c1631b0a39
This is better for privacy and to avoid leaking netrc credentials in a MITM attack, but also the assumption that we check the hash no longer holds in some cases (in particular for impure derivations). Partially reverts 5db358d4d7.

(cherry picked from commit c04bc17a5a0fdcb725a11ef6541f94730112e7b6)
(cherry picked from commit f2f47fa725fc87bfb536de171a2ea81f2789c9fb)
(cherry picked from commit 7b39cd631e0d3c3d238015c6f450c59bbc9cbc5b)
Upstream-PR: https://github.com/NixOS/nix/pull/11585
Change-Id: Ia973420f6098113da05a594d48394ce1fe41fbb9
{ lib, nixpkgs, nixpkgsFor }:
let
nixos-lib = import (nixpkgs + "/nixos/lib") { };

# Build one NixOS VM test for `system` from the test module `test`.
# Reference: https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
runNixOSTestFor = system: test:
  let
    # The same package set is used for the test driver host and for every node.
    nativePkgs = nixpkgsFor.${system}.native;

    baseTest = nixos-lib.runTest {
      imports = [ test ];
      hostPkgs = nativePkgs;
      defaults = {
        nixpkgs.pkgs = nativePkgs;
        nix.checkAllErrors = false;
      };
      # Expose the nixpkgs source and the system string to the test modules.
      _module.args = { inherit nixpkgs system; };
    };

    # Overlay that replaces `nix` in the nodes' package set with the package
    # exported by the flake `nix/<nixVersion>`.
    useReleasedNix = nixVersion: _final: _prev: {
      nix = (builtins.getFlake "nix/${nixVersion}").packages.${system}.nix;
    };
  in
  baseTest // {
    # Lets a test be re-run against an older Nix release via `nix eval --apply`.
    # Example:
    #   nix build "$(nix eval --raw --impure .#hydraJobs.tests.fetch-git --apply 't: (t.forNix "2.19.2").drvPath')^*"
    #
    # NOTE(review): the flake reference passed to builtins.getFlake is not
    # locked to a content hash here, which is why the example needs --impure.
    # What gets fetched is decided at evaluation time rather than pinned by
    # this repository, so treat forNix as a manual compatibility aid.
    forNix = nixVersion: runNixOSTestFor system {
      imports = [ test ];
      defaults.nixpkgs.overlays = [ (useReleasedNix nixVersion) ];
    };
  };
# NixOS module asserting that a configuration holds no reference to the Nix
# version defined locally in this repository.
checkOverrideNixVersion = { pkgs, lib, ... }:
  let
    # `pkgs.nix` is the new Nix built from this repo. Nodes that are meant to
    # run an older release must not pull it in by accident, so its
    # "nix-<version>" name is put on the forbidden list.
    # NOTE(review): the pattern is built from the literal prefix "nix-" plus
    # the version, so it only catches the local build if its store path name
    # has that form; confirm against the package's name.
    localNixName = "nix-${pkgs.nix.version}";
  in
  {
    system.forbiddenDependenciesRegexes = [ (lib.strings.escapeRegex localNixName) ];
  };
in
let
  # Every test below is built for x86_64-linux; `setuid` is additionally
  # built for i686-linux and therefore calls runNixOSTestFor directly.
  x86Test = runNixOSTestFor "x86_64-linux";

  # Node module used by the version-compatibility tests: forbids the locally
  # built Nix on that node and forces `pkgs.nixVersions.<release>` instead.
  withNixpkgsNix = release: { lib, pkgs, ... }: {
    imports = [ checkOverrideNixVersion ];
    nix.package = lib.mkForce pkgs.nixVersions.${release};
  };
in
{
  authorization = x86Test ./authorization.nix;

  remoteBuilds = x86Test ./remote-builds.nix;

  # Our Nix as the client, building on remotes that run an older Nix.

  remoteBuilds_remote_2_3 = x86Test {
    name = "remoteBuilds_remote_2_3";
    imports = [ ./remote-builds.nix ];
    builders.config = withNixpkgsNix "nix_2_3";
  };

  remoteBuilds_remote_2_18 = x86Test ({ lib, pkgs, ... }: {
    name = "remoteBuilds_remote_2_18";
    imports = [ ./remote-builds.nix ];
    builders.config = withNixpkgsNix "nix_2_18";
  });

  # Our Nix as the builder, serving clients that run an older Nix.

  remoteBuilds_local_2_3 = x86Test ({ lib, pkgs, ... }: {
    name = "remoteBuilds_local_2_3";
    imports = [ ./remote-builds.nix ];
    nodes.client = withNixpkgsNix "nix_2_3";
  });

  remoteBuilds_local_2_18 = x86Test ({ lib, pkgs, ... }: {
    name = "remoteBuilds_local_2_18";
    imports = [ ./remote-builds.nix ];
    nodes.client = withNixpkgsNix "nix_2_18";
  });

  # End remoteBuilds tests

  remoteBuildsSshNg = x86Test ./remote-builds-ssh-ng.nix;

  # Our Nix as the client, building on remotes that run an older Nix.

  remoteBuildsSshNg_remote_2_3 = x86Test {
    name = "remoteBuildsSshNg_remote_2_3";
    imports = [ ./remote-builds-ssh-ng.nix ];
    builders.config = withNixpkgsNix "nix_2_3";
  };

  remoteBuildsSshNg_remote_2_18 = x86Test {
    name = "remoteBuildsSshNg_remote_2_18";
    imports = [ ./remote-builds-ssh-ng.nix ];
    builders.config = withNixpkgsNix "nix_2_18";
  };

  # Our Nix as the builder, serving clients that run an older Nix.

  # FIXME: these tests don't work yet
  /*
  remoteBuildsSshNg_local_2_3 = runNixOSTestFor "x86_64-linux" ({ lib, pkgs, ... }: {
    name = "remoteBuildsSshNg_local_2_3";
    imports = [ ./remote-builds-ssh-ng.nix ];
    nodes.client = { lib, pkgs, ... }: {
      imports = [ checkOverrideNixVersion ];
      nix.package = lib.mkForce pkgs.nixVersions.nix_2_3;
    };
  });

  # TODO: (nixpkgs update) remoteBuildsSshNg_local_2_18 = ...
  */

  nix-copy-closure = x86Test ./nix-copy-closure.nix;

  nix-copy = x86Test ./nix-copy.nix;

  nix-upgrade-nix = x86Test ./nix-upgrade-nix.nix;

  nssPreload = x86Test ./nss-preload.nix;

  githubFlakes = x86Test ./github-flakes.nix;

  sourcehutFlakes = x86Test ./sourcehut-flakes.nix;

  tarballFlakes = x86Test ./tarball-flakes.nix;

  containers = x86Test ./containers/containers.nix;

  # The only test instantiated for more than one system.
  setuid = lib.genAttrs
    [ "i686-linux" "x86_64-linux" ]
    (system: runNixOSTestFor system ./setuid/setuid.nix);

  ca-fd-leak = x86Test ./ca-fd-leak;

  fetch-git = x86Test ./fetch-git;

  symlinkResolvconf = x86Test ./symlink-resolvconf.nix;

  noNewPrivilegesInSandbox = x86Test ./no-new-privileges/sandbox.nix;

  noNewPrivilegesOutsideSandbox = x86Test ./no-new-privileges/no-sandbox.nix;

  broken-userns = x86Test ./broken-userns.nix;

  coredumps = x86Test ./coredumps;

  io_uring = x86Test ./io_uring;

  # NOTE(review): presumably exercises fetchurl over TLS (certificate
  # verification); confirm in ./fetchurl.nix.
  fetchurl = x86Test ./fetchurl.nix;
}