refactor: clean up flake.nix and nixos configurations for improved readability and organization
- Reformatted `flake.nix` for better structure and consistency, including adjustments to package lists and added metadata for applications. - Updated `nixos/gitea-runner.nix` to streamline configuration and improve clarity. - Refined `nixos/tests.nix` by consolidating service definitions and enhancing test scripts for better maintainability and readability.
This commit is contained in:
Danilo Reyes
@@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
# Gitea Actions Runner Configuration
|
||||
@@ -6,36 +6,36 @@
|
||||
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.gitea-actions-runner;
|
||||
|
||||
|
||||
instances = {
|
||||
# Main runner instance for webref project
|
||||
webref-runner = {
|
||||
enable = true;
|
||||
|
||||
|
||||
# Runner name (will appear in Gitea)
|
||||
name = "nixos-runner-webref";
|
||||
|
||||
|
||||
# Gitea instance URL
|
||||
url = "https://your-gitea-instance.com";
|
||||
|
||||
|
||||
# Runner token - Generate this from Gitea:
|
||||
# Settings -> Actions -> Runners -> Create New Runner
|
||||
# Store the token in a file and reference it here
|
||||
tokenFile = "/var/secrets/gitea-runner-token";
|
||||
|
||||
|
||||
# Labels define what jobs this runner can handle
|
||||
# Format: "label:docker_image" or just "label" for host execution
|
||||
labels = [
|
||||
# Native execution with Nix
|
||||
"nix:native"
|
||||
|
||||
|
||||
# Ubuntu-like for compatibility
|
||||
"ubuntu-latest:docker://node:20-bookworm"
|
||||
|
||||
|
||||
# Specific for this project
|
||||
"webref:native"
|
||||
];
|
||||
|
||||
|
||||
# Host packages available to the runner
|
||||
hostPackages = with pkgs; [
|
||||
# Essential tools
|
||||
@@ -44,15 +44,15 @@
|
||||
curl
|
||||
git
|
||||
nix
|
||||
|
||||
|
||||
# Project-specific
|
||||
nodejs
|
||||
python3
|
||||
postgresql
|
||||
|
||||
|
||||
# Binary cache
|
||||
attic-client
|
||||
|
||||
|
||||
# Container runtime (optional)
|
||||
docker
|
||||
docker-compose
|
||||
@@ -75,16 +75,19 @@
|
||||
extraGroups = [ "docker" ];
|
||||
};
|
||||
|
||||
users.groups.gitea-runner = {};
|
||||
users.groups.gitea-runner = { };
|
||||
|
||||
# Allow runner to use Nix
|
||||
nix.settings = {
|
||||
allowed-users = [ "gitea-runner" ];
|
||||
trusted-users = [ "gitea-runner" ];
|
||||
|
||||
|
||||
# Enable flakes for the runner
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
|
||||
experimental-features = [
|
||||
"nix-command"
|
||||
"flakes"
|
||||
];
|
||||
|
||||
# Optimize for CI performance
|
||||
max-jobs = "auto";
|
||||
cores = 0; # Use all available cores
|
||||
@@ -102,11 +105,10 @@
|
||||
# Resource limits (adjust based on your hardware)
|
||||
MemoryMax = "8G";
|
||||
CPUQuota = "400%"; # 4 cores
|
||||
|
||||
|
||||
# Restart policy
|
||||
Restart = "always";
|
||||
RestartSec = "10s";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
248
nixos/tests.nix
248
nixos/tests.nix
@@ -4,189 +4,203 @@
|
||||
# Backend integration tests with PostgreSQL and MinIO
|
||||
backend-integration = pkgs.testers.nixosTest {
|
||||
name = "webref-backend-integration";
|
||||
|
||||
|
||||
nodes = {
|
||||
machine = { config, pkgs, ... }: {
|
||||
# PostgreSQL service
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "webref" ];
|
||||
ensureUsers = [{
|
||||
name = "webref";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host all all 127.0.0.1/32 trust
|
||||
host all all ::1/128 trust
|
||||
'';
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
# PostgreSQL service
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "webref" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "webref";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host all all 127.0.0.1/32 trust
|
||||
host all all ::1/128 trust
|
||||
'';
|
||||
};
|
||||
|
||||
# MinIO service
|
||||
services.minio = {
|
||||
enable = true;
|
||||
rootCredentialsFile = pkgs.writeText "minio-credentials" ''
|
||||
MINIO_ROOT_USER=minioadmin
|
||||
MINIO_ROOT_PASSWORD=minioadmin
|
||||
'';
|
||||
};
|
||||
|
||||
# Install required packages
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
python3Packages.pytest
|
||||
python3Packages.fastapi
|
||||
postgresql
|
||||
curl
|
||||
];
|
||||
|
||||
# Network configuration
|
||||
networking.firewall.enable = false;
|
||||
};
|
||||
|
||||
# MinIO service
|
||||
services.minio = {
|
||||
enable = true;
|
||||
rootCredentialsFile = pkgs.writeText "minio-credentials" ''
|
||||
MINIO_ROOT_USER=minioadmin
|
||||
MINIO_ROOT_PASSWORD=minioadmin
|
||||
'';
|
||||
};
|
||||
|
||||
# Install required packages
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
python3Packages.pytest
|
||||
python3Packages.fastapi
|
||||
postgresql
|
||||
curl
|
||||
];
|
||||
|
||||
# Network configuration
|
||||
networking.firewall.enable = false;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
testScript = ''
|
||||
start_all()
|
||||
|
||||
|
||||
# Wait for PostgreSQL
|
||||
machine.wait_for_unit("postgresql.service")
|
||||
machine.wait_for_open_port(5432)
|
||||
|
||||
|
||||
# Wait for MinIO
|
||||
machine.wait_for_unit("minio.service")
|
||||
machine.wait_for_open_port(9000)
|
||||
|
||||
|
||||
# Verify PostgreSQL is working
|
||||
machine.succeed("sudo -u postgres psql -c 'SELECT 1;'")
|
||||
|
||||
|
||||
# Verify MinIO is working
|
||||
machine.succeed("curl -f http://localhost:9000/minio/health/live")
|
||||
|
||||
|
||||
machine.succeed("echo '✅ Backend integration test passed'")
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
# Full stack test with backend + database
|
||||
full-stack = pkgs.testers.nixosTest {
|
||||
name = "webref-full-stack";
|
||||
|
||||
|
||||
nodes = {
|
||||
machine = { config, pkgs, ... }: {
|
||||
# PostgreSQL
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "webref" ];
|
||||
ensureUsers = [{
|
||||
name = "webref";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
# PostgreSQL
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "webref" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "webref";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
# MinIO
|
||||
services.minio = {
|
||||
enable = true;
|
||||
rootCredentialsFile = pkgs.writeText "minio-credentials" ''
|
||||
MINIO_ROOT_USER=minioadmin
|
||||
MINIO_ROOT_PASSWORD=minioadmin
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
curl
|
||||
jq
|
||||
];
|
||||
|
||||
networking.firewall.enable = false;
|
||||
};
|
||||
|
||||
# MinIO
|
||||
services.minio = {
|
||||
enable = true;
|
||||
rootCredentialsFile = pkgs.writeText "minio-credentials" ''
|
||||
MINIO_ROOT_USER=minioadmin
|
||||
MINIO_ROOT_PASSWORD=minioadmin
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
curl
|
||||
jq
|
||||
];
|
||||
|
||||
networking.firewall.enable = false;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
testScript = ''
|
||||
start_all()
|
||||
|
||||
|
||||
# Wait for services
|
||||
machine.wait_for_unit("postgresql.service")
|
||||
machine.wait_for_unit("minio.service")
|
||||
machine.wait_for_open_port(5432)
|
||||
machine.wait_for_open_port(9000)
|
||||
|
||||
|
||||
# Test database connectivity
|
||||
machine.succeed("sudo -u postgres psql -c 'SELECT version();'")
|
||||
|
||||
|
||||
# Test MinIO API
|
||||
machine.succeed("curl -f http://localhost:9000/minio/health/live")
|
||||
|
||||
|
||||
machine.succeed("echo '✅ Full stack test passed'")
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
# Performance benchmarks
|
||||
performance = pkgs.testers.nixosTest {
|
||||
name = "webref-performance";
|
||||
|
||||
|
||||
nodes = {
|
||||
machine = { config, pkgs, ... }: {
|
||||
services.postgresql.enable = true;
|
||||
services.minio.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
];
|
||||
};
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
services.postgresql.enable = true;
|
||||
services.minio.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
testScript = ''
|
||||
start_all()
|
||||
machine.wait_for_unit("postgresql.service")
|
||||
|
||||
|
||||
machine.succeed("echo '✅ Performance test passed'")
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
# Security tests
|
||||
security = pkgs.testers.nixosTest {
|
||||
name = "webref-security";
|
||||
|
||||
|
||||
nodes = {
|
||||
machine = { config, pkgs, ... }: {
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "webref" ];
|
||||
ensureUsers = [{
|
||||
name = "webref";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "webref" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "webref";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
# Create system user for testing
|
||||
users.users.webref = {
|
||||
isSystemUser = true;
|
||||
group = "webref";
|
||||
};
|
||||
users.groups.webref = { };
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
nmap
|
||||
];
|
||||
};
|
||||
|
||||
# Create system user for testing
|
||||
users.users.webref = {
|
||||
isSystemUser = true;
|
||||
group = "webref";
|
||||
};
|
||||
users.groups.webref = {};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
python3
|
||||
nmap
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
testScript = ''
|
||||
start_all()
|
||||
machine.wait_for_unit("postgresql.service")
|
||||
|
||||
|
||||
# Wait for PostgreSQL setup scripts to complete (database and user creation)
|
||||
import time
|
||||
machine.wait_for_unit("postgresql-setup.service", timeout=30)
|
||||
time.sleep(2) # Give it a moment to finalize
|
||||
|
||||
|
||||
# Verify database role exists
|
||||
machine.succeed("sudo -u postgres psql -c '\\du' | grep webref")
|
||||
|
||||
|
||||
# Verify database is accessible with webref user
|
||||
machine.succeed("sudo -u webref psql webref -c 'SELECT 1;'")
|
||||
|
||||
|
||||
machine.succeed("echo '✅ Security test passed'")
|
||||
'';
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user