qois.cloud: add basic test (WIP)

qois.cloud: make adminpassFile an option
2025-06-21 10:26:17 +02:00 · 2025-06-14 21:04:26 +02:00
18 changed files with 144 additions and 65 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -45,17 +45,3 @@ jobs:
          lfs: false
      - name: "Deploy profile"
        run: "auto-deploy ${{ matrix.profile }}"
  deploy-ci:
    needs: deploy
    if: success() && github.ref == 'refs/heads/main'
    runs-on: nix
    env:
      SSH_DEPLOY_KEY: "${{ secrets.SSH_DEPLOY_KEY }}"
    steps:
      - name: Initialize CI
        uses: https://git.qo.is/qo.is/actions-nix-init@main
        with:
          token: ${{ secrets.CI_TOKEN }}
          lfs: false
      - name: "Deploy profile"
        run: "auto-deploy system-ci"
--- a/defaults/meta/hosts.json
+++ b/defaults/meta/hosts.json
@ -17,7 +17,7 @@
  },
  "lindberg-webapps": {
    "hostName": "lindberg-webapps",
-    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIByESy+XiBT8/PoE8DUB388B5MA6LVcJBgH1ZgYxr9Mg"
+    "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJT99lj5OI+V1PlZl/T2ikBORwMiXjDfWpHYfq/GvUM5"
  },
  "batzberg": {
    "hostName": "batzberg"
--- a/flake.lock
+++ b/flake.lock
@ -23,15 +23,15 @@
    "disko": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-nixos-stable"
        ]
      },
      "locked": {
-        "lastModified": 1751854533,
+        "lastModified": 1749200714,
-        "narHash": "sha256-U/OQFplExOR1jazZY4KkaQkJqOl59xlh21HP9mI79Vc=",
+        "narHash": "sha256-W8KiJIrVwmf43JOPbbTu5lzq+cmdtRqaNbOsZigjioY=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "16b74a1e304197248a1bc663280f2548dbfcae3c",
+        "rev": "17d08c65c241b1d65b3ddf79e3fac1ddc870b0f6",
        "type": "github"
      },
      "original": {
@ -81,11 +81,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750779888,
+        "lastModified": 1747372754,
-        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
        "type": "github"
      },
      "original": {
@ -131,18 +131,34 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs-nixos-stable": {
      "locked": {
-        "lastModified": 1751741127,
+        "lastModified": 1748995628,
-        "narHash": "sha256-t75Shs76NgxjZSgvvZZ9qOmz5zuBE8buUaYD28BMTxg=",
+        "narHash": "sha256-bFufQGSAEYQgjtc4wMrobS5HWN0hDP+ZX+zthYcml9U=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "29e290002bfff26af1db6f64d070698019460302",
+        "rev": "8eb3b6a2366a7095939cd22f0dc0e9991313294b",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1749143949,
        "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -154,10 +170,10 @@
        ]
      },
      "locked": {
-        "lastModified": 1749920008,
+        "lastModified": 1747599024,
-        "narHash": "sha256-wn3U2q/+OQYErVyoY9kwZP/fXcDG4ewhJkHX7qHzq8g=",
+        "narHash": "sha256-qc94Cyt6uaQCVY2VlCtNxGb7hs3DbLvxuhEnSLFL8T8=",
-        "rev": "5f8ba2025848dd30539c42ef1f7e6c6f917e70d9",
+        "rev": "bed7588246ec58aacac3d0ff5b191fa6cc9faa98",
-        "revCount": 19,
+        "revCount": 17,
        "type": "git",
        "url": "file:./private"
      },
@ -172,6 +188,7 @@
        "disko": "disko",
        "git-hooks-nix": "git-hooks-nix",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
        "private": "private",
        "sops-nix": "sops-nix",
        "treefmt-nix": "treefmt-nix"
@ -184,11 +201,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1751606940,
+        "lastModified": 1747603214,
-        "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
+        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
+        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
        "type": "github"
      },
      "original": {
@ -219,11 +236,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750931469,
+        "lastModified": 1749194973,
-        "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
+        "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
+        "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -5,7 +5,8 @@
    extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
  };
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
    treefmt-nix = {
      url = "github:numtide/treefmt-nix";
@ -23,7 +24,7 @@
    deploy-rs.url = "github:serokell/deploy-rs";
    disko = {
      url = "github:nix-community/disko";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
    };
    private.url = "git+file:./private";
    private.inputs.nixpkgs.follows = "nixpkgs";
@ -58,7 +59,7 @@
        inherit (inputs)
          deploy-rs
          disko
-          nixpkgs
+          nixpkgs-nixos-stable
          sops-nix
          private
          git-hooks-nix
--- a/nixos-configurations/calanda/default.nix
+++ b/nixos-configurations/calanda/default.nix
@ -16,5 +16,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/nixos-configurations/cyprianspitz/default.nix
+++ b/nixos-configurations/cyprianspitz/default.nix
@ -23,5 +23,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/nixos-configurations/default.nix
+++ b/nixos-configurations/default.nix
@ -1,12 +1,12 @@
 {
  self,
  pkgs,
-  nixpkgs,
+  nixpkgs-nixos-stable,
  ...
 }@inputs:
 let
  inherit (pkgs.lib) genAttrs;
-  inherit (nixpkgs.lib) nixosSystem;
+  inherit (nixpkgs-nixos-stable.lib) nixosSystem;
  configs = self.lib.foldersWithNix ./.;
 in
 genAttrs configs (
--- a/nixos-configurations/lindberg-build/default.nix
+++ b/nixos-configurations/lindberg-build/default.nix
@ -19,5 +19,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/nixos-configurations/lindberg-nextcloud/default.nix
+++ b/nixos-configurations/lindberg-nextcloud/default.nix
@ -46,5 +46,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/nixos-configurations/lindberg-webapps/default.nix
+++ b/nixos-configurations/lindberg-webapps/default.nix
@ -19,5 +19,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/nixos-configurations/lindberg-webapps/disko-config.nix
+++ b/nixos-configurations/lindberg-webapps/disko-config.nix
@ -3,7 +3,7 @@
  disko.devices.disk = {
    system = {
      type = "disk";
-      device = "/dev/vdb";
+      device = "/dev/vda";
      content = {
        type = "gpt";
        partitions = {
--- a/nixos-configurations/lindberg/default.nix
+++ b/nixos-configurations/lindberg/default.nix
@ -24,5 +24,5 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.05"; # Did you read the comment?
+  system.stateVersion = "24.11"; # Did you read the comment?
 }
--- a/nixos-modules/cloud/default.nix
+++ b/nixos-modules/cloud/default.nix
@ -3,6 +3,7 @@
  config,
  lib,
  pkgs,
  options,
  ...
 }:
@ -30,6 +31,10 @@ with lib;
        "nextcloud30"
      ];
    };
    adminpassFile = options.services.nextcloud.config.adminpassFile // {
      default = config.sops.secrets."nextcloud/admin".path;
    };
  };
  config = mkIf cfg.enable {
@ -59,7 +64,7 @@ with lib;
      database.createLocally = true;
      config = {
-        adminpassFile = config.sops.secrets."nextcloud/admin".path;
+        inherit (cfg) adminpassFile;
        adminuser = "root";
        dbtype = "pgsql";
      };
@ -83,22 +88,16 @@ with lib;
      };
      phpOptions = {
-        "opcache.interned_strings_buffer" = "64";
+        "opcache.interned_strings_buffer" = "23";
        "opcache.memory_consumption" = "512";
        "opcache.save_comments" = "1";
        "opcache.max_accelerated_files" = "50000";
        "opcache.fast_shutdown" = "1";
        "opcache.jit" = "1255";
        "opcache.jit_buffer_size" = "8M";
      };
      poolSettings = {
        "pm" = "dynamic";
-        "pm.max_children" = "480";
+        "pm.max_children" = "256";
-        "pm.max_requests" = "2000";
+        "pm.max_requests" = "500";
-        "pm.max_spare_servers" = "72";
+        "pm.max_spare_servers" = "16";
-        "pm.min_spare_servers" = "24";
+        "pm.min_spare_servers" = "2";
-        "pm.start_servers" = "48";
+        "pm.start_servers" = "8";
      };
      configureRedis = true;
@ -122,6 +121,12 @@ with lib;
      };
    };
    services.phpfpm.pools.nextcloud.settings = {
      "pm.max_children" = lib.mkForce "256";
      "pm.max_spare_servers" = lib.mkForce "16";
      "pm.start_servers" = lib.mkForce "8";
    };
    users.users.nextcloud.extraGroups = [ "postdrop" ];
    systemd.services.nextcloud-cron = {
--- a/nixos-modules/cloud/test.nix
+++ b/nixos-modules/cloud/test.nix
@ -0,0 +1,36 @@
 {
  ...
 }:
 {
  # Note: This extends the default configuration from ${self}/checks/nixos-modules
  nodes.webserver =
    { pkgs, lib, ... }:
    let
      inherit (pkgs) curl gnugrep;
      inherit (lib) mkForce;
      cloud-domain = "cloud.example.com";
    in
    {
      qois.cloud = {
        enable = true;
        domain = cloud-domain;
        package = pkgs.nextcloud31;
        adminpassFile = "${pkgs.writeText "adminpass" "insecure"}"; # Don't try this at home!
      };
      qois.postgresql.package = pkgs.postgresql;
      sops.secrets = mkForce { };
      # Disable TLS services
      services.nginx.virtualHosts."${cloud-domain}" = {
        forceSSL = mkForce false;
        enableACME = mkForce false;
      };
      # Test environment
      environment.systemPackages = [
        curl
        gnugrep
      ];
    };
 }
--- a/nixos-modules/cloud/test.py
+++ b/nixos-modules/cloud/test.py
@ -0,0 +1,34 @@
 def test(subtest, webserver):
    webserver.wait_for_unit("nginx")
    webserver.wait_for_open_port(80)
    webserver.wait_for_unit("nextcloud-setup.service")
    webserver.wait_for_unit("phpfpm-nextcloud.service")
    # Helpers
    def curl_variable_test(node, variable, expected, url):
        value = node.succeed(
            f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'"
        )
        assert value == expected, (
            f"expected {variable} to be '{expected}' but got '{value}'"
        )
    def expect_http_code(node, code, url):
        curl_variable_test(node, "http_code", code, url)
    def expect_http_content_contains(node, expectedContentSnippet, url):
        content = node.succeed(f"curl --no-location --silent '{url}'")
        assert expectedContentSnippet in content, f"""
                expected in content:
                  {expectedContentSnippet}
                at {url} but got following content:
                  {content}
            """
    # Tests
    with subtest("website is successfully served on cloud.example.com"):
        webserver.succeed("grep cloud.example.com /etc/hosts")
        expect_http_code(webserver, "200", "http://cloud.example.com")
        expect_http_content_contains(
            webserver, "Log in to cloud.qoo.is", "http://docs.example.com"
        )
--- a/nixos-modules/static-page/README.md
+++ b/nixos-modules/static-page/README.md
@ -1,5 +1,5 @@
 # Static Pages
-This module enables static nginx sites, with data served from "/var/lib/nginx-$domain/root".
+This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root".
 To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs.
--- a/packages/sops-config/default.nix
+++ b/packages/sops-config/default.nix
@ -75,7 +75,7 @@ writeText ".sops.yaml" (
        # Secrets for all hosts
        {
-          path_regex = "private/nixos-modules/shared-secrets/default\.sops\.(yaml|json|env|ini)$";
+          path_regex = "private/nixos-configurations/secrets\.sops\.(yaml|json|env|ini)$";
          pgp = toCommaList userPgpKeys;
          age = toCommaList (userAgeKeys ++ builtins.attrValues serverAgeKeys);
        }
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 5f8ba2025848dd30539c42ef1f7e6c6f917e70d9
+Subproject commit bed7588246ec58aacac3d0ff5b191fa6cc9faa98
Author	SHA1	Message	Date
Raphael Borun Das Gupta	a76519ac01	qois.cloud: add basic test (WIP) Some checks failed CI / build (push) Failing after 19m20s Details CI / deploy (docs-ops.qo.is) (push) Has been skipped Details CI / deploy (system-physical) (push) Has been skipped Details CI / deploy (system-vm) (push) Has been skipped Details	2025-06-21 10:26:17 +02:00
Raphael Borun Das Gupta	b295ae9396	qois.cloud: make adminpassFile an option	2025-06-14 21:04:26 +02:00
		`@ -1 +1 @@`
			`Subproject commit 5f8ba2025848dd30539c42ef1f7e6c6f917e70d9`				`Subproject commit bed7588246ec58aacac3d0ff5b191fa6cc9faa98`