514bfa6674
The test fails when the `Target`'s parent directories don't exist. For the purpose of this test though, we can just download it to the root directory for simplicity.
66 lines
1.7 KiB
Nix
66 lines
1.7 KiB
Nix
# Tests downloading a signed update aritfact from a server to a target machine.
|
|
# This test does not rely on the `systemd.timer` units provided by the
|
|
# `systemd-sysupdate` module but triggers the `systemd-sysupdate` service
|
|
# manually to make the test more robust.
|
|
|
|
{ lib, pkgs, ... }:
|
|
|
|
let
|
|
gpgKeyring = import ./common/gpg-keyring.nix { inherit pkgs; };
|
|
in
|
|
{
|
|
name = "systemd-sysupdate";
|
|
|
|
meta.maintainers = with lib.maintainers; [ nikstur ];
|
|
|
|
nodes = {
|
|
server = { pkgs, ... }: {
|
|
networking.firewall.enable = false;
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts."server" = {
|
|
root = pkgs.runCommand "sysupdate-artifacts" { buildInputs = [ pkgs.gnupg ]; } ''
|
|
mkdir -p $out
|
|
cd $out
|
|
|
|
echo "nixos" > nixos_1.txt
|
|
sha256sum nixos_1.txt > SHA256SUMS
|
|
|
|
export GNUPGHOME="$(mktemp -d)"
|
|
cp -R ${gpgKeyring}/* $GNUPGHOME
|
|
|
|
gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
target = {
|
|
systemd.sysupdate = {
|
|
enable = true;
|
|
transfers = {
|
|
"text-file" = {
|
|
Source = {
|
|
Type = "url-file";
|
|
Path = "http://server/";
|
|
MatchPattern = "nixos_@v.txt";
|
|
};
|
|
Target = {
|
|
Path = "/";
|
|
MatchPattern = [ "nixos_@v.txt" ];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
environment.etc."systemd/import-pubring.gpg".source = "${gpgKeyring}/pubkey.gpg";
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
server.wait_for_unit("nginx.service")
|
|
|
|
target.succeed("systemctl start systemd-sysupdate")
|
|
assert "nixos" in target.wait_until_succeeds("cat /nixos_1.txt", timeout=5)
|
|
'';
|
|
}
|