WIP: flake.nix: create debian vm test

.gitignore

@@ -9,6 +9,7 @@ result-*
 
 # Nix VM
 *.qcow2
+.nixos-test-history
 
 # Packaging
 !/assets/debian/config.toml

assets/systemd/muscl.socket

@@ -3,7 +3,6 @@ Description=Muscl MySQL admin tool
 
 [Socket]
 ListenStream=/run/muscl/muscl.sock
-RemoveOnStop=true
 Accept=no
 PassCredentials=true
 

flake.lock

@@ -15,6 +15,26 @@
         "type": "github"
       }
     },
+    "nix-vm-test": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1763976673,
+        "narHash": "sha256-QPeI8WR+brwodiy4YNfOnLI7rOHJfFPrGm+xT/HmtT4=",
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "rev": "8611bdd7a49750a880be9ee2ea9f68c53f8c9299",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1768127708,
@@ -34,6 +54,7 @@
     "root": {
       "inputs": {
         "crane": "crane",
+        "nix-vm-test": "nix-vm-test",
         "nixpkgs": "nixpkgs",
         "rust-overlay": "rust-overlay"
       }

flake.nix

@@ -6,9 +6,12 @@
     rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
 
     crane.url = "github:ipetkov/crane";
+
+    nix-vm-test.url = "github:numtide/nix-vm-test";
+    nix-vm-test.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, rust-overlay, crane }:
+  outputs = { self, nixpkgs, rust-overlay, crane, nix-vm-test }:
   let
     inherit (nixpkgs) lib;
 
@@ -95,6 +98,8 @@
       muscl = import ./nix/module.nix;
     };
 
+    # vmlib = forAllSystems(system: _: _: nix-vm-test.lib.${system});
+
     packages = forAllSystems (system: pkgs: _:
       let
       cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
@@ -130,6 +135,8 @@
       filteredSource = pkgs.runCommandLocal "filtered-source" { } ''
         ln -s ${src} $out
       '';
+
+      debianVm = import ./nix/debian-vm-configuration.nix { inherit nix-vm-test nixpkgs system pkgs; };
     });
 
     checks = forAllSystems (system: pkgs: _: {

nix/debian-vm-configuration.nix

@@ -0,0 +1,49 @@
+{ nix-vm-test, nixpkgs, system, pkgs, ... }:
+let
+  image = nix-vm-test.lib.${system}.debian.images."13";
+
+  generic = import "${nix-vm-test}/generic" { inherit pkgs nixpkgs; inherit (pkgs) lib; };
+
+  makeVmTestForImage =
+    image:
+    {
+      testScript,
+      sharedDirs ? {},
+      diskSize ? null,
+      config ? { }
+    }:
+    generic.makeVmTest {
+      inherit
+        system
+        testScript
+        sharedDirs;
+      image = nix-vm-test.lib.${system}.debian.prepareDebianImage {
+        inherit diskSize;
+        hostPkgs = pkgs;
+        originalImage = image;
+      };
+      machineConfigModule = config;
+    };
+
+    vmTest = makeVmTestForImage image {
+       diskSize = "10G";
+       sharedDirs = {
+         debDir = {
+           source = "${./.}";
+           target = "/mnt";
+         };
+       };
+       testScript = ''
+         vm.wait_for_unit("multi-user.target")
+         vm.succeed("apt-get update && apt-get -y install mariadb-server build-essential curl")
+         vm.succeed("curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y")
+         vm.succeed("source /root/.cargo/env && cargo install cargo-deb")
+         vm.succeed("cp -r /mnt /root/src && chmod -R +w /root/src")
+         vm.succeed("source /root/.cargo/env && cd /root/src && ./create-deb.sh")
+       '';
+       config.nodes.vm = {
+         virtualisation.memorySize = 8192;
+         virtualisation.cpus = 4;
+       };
+    };
+in vmTest.driverInteractive

scripts/download-and-upload-debs.sh

@@ -54,13 +54,11 @@ for variant in debian-bookworm debian-trixie ubuntu-jammy ubuntu-noble; do
     DEB_VERSION=$(find "$TMPDIR/muscl-deb-$variant-$GIT_SHA"/*.deb -print0 | xargs -0 -n1 basename | cut -d'_' -f2 | head -n1)
     DEB_ARCH=$(find "$TMPDIR/muscl-deb-$variant-$GIT_SHA"/*.deb -print0 | xargs -0 -n1 basename | cut -d'_' -f3 | cut -d'.' -f1 | head -n1)
 
-    echo "[DELETE] https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"
     curl \
       -X DELETE \
       --user "$GITEA_USER:$GITEA_TOKEN" \
       "https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"
 
-    echo "[PUT] https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/upload"
     curl \
       -X PUT \
       --user "$GITEA_USER:$GITEA_TOKEN" \

src/bin/muscl.rs

@@ -319,8 +319,7 @@ fn main() -> anyhow::Result<()> {
         #[cfg(not(feature = "suid-sgid-mode"))]
         None,
         args.verbose,
-    )
-    .context("Failed to connect to the server")?;
+    )?;
 
     tokio_run_command(args.command, connection)?;
 

src/core/bootstrap.rs

@@ -1,6 +1,5 @@
 use std::{
     fs,
-    os::unix::fs::FileTypeExt,
     path::{Path, PathBuf},
     sync::Arc,
     time::Duration,
@@ -8,10 +7,7 @@ use std::{
 
 use anyhow::{Context, anyhow};
 use clap_verbosity_flag::{InfoLevel, Verbosity};
-use nix::{
-    libc::{EXIT_SUCCESS, exit},
-    unistd::{AccessFlags, access},
-};
+use nix::libc::{EXIT_SUCCESS, exit};
 use sqlx::mysql::MySqlPoolOptions;
 use std::os::unix::net::UnixStream as StdUnixStream;
 use tokio::{net::UnixStream as TokioUnixStream, sync::RwLock};
@@ -134,28 +130,11 @@ pub fn bootstrap_server_connection_and_drop_privileges(
     }
 }
 
-fn socket_path_is_ok(path: &Path) -> anyhow::Result<()> {
-    fs::metadata(path)
-        .context(format!("Failed to get metadata for {:?}", path))
-        .and_then(|meta| {
-            if !meta.file_type().is_socket() {
-                anyhow::bail!("{:?} is not a unix socket", path);
-            }
-
-            access(path, AccessFlags::R_OK | AccessFlags::W_OK)
-                .with_context(|| format!("Socket at {:?} is not readable/writable", path))?;
-
-            Ok(())
-        })
-}
-
 fn connect_to_external_server(
     server_socket_path: Option<PathBuf>,
 ) -> anyhow::Result<StdUnixStream> {
+    // TODO: ensure this is both readable and writable
     if let Some(socket_path) = server_socket_path {
-        tracing::trace!("Checking socket at {:?}", socket_path);
-        socket_path_is_ok(&socket_path)?;
-
         tracing::debug!("Connecting to socket at {:?}", socket_path);
         return match StdUnixStream::connect(socket_path) {
             Ok(socket) => Ok(socket),
@@ -168,9 +147,6 @@ fn connect_to_external_server(
     }
 
     if fs::metadata(DEFAULT_SOCKET_PATH).is_ok() {
-        tracing::trace!("Checking socket at {:?}", DEFAULT_SOCKET_PATH);
-        socket_path_is_ok(Path::new(DEFAULT_SOCKET_PATH))?;
-
         tracing::debug!("Connecting to default socket at {:?}", DEFAULT_SOCKET_PATH);
         return match StdUnixStream::connect(DEFAULT_SOCKET_PATH) {
             Ok(socket) => Ok(socket),
@@ -182,9 +158,7 @@ fn connect_to_external_server(
         };
     }
 
-    anyhow::bail!(
-        "No socket path provided, and no socket found found at default location {DEFAULT_SOCKET_PATH}"
-    );
+    anyhow::bail!("No socket path provided, and no default socket found");
 }
 
 // TODO: this function is security critical, it should be integration tested

src/server/authorization.rs

@@ -59,10 +59,6 @@ fn parse_group_denylist(denylist_path: &Path, lines: Lines) -> GroupDenylist {
         }
         .trim();
 
-        if trimmed_line.is_empty() {
-            continue;
-        }
-
         let parts: Vec<&str> = trimmed_line.splitn(2, ':').collect();
         if parts.len() != 2 {
             tracing::warn!(