Add nix support for suid/sgid testing

2025-12-04 10:54:32 +09:00
parent 4c21d083df
commit b0ae6e563d
5 changed files with 264 additions and 92 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -35,15 +35,29 @@
    in f system pkgs toolchain);
  in {
    apps = let
-      mkApp = program: { type = "app"; program = toString program; };
+      mkApp = program: description: {
+        type = "app";
+        program = toString program;
+        meta = {
+          inherit description;
+        };
+      };
+      mkVm = name: mkApp "${self.nixosConfigurations.${name}.config.system.build.vm}/bin/run-nixos-vm";
    in forAllSystems (system: pkgs: _: {
-      muscl = mkApp (lib.getExe self.packages.${system}.muscl);
+      muscl = mkApp (lib.getExe self.packages.${system}.muscl) "Run muscl without any setup";
      coverage = mkApp (pkgs.writeShellScript "muscl-coverage" ''
        ${lib.getExe pkgs.python3} -m http.server -d "${self.packages.${system}.coverage}/html"
-      '');
-      vm = mkApp "${self.nixosConfigurations.vm.config.system.build.vm}/bin/run-nixos-vm";
+      '') "Serve code coverage report at http://localhost:8000";
+
+      vm = mkVm "vm" "Start a NixOS VM with muscl installed";
+      vm-suid = mkVm "vm-suid" "Start a NixOS VM with muscl as SUID/SGID installed";
    });

+    nixosConfigurations = {
+      vm = import ./nix/nixos-configurations/vm.nix { inherit self nixpkgs; };
+      vm-suid = import ./nix/nixos-configurations/vm-suid.nix { inherit self nixpkgs; };
+    };
+
    devShell = forAllSystems (system: pkgs: toolchain: pkgs.mkShell {
      nativeBuildInputs = with pkgs; [
        toolchain
@@ -66,6 +80,12 @@
      muscl-crane = final: prev: {
        muscl = self.packages.${prev.stdenv.hostPlatform.system}.muscl-crane;
      };
+      muscl-suid = final: prev: {
+        muscl = self.packages.${prev.stdenv.hostPlatform.system}.muscl-suid;
+      };
+      muscl-suid-crane = final: prev: {
+        muscl = self.packages.${prev.stdenv.hostPlatform.system}.muscl-suid-crane;
+      };
    };

    nixosModules = {
@@ -87,83 +107,32 @@
      };
    in {
      default = self.packages.${system}.muscl-crane;
+
      muscl = pkgs.callPackage ./nix/default.nix { inherit cargoToml cargoLock src; };
      muscl-crane = pkgs.callPackage ./nix/default.nix {
        useCrane = true;
        inherit cargoToml cargoLock src craneLib;
      };
+
+      muscl-suid = pkgs.callPackage ./nix/default.nix {
+        suidSgidSupport = true;
+        inherit cargoToml cargoLock src;
+      };
+      muscl-suid-crane = pkgs.callPackage ./nix/default.nix {
+        useCrane = true;
+        suidSgidSupport = true;
+        inherit cargoToml cargoLock src craneLib;
+      };
+
      coverage = pkgs.callPackage ./nix/coverage.nix { inherit cargoToml cargoLock src; };
      filteredSource = pkgs.runCommandLocal "filtered-source" { } ''
        ln -s ${src} $out
      '';
    });

-    nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      pkgs = import nixpkgs {
-        system = "x86_64-linux";
-        overlays = [
-          self.overlays.muscl-crane
-        ];
-      };
-      modules = [
-        "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
-        "${nixpkgs}/nixos/tests/common/user-account.nix"
-
-        self.nixosModules.default
-
-        ({ config, pkgs, ... }: {
-          system.stateVersion = config.system.nixos.release;
-          virtualisation.graphics = false;
-
-          users = {
-            groups = {
-              a = { };
-              b = { };
-            };
-            users.alice.extraGroups = [
-              "a"
-              "b"
-              "wheel"
-              "systemd-journal"
-            ];
-            extraUsers.root.password = "root";
-          };
-
-          services.getty.autologinUser = "alice";
-
-          users.motd = ''
-            =================================
-            Welcome to the muscl vm!
-
-            Try running:
-                ${config.services.muscl.package.meta.mainProgram}
-
-            Password for alice is 'foobar'
-            Password for root is 'root'
-
-            To exit, press Ctrl+A, then X
-            =================================
-          '';
-
-          services.mysql = {
-            enable = true;
-            package = pkgs.mariadb;
-          };
-          services.muscl = {
-            enable = true;
-            logLevel = "trace";
-            createLocalDatabaseUser = true;
-          };
-
-          programs.vim = {
-            enable = true;
-            defaultEditor = true;
-          };
-
-          environment.systemPackages = with pkgs; [ jq ];
-        })
-      ];
-    };
+    checks = forAllSystems (system: pkgs: _: {
+      # NOTE: the non-crane build runs tests during checkPhase
+      inherit (self.packages.${system}) muscl muscl-suid;
+    });
  };
 }