{ nixos-lib, pkgsUnstable, nixpkgs-unstable, pkgs, extraModules, nixLib, ... }: let sshKeys = import ./ssh_keys.nix {inherit pkgs;}; gitServerDomain = "server"; gitoliteAdminConfSnippet = pkgs.writeText "gitolite-admin-conf-snippet" '' repo CREATOR/[a-zA-Z0-9].* C = @all RW+ = CREATOR RW = WRITERS R = READERS option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage ''; expectedGitoliteConf = pkgs.writeText "expected-gitolite-conf" '' repo gitolite-admin RW+ = gitolite-admin repo testing RW+ = @all repo CREATOR/[a-zA-Z0-9].* C = @all RW+ = CREATOR RW = WRITERS R = READERS option user-configs = cgit\.owner cgit\.desc cgit\.section cgit\.homepage ''; expectedHtmlReadme = pkgs.writeText "expectedHtmlReadme" ''

Alice's Repo

''; expectedMdReadme = pkgs.writeText "expectedMdReadme" '' # Alice's Repo ''; in nixos-lib.runTest { hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs name = "git-server"; node = { specialArgs = {inherit pkgsUnstable nixpkgs-unstable nixLib;}; # Use the nixpkgs as constructed by the `nixpkgs.*` options pkgs = null; }; nodes = { server = {config, ...}: { imports = extraModules ++ [ ../../../../modules ]; vhack = { persist.enable = true; openssh.enable = true; nginx = { enable = true; selfsign = true; }; git-server = { enable = true; domain = gitServerDomain; gitolite.adminPubkey = sshKeys.admin.pub; }; }; }; client = {...}: { environment.systemPackages = [pkgs.git]; programs.ssh.extraConfig = '' Host * UserKnownHostsFile /dev/null StrictHostKeyChecking no # there's nobody around that can input password PreferredAuthentications publickey ''; users.users.alice = {isNormalUser = true;}; users.users.bob = {isNormalUser = true;}; }; }; testScript = {nodes, ...}: /* python */ '' start_all() with subtest("can setup ssh keys on client"): client.succeed( "mkdir -p ~root/.ssh", "cp ${sshKeys.admin.priv} ~root/.ssh/id_ed25519", "chmod 600 ~root/.ssh/id_ed25519", ) client.succeed( "sudo -u alice mkdir -p ~alice/.ssh", "sudo -u alice cp ${sshKeys.alice.priv} ~alice/.ssh/id_ed25519", "sudo -u alice chmod 600 ~alice/.ssh/id_ed25519", ) client.succeed( "sudo -u bob mkdir -p ~bob/.ssh", "sudo -u bob cp ${sshKeys.bob.priv} ~bob/.ssh/id_ed25519", "sudo -u bob chmod 600 ~bob/.ssh/id_ed25519", ) with subtest("gitolite server starts"): server.wait_for_unit("gitolite-init.service") server.wait_for_unit("sshd.service") client.succeed("ssh -n git@server info") with subtest("admin can clone and configure gitolite-admin.git"): client.succeed("${pkgs.writeShellScript "setup-gitolite-admin.git" '' set -xe git clone git@server:gitolite-admin.git git config --global user.name 'System Administrator' git config --global user.email root\@domain.example cp ${sshKeys.alice.pub} gitolite-admin/keydir/alice.pub cp ${sshKeys.bob.pub} gitolite-admin/keydir/bob.pub (cd gitolite-admin && git switch -c master && git branch -D main) (cd gitolite-admin && git add . && git commit -m 'Add keys for alice, bob' && git push -u origin master) cat ${gitoliteAdminConfSnippet} >> gitolite-admin/conf/gitolite.conf (cd gitolite-admin && git add . && git commit -m 'Add support for wild repos' && git push) (cd gitolite-admin && git push -d origin main) ''}") server.succeed("${pkgs.writeShellScript "verify gitolite-admin.conf" '' set -xe testFile=~git/.gitolite/conf/gitolite.conf.test cp ~git/.gitolite/conf/gitolite.conf "$testFile" # Normalize the white space sed -i 's/\t/ /g' "$testFile" sed -i 's/\s\+/ /g' "$testFile" diff "$testFile" ${expectedGitoliteConf} ''}") with subtest("non-admins cannot clone gitolite-admin.git"): client.fail("sudo -i -u alice git clone git@server:gitolite-admin.git") client.fail("sudo -i -u bob git clone git@server:gitolite-admin.git") with subtest("non-admins can clone testing.git"): client.succeed("sudo -i -u alice git clone git@server:testing.git") client.succeed("sudo -i -u bob git clone git@server:testing.git") with subtest("alice can create a repo"): client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-create-repo" '' set -xe mkdir alice-repo && cd alice-repo; git init --initial-branch main echo "# Alice's Repo" > README.md git add README.md git -c user.name=Alice -c user.email=alice@domain.example commit -m 'Add readme' git remote add origin git@server:alice/alice-project.git git push --set-upstream origin main ''}") with subtest("alice can clone alice-project.git"): client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-clone-repo" '' set -xe git clone git@server:alice/alice-project.git diff --side-by-side ${expectedMdReadme} ./alice-project/README.md ''}") with subtest("bob cannot clone alice-project.git"): client.fail("sudo -i -u bob git clone git@server:alice/alice-project.git") with subtest("Alice can make her repo public"): client.succeed( "sudo -u alice ssh git@server perms alice/alice-project + READERS @all", "sudo -u alice ssh git@server desc alice/alice-project 'My nice project.'" ) with subtest("Bob can see alice config on cgit"): client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-clone-repo" '' set -xe cd ~bob # Disable ssl verification, as the certs are self-signed git -c http.sslVerify=false clone https://server/alice/alice-project.git ''}") with subtest("Alice can change settings in her repo"): client.succeed("sudo -u alice ${pkgs.writeShellScript "alice-change-settings" '' set -xe echo 'Hi! You want to work with alice' | ssh git@server motd alice/alice-project set ssh git@server config alice/alice-project --add 'cgit.owner' 'alice' ssh git@server config alice/alice-project --add 'cgit.section' 'alice' ssh git@server config alice/alice-project --add 'cgit.homepage' 'alice' owner="$(ssh git@server config alice/alice-project --get-all 'cgit.owner')" [ "$owner" = "alice" ] || { echo "owner should be alice but is '$owner'!" exit 1 } ''}") # He can't see the readme (FIXME: find out why this does not work. <2024-08-13> ) # with subtest("Bob can see alice's README"): # client.succeed("sudo -u bob ${pkgs.writeShellScript "bob-alice-readme" '' # set -xe # # curl --insecure --silent --fail --show-error 'https://server/alice/alice-project/about' > readme.html # cat readme.html # diff --side-by-side ${expectedHtmlReadme} readme.html # ''}") ''; }