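## NixOS module shared by the test VMs of this repository.
##
## It is evaluated as a NixOS module (`_class = "nixos"`) and pulls in the
## qemu-guest profile, the nixpkgs NixOS test base, this directory's
## `sharedOptions.nix` and the repository's common users module. The
## `enableAcme` / `acmeNodeIP` options read below are presumably declared in
## `./sharedOptions.nix` — confirm there before changing them.
{
  inputs,
  config,
  lib,
  modulesPath,
  ...
}:

let
  ## Snakeoil certificates that nixpkgs ships for its ACME test server (Pebble).
  testCerts = import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix";
  inherit (lib) mkIf mkMerge;
in
{
  _class = "nixos";

  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    (modulesPath + "/../lib/testing/nixos-test-base.nix")
    ./sharedOptions.nix
    ../../../infra/common/nixos/users.nix
  ];

  config = mkMerge [
    {
      ## Test framework disables switching by default. That might be OK by itself,
      ## but we also use this config for getting the dependencies in
      ## `deployer.system.extraDependencies`.
      system.switch.enable = true;

      nix = {
        # short-cut network time-outs
        settings.download-attempts = 1;
        ## Not used; save a large copy operation
        channel.enable = false;
        registry = lib.mkForce { };
        ## NOTE: `settings.download-attempts` was previously also defined a
        ## second time via `settings = { ... }`; Nix rejects an attribute path
        ## defined twice in one attribute set, so only the definition above is kept.
      };

      ## Test-VM-only access settings: root SSH login, no firewall and a root
      ## autologin on the console are deliberate here so the test driver can
      ## reach the machines; this module is meant for the test VMs only and
      ## should stay out of any other host's import list.
      services.openssh = {
        enable = true;
        settings.PermitRootLogin = "yes";
      };

      networking = {
        firewall.enable = false;
        enableIPv6 = false;
      };

      services.getty.autologinUser = lib.mkForce "root";

      ## Test VMs don't have a bootloader by default.
      # boot.loader = {
      #   # GRUB enabled: installation of GRUB on /dev/disk/by-id/virtio-root failed: No such file or directory
      #   grub.enable = false;
      #   # systemd boot enabled: '/boot' is not a mounted partition. Is the path configured correctly?
      #   systemd-boot.enable = true;
      #   efi.canTouchEfiVariables = true;
      # };
      # # same issue as no bootloader
      # boot.loader.generic-extlinux-compatible.enable = false;
      # builds but won't boot back up
      boot.loader.grub.forceInstall = true;
      # # builds but won't boot back up
      # # to be used with --no-bootloader, which i could only find for flakes
      # boot.loader.grub.enable = false;

      users.mutableUsers = false;
      users.users.root = {
        ## Fixed plaintext password for the throw-away test VMs only.
        password = "password";
        ## Presumably clears hashed-password settings set by the imported
        ## users.nix so that `password` above takes effect — confirm there.
        hashedPassword = null;
        hashedPasswordFile = null;
        openssh.authorizedKeys.keys =
          let
            keys = import ../../../keys;
          in
          lib.attrValues keys.contributors
          ++ [
            # allow our panel vm access to the test machines
            keys.panel
            # allow continuous deployment access
            keys.cd
          ];
      };
    }

    (mkIf config.enableAcme {
      ## Point the ACME client at the in-test Pebble server rather than a
      ## public CA; `acme.test` is resolved via `networking.extraHosts` below.
      security.acme = {
        acceptTerms = true;
        defaults.email = "test@test.com";
        defaults.server = "https://acme.test/dir";
      };

      security.pki.certificateFiles = [
        ## NOTE: This certificate is the one used by the Pebble HTTPS server.
        ## This is NOT the root CA of the Pebble server. We do add it here so
        ## that Pebble clients can talk to its API, but this will not allow
        ## those machines to verify generated certificates.
        testCerts.ca.cert
      ];

      ## FIXME: it is a bit sad that all this logistics is necessary. look into
      ## better DNS stuff
      networking.extraHosts = "${config.acmeNodeIP} acme.test";
    })
  ];
}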