

2 commits

Author SHA1 Message Date
Raphael Borun Das Gupta
a76519ac01 qois.cloud: add basic test (WIP)
Some checks failed
CI / build (push) Failing after 19m20s
CI / deploy (docs-ops.qo.is) (push) Has been skipped
CI / deploy (system-physical) (push) Has been skipped
CI / deploy (system-vm) (push) Has been skipped
2025-06-21 10:26:17 +02:00
Raphael Borun Das Gupta
b295ae9396 qois.cloud: make adminpassFile an option 2025-06-14 21:04:26 +02:00
18 changed files with 144 additions and 65 deletions


@ -45,17 +45,3 @@ jobs:
lfs: false lfs: false
- name: "Deploy profile" - name: "Deploy profile"
run: "auto-deploy ${{ matrix.profile }}" run: "auto-deploy ${{ matrix.profile }}"
deploy-ci:
needs: deploy
if: success() && github.ref == 'refs/heads/main'
runs-on: nix
env:
SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
steps:
- name: Initialize CI
uses: https://git.qo.is/qo.is/actions-nix-init@main
with:
token: ${{ secrets.CI_TOKEN }}
lfs: false
- name: "Deploy profile"
run: "auto-deploy system-ci"


@ -17,7 +17,7 @@
}, },
"lindberg-webapps": { "lindberg-webapps": {
"hostName": "lindberg-webapps", "hostName": "lindberg-webapps",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByESy+XiBT8/PoE8DUB388B5MA6LVcJBgH1ZgYxr9Mg" "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJT99lj5OI+V1PlZl/T2ikBORwMiXjDfWpHYfq/GvUM5"
}, },
"batzberg": { "batzberg": {
"hostName": "batzberg" "hostName": "batzberg"

flake.lock generated

@ -23,15 +23,15 @@
"disko": { "disko": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs-nixos-stable"
] ]
}, },
"locked": { "locked": {
"lastModified": 1751854533, "lastModified": 1749200714,
"narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=", "narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "16b74a1e304197248a1bc663280f2548dbfcae3c", "rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -81,11 +81,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1750779888, "lastModified": 1747372754,
"narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -131,18 +131,34 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs-nixos-stable": {
"locked": { "locked": {
"lastModified": 1751741127, "lastModified": 1748995628,
"narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=", "narHash": "sha256-bFufQGSAEYQgjtc4wMrobS5HWN0hDP+ZX+zthYcml9U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "29e290002bfff26af1db6f64d070698019460302", "rev": "8eb3b6a2366a7095939cd22f0dc0e9991313294b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.05", "ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1749143949,
"narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -154,10 +170,10 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1749920008, "lastModified": 1747599024,
"narHash": "sha256-wn3U2q/+OQYErVyoY9kwZP/fXcDG4ewhJkHX7qHzq8g=", "narHash": "sha256-qc94Cyt6uaQCVY2VlCtNxGb7hs3DbLvxuhEnSLFL8T8=",
"rev": "5f8ba2025848dd30539c42ef1f7e6c6f917e70d9", "rev": "bed7588246ec58aacac3d0ff5b191fa6cc9faa98",
"revCount": 19, "revCount": 17,
"type": "git", "type": "git",
"url": "file:./private" "url": "file:./private"
}, },
@ -172,6 +188,7 @@
"disko": "disko", "disko": "disko",
"git-hooks-nix": "git-hooks-nix", "git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
"private": "private", "private": "private",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
@ -184,11 +201,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1751606940, "lastModified": 1747603214,
"narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -219,11 +236,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1750931469, "lastModified": 1749194973,
"narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=", "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1", "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -5,7 +5,8 @@
extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="; extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
}; };
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
treefmt-nix = { treefmt-nix = {
url = "github:numtide/treefmt-nix"; url = "github:numtide/treefmt-nix";
@ -23,7 +24,7 @@
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
}; };
private.url = "git+file:./private"; private.url = "git+file:./private";
private.inputs.nixpkgs.follows = "nixpkgs"; private.inputs.nixpkgs.follows = "nixpkgs";
@ -58,7 +59,7 @@
inherit (inputs) inherit (inputs)
deploy-rs deploy-rs
disko disko
nixpkgs nixpkgs-nixos-stable
sops-nix sops-nix
private private
git-hooks-nix git-hooks-nix
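Review bot: `private.inputs.nixpkgs.follows = "nixpkgs";` (unchanged context in the second hunk) now resolves to nixos-unstable, while disko follows `nixpkgs-nixos-stable` and the host configurations are evaluated from `nixpkgs-nixos-stable` in nixos-configurations/default.nix; if `private` contributes modules or packages to those hosts, it is evaluated against a different nixpkgs than the systems it lands in. If the stable channel is meant to be authoritative for hosts, `private.inputs.nixpkgs.follows = "nixpkgs-nixos-stable";` keeps one nixpkgs per system and avoids pulling a second nixpkgs closure. Whatever sops-nix and treefmt-nix follow is outside these hunks, but the same question applies to them.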


@ -16,5 +16,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -23,5 +23,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -1,12 +1,12 @@
{ {
self, self,
pkgs, pkgs,
nixpkgs, nixpkgs-nixos-stable,
... ...
}@inputs: }@inputs:
let let
inherit (pkgs.lib) genAttrs; inherit (pkgs.lib) genAttrs;
inherit (nixpkgs.lib) nixosSystem; inherit (nixpkgs-nixos-stable.lib) nixosSystem;
configs = self.lib.foldersWithNix ./.; configs = self.lib.foldersWithNix ./.;
in in
genAttrs configs ( genAttrs configs (


@ -19,5 +19,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -46,5 +46,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -19,5 +19,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -3,7 +3,7 @@
disko.devices.disk = { disko.devices.disk = {
system = { system = {
type = "disk"; type = "disk";
device = "/dev/vdb"; device = "/dev/vda";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {


@ -24,5 +24,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -3,6 +3,7 @@
config, config,
lib, lib,
pkgs, pkgs,
options,
... ...
}: }:
@ -30,6 +31,10 @@ with lib;
"nextcloud30" "nextcloud30"
]; ];
}; };
adminpassFile = options.services.nextcloud.config.adminpassFile // {
default = config.sops.secrets."nextcloud/admin".path;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -59,7 +64,7 @@ with lib;
database.createLocally = true; database.createLocally = true;
config = { config = {
adminpassFile = config.sops.secrets."nextcloud/admin".path; inherit (cfg) adminpassFile;
adminuser = "root"; adminuser = "root";
dbtype = "pgsql"; dbtype = "pgsql";
}; };
@ -83,22 +88,16 @@ with lib;
}; };
phpOptions = { phpOptions = {
"opcache.interned_strings_buffer" = "64"; "opcache.interned_strings_buffer" = "23";
"opcache.memory_consumption" = "512";
"opcache.save_comments" = "1";
"opcache.max_accelerated_files" = "50000";
"opcache.fast_shutdown" = "1";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "8M";
}; };
poolSettings = { poolSettings = {
"pm" = "dynamic"; "pm" = "dynamic";
"pm.max_children" = "480"; "pm.max_children" = "256";
"pm.max_requests" = "2000"; "pm.max_requests" = "500";
"pm.max_spare_servers" = "72"; "pm.max_spare_servers" = "16";
"pm.min_spare_servers" = "24"; "pm.min_spare_servers" = "2";
"pm.start_servers" = "48"; "pm.start_servers" = "8";
}; };
configureRedis = true; configureRedis = true;
@ -122,6 +121,12 @@ with lib;
}; };
}; };
services.phpfpm.pools.nextcloud.settings = {
"pm.max_children" = lib.mkForce "256";
"pm.max_spare_servers" = lib.mkForce "16";
"pm.start_servers" = lib.mkForce "8";
};
users.users.nextcloud.extraGroups = [ "postdrop" ]; users.users.nextcloud.extraGroups = [ "postdrop" ];
systemd.services.nextcloud-cron = { systemd.services.nextcloud-cron = {
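Review bot: The new `adminpassFile` option (hunk @ -30) sets a `default` that reads `config.sops.secrets."nextcloud/admin".path` but gives no `defaultText`; option documentation rendering evaluates defaults, and a default depending on `config` commonly fails there, so add `defaultText = lib.literalExpression ''config.sops.secrets."nextcloud/admin".path'';` next to the default. Because `//` copies the upstream option wholesale, also check that the inherited `description` still describes the qois.cloud behaviour rather than the upstream one. The `services.phpfpm.pools.nextcloud.settings` block added in the last hunk repeats with `mkForce` the same three values already set in `poolSettings` a few lines above; unless another module sets those keys, one of the two is redundant and the pair can drift apart.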


@ -0,0 +1,36 @@
{
...
}:
{
# Note: This extends the default configuration from ${self}/checks/nixos-modules
nodes.webserver =
{ pkgs, lib, ... }:
let
inherit (pkgs) curl gnugrep;
inherit (lib) mkForce;
cloud-domain = "cloud.example.com";
in
{
qois.cloud = {
enable = true;
domain = cloud-domain;
package = pkgs.nextcloud31;
adminpassFile = "${pkgs.writeText "adminpass" "insecure"}"; # Don't try this at home!
};
qois.postgresql.package = pkgs.postgresql;
sops.secrets = mkForce { };
# Disable TLS services
services.nginx.virtualHosts."${cloud-domain}" = {
forceSSL = mkForce false;
enableACME = mkForce false;
};
# Test environment
environment.systemPackages = [
curl
gnugrep
];
};
}


@ -0,0 +1,34 @@
def test(subtest, webserver):
webserver.wait_for_unit("nginx")
webserver.wait_for_open_port(80)
webserver.wait_for_unit("nextcloud-setup.service")
webserver.wait_for_unit("phpfpm-nextcloud.service")
# Helpers
def curl_variable_test(node, variable, expected, url):
value = node.succeed(
f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'"
)
assert value == expected, (
f"expected {variable} to be '{expected}' but got '{value}'"
)
def expect_http_code(node, code, url):
curl_variable_test(node, "http_code", code, url)
def expect_http_content_contains(node, expectedContentSnippet, url):
content = node.succeed(f"curl --no-location --silent '{url}'")
assert expectedContentSnippet in content, f"""
expected in content:
{expectedContentSnippet}
at {url} but got following content:
{content}
"""
# Tests
with subtest("website is successfully served on cloud.example.com"):
webserver.succeed("grep cloud.example.com /etc/hosts")
expect_http_code(webserver, "200", "http://cloud.example.com")
expect_http_content_contains(
webserver, "Log in to cloud.qoo.is", "http://docs.example.com"
)
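Review bot: The final assertion targets two hosts that this test does not configure: it fetches `http://docs.example.com`, which the subtest never checks in /etc/hosts (only cloud.example.com is, two lines above), and expects the text `Log in to cloud.qoo.is`, while the node's domain is cloud.example.com; as written the subtest cannot pass against the configured node. This looks like copy-paste from a docs test and presumably should read `expect_http_content_contains(webserver, "Log in to cloud.example.com", "http://cloud.example.com")`, with the exact login-page text confirmed against a run. Separately, `expect_http_code(webserver, "200", ...)` with `--no-location` may not hold for Nextcloud's root, which commonly answers with a redirect to /login; if so, request `/login` or expect the redirect status instead.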


@ -1,5 +1,5 @@
# Static Pages # Static Pages
This module enables static nginx sites, with data served from "/var/lib/nginx-$domain/root". This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root".
To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs. To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs.


@ -75,7 +75,7 @@ writeText ".sops.yaml" (
# Secrets for all hosts # Secrets for all hosts
{ {
path_regex = "private/nixos-modules/shared-secrets/default\.sops\.(yaml|json|env|ini)$"; path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
pgp = toCommaList userPgpKeys; pgp = toCommaList userPgpKeys;
age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys); age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
} }
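Review bot: The new `path_regex` keeps its dots escaped as `\.` inside a Nix double-quoted string, but Nix drops the backslash before a character that is not one of its recognised escapes, so the pattern handed to sops is `private/nixos-configurations/secrets.sops.(yaml|json|env|ini)$` with `.` matching any character. The pattern is anchored and specific enough that selecting the wrong file is unlikely, but if literal dots are intended write `\\.` or move the pattern into an indented `''…''` string, which leaves backslashes alone. The previous pattern had the same property; only the new line is under review here.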

@ -1 +1 @@
Subproject commit 5f8ba2025848dd30539c42ef1f7e6c6f917e70d9 Subproject commit bed7588246ec58aacac3d0ff5b191fa6cc9faa98