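import ./make-test-python.nix ({ pkgs, ... }:

# End-to-end check of journal forwarding: a client node pushes its journal
# with systemd-journal-upload to a server node running systemd-journal-remote,
# and a test message logged on the client must show up in the server's
# remote journal files.
{
  name = "systemd-journal-upload";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ minijackson raitobezarius ];
  };

  # Receiving side: systemd-journal-remote, started on demand by its .socket unit.
  nodes.server = { nodes, ... }: {
    services.journald.remote = {
      enable = true;
      # Plain HTTP listener. The URL on the client is also plain http://, so the
      # TLS material configured below appears to be carried along but not
      # exercised by this test. NOTE(review): an HTTP receiver does not
      # authenticate uploaders; acceptable inside the isolated test network,
      # not a template for a production deployment.
      listen = "http";
      settings.Remote = {
        # These paths must match what copy_pems() in testScript writes for the
        # "server" domain (previously "sever.*", which is never created).
        ServerCertificateFile = "/run/secrets/server.cert.pem";
        ServerKeyFile = "/run/secrets/server.key.pem";
        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
        Seal = true;
      };
    };

    # Open only the port the remote service actually listens on.
    networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
  };

  # Sending side: systemd-journal-upload pointed at the server's remote port.
  nodes.client = { lib, nodes, ... }: {
    services.journald.upload = {
      enable = true;
      settings.Upload = {
        URL = "http://server:${toString nodes.server.services.journald.remote.port}";
        # Same naming scheme as on the server: copy_pems(client, "client").
        ServerCertificateFile = "/run/secrets/client.cert.pem";
        ServerKeyFile = "/run/secrets/client.key.pem";
        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
      };
    };

    # Wait for the PEMs to arrive: detach the upload service from the default
    # boot targets and let a path unit start it once the secrets exist.
    systemd.services.systemd-journal-upload.wantedBy = lib.mkForce [];
    systemd.paths.systemd-journal-upload = {
      wantedBy = [ "default.target" ];
      # This file must be copied last, so its presence implies the client
      # cert and key are already in place.
      pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
    };
  };

  testScript = ''
    import subprocess
    import tempfile

    tmpdir_o = tempfile.TemporaryDirectory()
    tmpdir = tmpdir_o.name

    def generate_pems(domain: str):
        # minica writes <domain>/cert.pem and <domain>/key.pem next to the CA
        # files; the CA is created on the first call and reused afterwards.
        # check=True: fail here rather than with a confusing copy error later.
        subprocess.run(
            [
                "${pkgs.minica}/bin/minica",
                "--ca-key=ca.key.pem",
                "--ca-cert=ca.cert.pem",
                f"--domains={domain}",
            ],
            cwd=str(tmpdir),
            check=True,
        )

    with subtest("Creating keys and certificates"):
        generate_pems("server")
        generate_pems("client")

    server.wait_for_unit("multi-user.target")
    client.wait_for_unit("multi-user.target")

    def copy_pems(machine: Machine, domain: str):
        machine.succeed("mkdir /run/secrets")
        machine.copy_from_host(
            source=f"{tmpdir}/{domain}/cert.pem",
            target=f"/run/secrets/{domain}.cert.pem",
        )
        machine.copy_from_host(
            source=f"{tmpdir}/{domain}/key.pem",
            target=f"/run/secrets/{domain}.key.pem",
        )
        # Should be last: the client's path unit triggers on this file.
        machine.copy_from_host(
            source=f"{tmpdir}/ca.cert.pem",
            target="/run/secrets/ca.cert.pem",
        )

    with subtest("Copying keys and certificates"):
        copy_pems(server, "server")
        copy_pems(client, "client")

    client.wait_for_unit("systemd-journal-upload.service")
    # The journal upload should have started the remote service, triggered by
    # the .socket unit
    server.wait_for_unit("systemd-journal-remote.service")

    identifier = "nixos-test"
    message = "Hello from NixOS test infrastructure"

    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
    server.wait_until_succeeds(
        f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
    )
  '';
})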