nixpkgs/nixos/tests/lemmy.nix
Eric Wolf 318d8cc4c5 nixos/lemmy: limit impurity by secrets
Split `services.lemmy.secretFile` into
multiple options to allow only secrets.
2023-07-28 07:49:27 +00:00

98 lines
4.0 KiB
Nix

import ./make-test-python.nix ({ pkgs, lib, ... }:
let
uiPort = 1234;
backendPort = 5678;
lemmyNodeName = "server";
in
{
name = "lemmy";
meta = with lib.maintainers; { maintainers = [ mightyiam ]; };
nodes = {
client = { };
"${lemmyNodeName}" = {
services.lemmy = {
enable = true;
ui.port = uiPort;
database.createLocally = true;
settings = {
hostname = "http://${lemmyNodeName}";
port = backendPort;
# Without setup, the /feeds/* and /nodeinfo/* API endpoints won't return 200
setup = {
admin_username = "mightyiam";
site_name = "Lemmy FTW";
admin_email = "mightyiam@example.com";
};
};
adminPasswordFile = /etc/lemmy-admin-password.txt;
caddy.enable = true;
};
environment.etc."lemmy-admin-password.txt".text = "ThisIsWhatIUseEverywhereTryIt";
networking.firewall.allowedTCPPorts = [ 80 ];
# pict-rs seems to need more than 1025114112 bytes
virtualisation.memorySize = 2000;
};
};
testScript = ''
server = ${lemmyNodeName}
with subtest("the merged config is secure"):
server.wait_for_unit("lemmy.service")
config_permissions = server.succeed("stat --format %A /run/lemmy/config.hjson").rstrip()
assert config_permissions == "-rw-------", f"merged config permissions {config_permissions} are insecure"
directory_permissions = server.succeed("stat --format %A /run/lemmy").rstrip()
assert directory_permissions[5] == directory_permissions[8] == "-", "merged config can be replaced"
with subtest("the backend starts and responds"):
server.wait_for_open_port(${toString backendPort})
server.succeed("curl --fail localhost:${toString backendPort}/api/v3/site")
with subtest("the UI starts and responds"):
server.wait_for_unit("lemmy-ui.service")
server.wait_for_open_port(${toString uiPort})
server.succeed("curl --fail localhost:${toString uiPort}")
with subtest("Lemmy-UI responds through the caddy reverse proxy"):
server.wait_for_unit("network-online.target")
server.wait_for_unit("caddy.service")
server.wait_for_open_port(80)
body = server.execute("curl --fail --location ${lemmyNodeName}")[1]
assert "Lemmy" in body, f"String Lemmy not found in response for ${lemmyNodeName}: \n{body}"
with subtest("the server is exposed externally"):
client.wait_for_unit("network-online.target")
client.succeed("curl -v --fail ${lemmyNodeName}")
with subtest("caddy correctly routes backend requests"):
# Make sure we are not hitting frontend
server.execute("systemctl stop lemmy-ui.service")
def assert_http_code(url, expected_http_code, extra_curl_args=""):
_, http_code = server.execute(f'curl --silent -o /dev/null {extra_curl_args} --fail --write-out "%{{http_code}}" {url}')
assert http_code == str(expected_http_code), f"expected http code {expected_http_code}, got {http_code}"
# Caddy responds with HTTP code 502 if it cannot handle the requested path
assert_http_code("${lemmyNodeName}/obviously-wrong-path/", 502)
assert_http_code("${lemmyNodeName}/static/js/client.js", 200)
assert_http_code("${lemmyNodeName}/api/v3/site", 200)
# A 404 confirms that the request goes to the backend
# No path can return 200 until after we upload an image to pict-rs
assert_http_code("${lemmyNodeName}/pictrs/", 404)
assert_http_code("${lemmyNodeName}/feeds/all.xml", 200)
assert_http_code("${lemmyNodeName}/nodeinfo/2.0.json", 200)
assert_http_code("${lemmyNodeName}/some-other-made-up-path/", 404, "-X POST")
assert_http_code("${lemmyNodeName}/some-other-path", 404, "-H 'Accept: application/activity+json'")
assert_http_code("${lemmyNodeName}/some-other-path", 404, "-H 'Accept: application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"'")
'';
})