach the upload service from the normal boot order: testScript first
    # copies the PEMs into /run/secrets, and the .path unit below brings the
    # service up once they are present.
    services.systemd-journal-upload.wantedBy = lib.mkForce [ ];
    paths.systemd-journal-upload = {
      wantedBy = [ "default.target" ];
      # ca.cert.pem is the last file copy_pems installs, so its presence
      # implies the client certificate and key are already in place.
      pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
    };
  };
};
testScript = ''
import subprocess
import tempfile
# Host-side scratch directory for the minica CA and the per-domain leaf
# certificates. The TemporaryDirectory object is kept alive in tmpdir_o so the
# directory is not removed while the test script still needs it.
tmpdir_o = tempfile.TemporaryDirectory()
tmpdir = tmpdir_o.name
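def generate_pems(domain: str) -> None:
    """Issue a certificate and key for *domain* with minica on the host.

    minica works inside tmpdir: the CA pair lives at ca.key.pem / ca.cert.pem
    (created on first use, reused afterwards) and the leaf pair is written to
    tmpdir/DOMAIN/cert.pem and tmpdir/DOMAIN/key.pem, which copy_pems later
    installs on the machines.

    Raises:
        subprocess.CalledProcessError: if minica exits non-zero, so a failed
            issuance is reported here rather than as a missing file later.
    """
    subprocess.run(
        [
            "${pkgs.minica}/bin/minica",
            "--ca-key=ca.key.pem",
            "--ca-cert=ca.cert.pem",
            f"--domains={domain}",
        ],
        cwd=str(tmpdir),
        # Fail fast: without check=True a non-zero exit status is ignored.
        check=True,
    )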
# Mint the CA plus one leaf certificate per role on the host.
with subtest("Creating keys and certificates"):
    for role in ("server", "client"):
        generate_pems(role)

# Both machines must finish booting before any file is copied in.
for node in (server, client):
    node.wait_for_unit("multi-user.target")
def copy_pems(machine: Machine, domain: str) -> None:
    """Install the PEMs minted by generate_pems for *domain* onto *machine*.

    Writes /run/secrets/DOMAIN.cert.pem, /run/secrets/DOMAIN.key.pem and,
    last of all, /run/secrets/ca.cert.pem. The CA certificate is deliberately
    the final file: the client node has a systemd-journal-upload.path unit
    that triggers on its existence, so the leaf pair is already in place by
    the time the upload service starts.
    """
    # NOTE(review): /run/secrets is created with default mkdir permissions and
    # the key files keep whatever mode copy_from_host gives them. Acceptable
    # for a throwaway test VM, not a pattern to reuse for real secrets.
    machine.succeed("mkdir /run/secrets")

    transfers = [
        (f"{tmpdir}/{domain}/cert.pem", f"/run/secrets/{domain}.cert.pem"),
        (f"{tmpdir}/{domain}/key.pem", f"/run/secrets/{domain}.key.pem"),
        # Must stay last: this is the file the .path unit waits for.
        (f"{tmpdir}/ca.cert.pem", "/run/secrets/ca.cert.pem"),
    ]
    for source, target in transfers:
        machine.copy_from_host(source=source, target=target)
# Push the PEMs to both machines. On the client the CA certificate lands last
# and releases the upload service via its .path unit.
with subtest("Copying keys and certificates"):
    for node, role in ((server, "server"), (client, "client")):
        copy_pems(node, role)

client.wait_for_unit("systemd-journal-upload.service")
# The first upload from the client is what brings systemd-journal-remote up on
# the server, through its .socket unit.
server.wait_for_unit("systemd-journal-remote.service")

identifier = "nixos-test"
message = "Hello from NixOS test infrastructure"

# Log one line on the client, then wait until it appears in the journal files
# systemd-journal-remote writes on the server. Both commands embed message
# inside single quotes, which is only safe because this constant contains no
# single quote itself; grep -F matches it literally.
client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
server.wait_until_succeeds(
    f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
)
'';
})