dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

nixos/harmonia: adjust module and test to upstream

Browse Source
This commit is contained in:
Ilan Joselevich 2023-05-10 19:41:25 +03:00
parent 5d02fb0a6c
commit 7ecf20b490
No known key found for this signature in database
3 changed files with 20 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
nixos/modules/services/networking/harmonia.nix
View File

@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.harmonia;
format = pkgs.formats.toml { };
in
{
@ -12,21 +11,23 @@ in
signKeyPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = lib.mdDoc "Path to the signing key to use for signing the cache";
description = lib.mdDoc "Path to the signing key that will be used for signing the cache";
};
package = lib.mkPackageOptionMD pkgs "harmonia" { };
settings = lib.mkOption {
inherit (format) type;
description = lib.mdDoc "Settings to merge with the default configuration";
default = { };
description = lib.mdDoc ''
Settings to merge with the default configuration.
For the list of the default configuration, see <https://github.com/nix-community/harmonia/tree/master#configuration>.
'';
};
};
};
config = lib.mkIf cfg.enable {
services.harmonia.settings.bind = lib.mkDefault "[::]:5000";
systemd.services.harmonia = {
description = "harmonia binary cache service";
@ -45,17 +46,14 @@ in
serviceConfig = {
ExecStart = lib.getExe cfg.package;
User = "harmonia";
Group = "harmonia";
DynamicUser = true;
PrivateUsers = true;
DeviceAllow = [ "" ];
UMask = "0066";
RuntimeDirectory = "harmonia";
LoadCredential = lib.optional (cfg.signKeyPath != null) "sign-key:${cfg.signKeyPath}";
LoadCredential = lib.mkIf (cfg.signKeyPath != null) [ "sign-key:${cfg.signKeyPath}" ];
SystemCallFilter = [
"@system-service"
"~@privileged"
@ -74,7 +72,6 @@ in
ProtectProc = "invisible";
RestrictNamespaces = true;
SystemCallArchitectures = "native";
PrivateNetwork = false;
PrivateTmp = true;
PrivateDevices = true;
@ -84,7 +81,6 @@ in
ProtectHome = true;
LockPersonality = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
LimitNOFILE = 65536;
};
};

2
nixos/tests/all-tests.nix
View File

@ -297,7 +297,7 @@ in {
haste-server = handleTest ./haste-server.nix {};
haproxy = handleTest ./haproxy.nix {};
hardened = handleTest ./hardened.nix {};
harmonia = handleTest ./harmonia.nix {};
harmonia = runTest ./harmonia.nix;
headscale = handleTest ./headscale.nix {};
healthchecks = handleTest ./web-apps/healthchecks.nix {};
hbase2 = handleTest ./hbase.nix { package=pkgs.hbase2; };

22
nixos/tests/harmonia.nix
View File

@ -1,19 +1,20 @@
import ./make-test-python.nix ({ pkgs, ... }:
{ pkgs, lib, ... }:
{
name = "harmonia";
nodes = {
harmonia = {
services.harmonia = {
enable = true;
signKeyPath = pkgs.writeText "cache-key"
"cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==";
signKeyPath = pkgs.writeText "cache-key" "cache.example.com-1:9FhO0w+7HjZrhvmzT1VlAZw4OSAlFGTgC24Seg3tmPl4gZBdwZClzTTHr9cVzJpwsRSYLTu7hEAQe3ljy92CWg==";
};
networking.firewall.allowedTCPPorts = [ 5000 ];
system.extraDependencies = [ pkgs.hello ];
system.extraDependencies = [ pkgs.emptyFile ];
};
client01 = { lib, ... }: {
client01 = {
nix.settings = {
substituters = lib.mkForce [ "http://harmonia:5000" ];
trusted-public-keys = lib.mkForce [ "cache.example.com-1:eIGQXcGQpc00x6/XFcyacLEUmC07u4RAEHt5Y8vdglo=" ];
@ -21,13 +22,14 @@ import ./make-test-python.nix ({ pkgs, ... }:
};
};
testScript = ''
testScript = { nodes, ... }: ''
start_all()
client01.wait_until_succeeds("curl -f http://harmonia:5000/version")
client01.succeed("curl -f http://harmonia:5000/nix-cache-info")
harmonia.wait_for_unit("harmonia.service")
client01.wait_until_succeeds("curl -f http://harmonia:5000/nix-cache-info")
client01.succeed("curl -f http://harmonia:5000/version | grep '${nodes.harmonia.services.harmonia.package.version}' >&2")
client01.succeed("cat /etc/nix/nix.conf >&2")
client01.wait_until_succeeds("nix-store --realise ${pkgs.hello} --store /root/other-store")
client01.succeed("nix-store --realise ${pkgs.emptyFile} --store /root/other-store")
'';
})
}