Improve test VM workflow.

.github/workflows/test.yaml

@@ -0,0 +1,14 @@
+on:
+  pull_request:
+  push:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix build -L
+      - run: nix flake check -L

README.md

@@ -2,16 +2,11 @@
 
 ## Preliminaries
 
-You need Nix installed on your local dev machine, with flakes enabled. If you
-don't have Nix installed, you can use SSH onto the server and use it to run the
-commands. Obviously this doesn't work for initial provisioning.
+You need Nix installed on your local machine. You can use the
+[DeterminateSystems installer](https://github.com/DeterminateSystems/nix-installer) for this:
 
-TODO: maybe create some users on the server so we don't have to operate as root
-for everything.
-
-You can enable flakes by creating a `~/.config/nix/nix.conf` file:
-```
-experimental-features = nix-command flakes
+```sh
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 ```
 
 ## How do I deploy to the server?
@@ -70,28 +65,48 @@ nix run .#start-vm
 This starts a local VM running in QEMU. Handy to check everything works as
 expected before deploying.
 
-It will forward port 443 of the VM onto port 8443, meaning you may visit
-https://localhost:8443/ once the VM has started.
+When starting, this command will obtain a Vault token and inject it into the VM
+to be used for fetch GitHub client ID and secrets. If needed, you may be
+prompted for your GitHub personal access token.
 
-Nginx is configured using a self-signed certificate, which will cause some
-browser warnings.
+Port 443 of the VM is exposed as port 8443, meaning you may visit
+https://localhost:8443/ once the VM has started. nginx is configured using a
+self-signed certificate, which will cause some browser warnings.
 
-Packit is configured to use basic authentication, but no users exist by default.
-In the VM console, run the following:
+Packit is configured to use GitHub authentication. If needed, after logging in,
+you may grant yourself more permissions on a particular Packit instance through
+the VM console.
 
 ```
-create-basic-user <instance> "admin@localhost.com" password
-grant-role <instance> "admin@localhost.com" ADMIN
+grant-role <instance> <github username> ADMIN
 ```
 
 ## How do I run the integration tests?
 
 ```sh
-nix flake check
+nix flake check -L
 ```
 
-This doesn't test that much yet, just that the Packit API eventually comes up.
-We should at least try to interact with the API a little.
+Depending on your host system and how Nix was installed on it, this may fail
+with a "qemu-kvm: failed to initialize kvm: Permission denied" error. This
+typically means that `/dev/kvm` and is not writable by the Nix build users.
+
+This can be fixed by changing the devices ACLs (Access Control Lists) to make it writable by all
+members of the nixbld group:
+
+```sh
+sudo setfacl -m g:nixbld:rw /dev/kvm
+```
+
+The above command will probably not persist across reboots. For that to work,
+create a udev rule using the following commands:
+
+```sh
+sudo tee /etc/udev/rules.d/50-nixbld-kvm.rules <<EOF
+KERNEL=="kvm", RUN+="/bin/setfacl -m g:nixbld:rw $env{DEVNAME}"
+EOF
+sudo udevadm control --reload-rules && sudo udevadm trigger
+```
 
 ## How do I add new SSH keys?
 

configuration.nix

@@ -11,6 +11,10 @@
     inputs.disko.nixosModules.disko
   ];
 
+  virtualisation.vmVariant = {
+    imports = [ ./vm.nix ];
+  };
+
   boot.loader.grub = {
     # no need to set devices, disko will add all devices that have a EF02 partition to the list already
     # devices = [ ];

flake.nix

@@ -9,6 +9,7 @@
         overlays = [ self.overlays.default ];
         config.allowUnfreePredicate = pkg: builtins.elem (nixpkgs.lib.getName pkg) [
           "vault"
+          "vault-bin"
         ];
       };
     in
@@ -29,22 +30,12 @@
         ];
       };
 
-      nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
-        system = "x86_64-linux";
-        specialArgs = { inherit inputs; };
-        modules = [
-          ./configuration.nix
-          ./tests/setup.nix
-          { nixpkgs = pkgsArgs; }
-        ];
-      };
-
       packages.x86_64-linux =
         let pkgs = import nixpkgs ({ system = "x86_64-linux"; } // pkgsArgs);
         in {
           inherit (pkgs) outpack_server packit-app packit-api packit;
 
-          default = self.nixosConfigurations."wpia-packit".config.system.build.toplevel;
+          default = self.nixosConfigurations.wpia-packit.config.system.build.toplevel;
 
           deploy = pkgs.writeShellApplication {
             name = "deploy-wpia-packit";
@@ -79,12 +70,28 @@
           };
 
           update = pkgs.writers.writePython3Bin "update" { } ./scripts/update.py;
-          start-vm = self.nixosConfigurations."vm".config.system.build.vm;
+
+          start-vm = pkgs.writeShellApplication {
+            name = "start-vm";
+            runtimeInputs = [ pkgs.vault-bin ];
+            text = ''
+              export VAULT_ADDR=https://vault.dide.ic.ac.uk:8200
+              VAULT_TOKEN=$(vault print token)
+              if [[ -z $VAULT_TOKEN ]]; then
+                echo "Logging in to $VAULT_ADDR"
+                VAULT_TOKEN=$(vault login -method=github -field=token)
+              fi
+
+              exec ${nixpkgs.lib.getExe self.nixosConfigurations.wpia-packit.config.system.build.vm} \
+                -fw_cfg name=opt/vault-token,string="$VAULT_TOKEN" "$@"
+            '';
+
+          };
         };
 
-      checks.x86_64-linux.boots =
+      checks.x86_64-linux.default =
         let pkgs = import nixpkgs ({ system = "x86_64-linux"; } // pkgsArgs);
-        in pkgs.callPackage ./tests/boot.nix { inherit inputs; };
+        in pkgs.callPackage ./tests { inherit inputs; };
 
       devShells.x86_64-linux.default =
         let pkgs = import nixpkgs ({ system = "x86_64-linux"; } // pkgsArgs);

packages/packit/packit-api.nix

@@ -34,6 +34,7 @@ let
     nativeBuildInputs = [ perl ];
     installPhase = ''
       find $GRADLE_USER_HOME/caches/modules-2 -type f -regex '.*\.\(jar\|pom\|module\)' \
+         | LC_ALL=C sort \
          | perl -pe 's#(.*/([^/]+)/([^/]+)/([^/]+)/[0-9a-f]{30,40}/([^/\s]+))$# ($x = $2) =~ tr|\.|/|; "install -Dm444 $1 \$out/$x/$3/$4/$5" #e' \
          | sh
       rm -rf $out/tmp

packages/packit/sources.json

@@ -7,4 +7,4 @@
   },
   "gradleDepsHash": "sha256-HTpu1hMNol+Shi2P1GdBnO1oLlqqEWTezdmy4I9ijKY=",
   "npmDepsHash": "sha256-o//+q3trkCnKpSAWEHPZOeiMYxzKOvrGDgEv63BsnxI="
-}
+}

scripts/fetch-secrets.sh

@@ -1,8 +1,7 @@
 #!/usr/bin/env bash
 set -eu
 
-VAULT_ADDR=https://vault.dide.ic.ac.uk:8200
-export VAULT_ADDR
+export VAULT_ADDR="https://vault.dide.ic.ac.uk:8200"
 
 VAULT_TOKEN=$(vault login -method=github -token-only)
 export VAULT_TOKEN

scripts/fetch-vm-secrets.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -eu
+
+export VAULT_ADDR="https://vault.dide.ic.ac.uk:8200"
+
+VAULT_TOKEN=$(cat /sys/firmware/qemu_fw_cfg/by_name/opt/vault-token/raw)
+export VAULT_TOKEN
+
+PACKIT_GITHUB_CLIENT_ID=$(vault kv get -mount=secret -field=id packit/githubauth/auth/githubclient)
+PACKIT_GITHUB_CLIENT_SECRET=$(vault kv get -mount=secret -field=secret packit/githubauth/auth/githubclient)
+
+cat > /var/secrets/github-oauth <<EOF
+PACKIT_GITHUB_CLIENT_ID=$PACKIT_GITHUB_CLIENT_ID
+PACKIT_GITHUB_CLIENT_SECRET=$PACKIT_GITHUB_CLIENT_SECRET
+EOF

tests/default.nix

@@ -0,0 +1,32 @@
+{ pkgs, inputs }:
+pkgs.testers.runNixOSTest {
+  name = "boot";
+  node.specialArgs = {
+    inherit inputs;
+  };
+  nodes.machine = { lib, config, ... }: {
+    imports = [
+      ../configuration.nix
+
+      # The `virtualisation.vmVariant` setting we use to import VM-specific
+      # settings doesn't work for the test VMs, so re-import the vm module here.
+      # https://github.com/NixOS/nixpkgs/pull/339511#issuecomment-2328611982
+      ../vm.nix
+    ];
+
+    services.packit-api.instances =
+      let
+        f = name: lib.nameValuePair name {
+          authentication.method = lib.mkForce "basic";
+        };
+      in
+      lib.listToAttrs (map f config.services.multi-packit.instances);
+
+    # It's suprisingly easy to run qemu without hardware acceleration and not
+    # notice it, which makes the VM so slow the tests tend to fail. This forces
+    # KVM acceleration and will fail to start if missing.
+    virtualisation.qemu.options = [ "-machine" "accel=kvm" ];
+  };
+
+  testScript = builtins.readFile ./script.py;
+}

tests/script.py

@@ -0,0 +1,25 @@
+import json
+from shlex import quote
+
+machine.wait_for_unit("multi-user.target")
+
+api_url = "https://localhost/reside/packit/api"
+response = machine.wait_until_succeeds(f"curl -sfk {api_url}/auth/config")
+data = json.loads(response)
+assert data == {
+  "enableAuth": True,
+  "enableBasicLogin": True,
+  "enableGithubLogin": False,
+}
+
+machine.succeed(
+  "create-basic-user reside admin@localhost.com password",
+  "grant-role reside admin@localhost.com ADMIN")
+
+payload = json.dumps({ "email": "admin@localhost.com", "password": "password"})
+response = machine.succeed(f"curl -sfk --json {quote(payload)} {api_url}/auth/login/basic")
+token = json.loads(response)["token"]
+
+response = machine.succeed(f"curl -sfk --oauth2-bearer {quote(token)} {api_url}/outpack/")
+data = json.loads(response)
+assert data["status"] == "success"

tools.nix

@@ -2,7 +2,7 @@
 let
   fetch-secrets = pkgs.writeShellApplication {
     name = "fetch-secrets";
-    runtimeInputs = [ pkgs.vault ];
+    runtimeInputs = [ pkgs.vault-bin ];
     text = builtins.readFile ./scripts/fetch-secrets.sh;
   };