WIP: flake.nix: create debian vm test

2026-01-12 16:32:54 +09:00
11 changed files with 129 additions and 84 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ result-*

 # Nix VM
 *.qcow2
+.nixos-test-history

 # Packaging
 !/assets/debian/config.toml
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -62,7 +62,7 @@ version = "1.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -73,7 +73,7 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
 dependencies = [
 "anstyle",
 "once_cell_polyfill",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -251,7 +251,7 @@ dependencies = [
 "semver",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -292,9 +292,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.56"
+version = "4.5.54"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75ca66430e33a14957acc24c5077b503e7d374151b2b4b3a10c83b4ceb4be0e"
+checksum = "c6e6ff9dcd79cff5cd969a17a545d79e84ab086e444102a591e288a8aa3ce394"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -313,9 +313,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.56"
+version = "4.5.54"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "793207c7fa6300a0608d1080b858e5fdbe713cdc1c8db9fb17777d8a13e63df0"
+checksum = "fa42cf4d2b7a41bc8f663a7cab4031ebafa1bf3875705bfaf8466dc60ab52c00"
 dependencies = [
 "anstream",
 "anstyle",
@@ -337,9 +337,9 @@ dependencies = [

 [[package]]
 name = "clap_derive"
-version = "4.5.55"
+version = "4.5.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a92793da1a46a5f2a02a6f4c46c6496b28c43638adea8306fcb0caa1634f24e5"
+checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671"
 dependencies = [
 "heck",
 "proc-macro2",
@@ -1188,7 +1188,7 @@ checksum = "49fefd6652c57d68aaa32544a4c0e642929725bdc1fd929367cdeb673ab81088"
 dependencies = [
 "enumflags2",
 "libc",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 ]

 [[package]]
@@ -1328,7 +1328,7 @@ dependencies = [

 [[package]]
 name = "muscl"
-version = "1.0.0"
+version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-bincode",
@@ -1357,7 +1357,7 @@ dependencies = [
 "serde",
 "serde_json",
 "sqlx",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-serde",
 "tokio-stream",
@@ -1371,9 +1371,9 @@ dependencies = [

 [[package]]
 name = "nix"
-version = "0.31.1"
+version = "0.30.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "225e7cfe711e0ba79a68baeddb2982723e4235247aefce1482f2f16c27865b66"
+checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
 dependencies = [
 "bitflags",
 "cfg-if",
@@ -1398,7 +1398,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -2095,7 +2095,7 @@ dependencies = [
 "serde_json",
 "sha2",
 "smallvec",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 "tokio",
 "tokio-stream",
 "tracing",
@@ -2178,7 +2178,7 @@ dependencies = [
 "smallvec",
 "sqlx-core",
 "stringprep",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 "tracing",
 "whoami",
 ]
@@ -2215,7 +2215,7 @@ dependencies = [
 "smallvec",
 "sqlx-core",
 "stringprep",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 "tracing",
 "whoami",
 ]
@@ -2239,7 +2239,7 @@ dependencies = [
 "serde",
 "serde_urlencoded",
 "sqlx-core",
- "thiserror 2.0.18",
+ "thiserror 2.0.17",
 "tracing",
 "url",
 ]
@@ -2330,11 +2330,11 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "2.0.18"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.18",
+ "thiserror-impl 2.0.17",
 ]

 [[package]]
@@ -2350,9 +2350,9 @@ dependencies = [

 [[package]]
 name = "thiserror-impl"
-version = "2.0.18"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2663,9 +2663,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"

 [[package]]
 name = "uuid"
-version = "1.20.0"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f"
+checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a"
 dependencies = [
 "getrandom 0.3.4",
 "js-sys",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,11 +1,12 @@
 [package]
 name = "muscl"
-version = "1.0.0"
+version = "0.1.0"
 edition = "2024"
 resolver = "2"
 license = "BSD-3-Clause"
 authors = [
-  "Programvareverkstedet <projects@pvv.ntnu.no>",
+  "oysteikt@pvv.ntnu.no",
+  "felixalb@pvv.ntnu.no",
 ]
 homepage = "https://git.pvv.ntnu.no/Projects/muscl"
 repository = "https://git.pvv.ntnu.no/Projects/muscl"
@@ -21,7 +22,7 @@ autolib = false
 anyhow = "1.0.100"
 async-bincode = "0.8.0"
 bincode = "2.0.1"
-clap = { version = "4.5.56", features = ["cargo", "derive"] }
+clap = { version = "4.5.54", features = ["cargo", "derive"] }
 clap-verbosity-flag = { version = "3.0.4", features = [ "tracing" ] }
 clap_complete = { version = "4.5.65", features = ["unstable-dynamic"] }
 color-print = "0.3.7"
@@ -32,14 +33,14 @@ futures-util = "0.3.31"
 humansize = "2.1.3"
 indoc = "2.0.7"
 itertools = "0.14.0"
-nix = { version = "0.31.1", features = ["fs", "process", "socket", "user"] }
+nix = { version = "0.30.1", features = ["fs", "process", "socket", "user"] }
 num_cpus = "1.17.0"
 prettytable = "0.10.0"
 rand = "0.9.2"
 serde = "1.0.228"
 serde_json = { version = "1.0.149", features = ["preserve_order"] }
 sqlx = { version = "0.8.6", features = ["runtime-tokio", "mysql", "tls-rustls"] }
-thiserror = "2.0.18"
+thiserror = "2.0.17"
 tokio = { version = "1.49.0", features = ["rt-multi-thread", "macros", "signal"] }
 tokio-serde = { version = "0.9.0", features = ["bincode"] }
 tokio-stream = "0.1.18"
@@ -47,7 +48,7 @@ tokio-util = { version = "0.7.18", features = ["codec", "rt"] }
 toml = "0.9.11"
 tracing = { version = "0.1.44", features = ["log"] }
 tracing-subscriber = "0.3.22"
-uuid = { version = "1.20.0", features = ["v4"] }
+uuid = { version = "1.19.0", features = ["v4"] }

 [target.'cfg(target_os = "linux")'.dependencies]
 landlock = "0.4.4"
--- a/assets/systemd/muscl.socket
+++ b/assets/systemd/muscl.socket
@@ -3,7 +3,6 @@ Description=Muscl MySQL admin tool

 [Socket]
 ListenStream=/run/muscl/muscl.sock
-RemoveOnStop=true
 Accept=no
 PassCredentials=true

--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "crane": {
      "locked": {
-        "lastModified": 1769737823,
-        "narHash": "sha256-DrBaNpZ+sJ4stXm+0nBX7zqZT9t9P22zbk6m5YhQxS4=",
+        "lastModified": 1767744144,
+        "narHash": "sha256-9/9ntI0D+HbN4G0TrK3KmHbTvwgswz7p8IEJsWyef8Q=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "b2f45c3830aa96b7456a4c4bc327d04d7a43e1ba",
+        "rev": "2fb033290bf6b23f226d4c8b32f7f7a16b043d7e",
        "type": "github"
      },
      "original": {
@@ -15,13 +15,33 @@
        "type": "github"
      }
    },
+    "nix-vm-test": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1763976673,
+        "narHash": "sha256-QPeI8WR+brwodiy4YNfOnLI7rOHJfFPrGm+xT/HmtT4=",
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "rev": "8611bdd7a49750a880be9ee2ea9f68c53f8c9299",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1769461804,
-        "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
+        "lastModified": 1768127708,
+        "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+        "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
        "type": "github"
      },
      "original": {
@@ -34,6 +54,7 @@
    "root": {
      "inputs": {
        "crane": "crane",
+        "nix-vm-test": "nix-vm-test",
        "nixpkgs": "nixpkgs",
        "rust-overlay": "rust-overlay"
      }
@@ -45,11 +66,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769828398,
-        "narHash": "sha256-zmnvRUm15QrlKH0V1BZoiT3U+Q+tr+P5Osi8qgtL9fY=",
+        "lastModified": 1768186348,
+        "narHash": "sha256-nkpIe3zkpeoFuOl8xBpexulECsHLQ9Ljg1gW3bPCjSI=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "a1d32c90c8a4ea43e9586b7e5894c179d5747425",
+        "rev": "af69e497567a5945a64057717bc9b17c8478097e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -6,9 +6,12 @@
    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";

    crane.url = "github:ipetkov/crane";
+
+    nix-vm-test.url = "github:numtide/nix-vm-test";
+    nix-vm-test.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, rust-overlay, crane }:
+  outputs = { self, nixpkgs, rust-overlay, crane, nix-vm-test }:
  let
    inherit (nixpkgs) lib;

@@ -95,6 +98,8 @@
      muscl = import ./nix/module.nix;
    };

+    # vmlib = forAllSystems(system: _: _: nix-vm-test.lib.${system});
+
    packages = forAllSystems (system: pkgs: _:
      let
      cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
@@ -130,6 +135,8 @@
      filteredSource = pkgs.runCommandLocal "filtered-source" { } ''
        ln -s ${src} $out
      '';
+
+      debianVm = import ./nix/debian-vm-configuration.nix { inherit nix-vm-test nixpkgs system pkgs; };
    });

    checks = forAllSystems (system: pkgs: _: {
--- a/nix/debian-vm-configuration.nix
+++ b/nix/debian-vm-configuration.nix
@@ -0,0 +1,49 @@
+{ nix-vm-test, nixpkgs, system, pkgs, ... }:
+let
+  image = nix-vm-test.lib.${system}.debian.images."13";
+
+  generic = import "${nix-vm-test}/generic" { inherit pkgs nixpkgs; inherit (pkgs) lib; };
+
+  makeVmTestForImage =
+    image:
+    {
+      testScript,
+      sharedDirs ? {},
+      diskSize ? null,
+      config ? { }
+    }:
+    generic.makeVmTest {
+      inherit
+        system
+        testScript
+        sharedDirs;
+      image = nix-vm-test.lib.${system}.debian.prepareDebianImage {
+        inherit diskSize;
+        hostPkgs = pkgs;
+        originalImage = image;
+      };
+      machineConfigModule = config;
+    };
+
+    vmTest = makeVmTestForImage image {
+       diskSize = "10G";
+       sharedDirs = {
+         debDir = {
+           source = "${./.}";
+           target = "/mnt";
+         };
+       };
+       testScript = ''
+         vm.wait_for_unit("multi-user.target")
+         vm.succeed("apt-get update && apt-get -y install mariadb-server build-essential curl")
+         vm.succeed("curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y")
+         vm.succeed("source /root/.cargo/env && cargo install cargo-deb")
+         vm.succeed("cp -r /mnt /root/src && chmod -R +w /root/src")
+         vm.succeed("source /root/.cargo/env && cd /root/src && ./create-deb.sh")
+       '';
+       config.nodes.vm = {
+         virtualisation.memorySize = 8192;
+         virtualisation.cpus = 4;
+       };
+    };
+in vmTest.driverInteractive
--- a/scripts/download-and-upload-debs.sh
+++ b/scripts/download-and-upload-debs.sh
@@ -54,13 +54,11 @@ for variant in debian-bookworm debian-trixie ubuntu-jammy ubuntu-noble; do
    DEB_VERSION=$(find "$TMPDIR/muscl-deb-$variant-$GIT_SHA"/*.deb -print0 | xargs -0 -n1 basename | cut -d'_' -f2 | head -n1)
    DEB_ARCH=$(find "$TMPDIR/muscl-deb-$variant-$GIT_SHA"/*.deb -print0 | xargs -0 -n1 basename | cut -d'_' -f3 | cut -d'.' -f1 | head -n1)

-    # echo "[DELETE] https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"
-    # curl \
-    #   -X DELETE \
-    #   --user "$GITEA_USER:$GITEA_TOKEN" \
-    #   "https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"
+    curl \
+      -X DELETE \
+      --user "$GITEA_USER:$GITEA_TOKEN" \
+      "https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"

-    echo "[PUT] https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/upload"
    curl \
      -X PUT \
      --user "$GITEA_USER:$GITEA_TOKEN" \
--- a/src/bin/muscl.rs
+++ b/src/bin/muscl.rs
@@ -319,8 +319,7 @@ fn main() -> anyhow::Result<()> {
        #[cfg(not(feature = "suid-sgid-mode"))]
        None,
        args.verbose,
-    )
-    .context("Failed to connect to the server")?;
+    )?;

    tokio_run_command(args.command, connection)?;

--- a/src/core/bootstrap.rs
+++ b/src/core/bootstrap.rs
@@ -1,6 +1,5 @@
 use std::{
    fs,
-    os::unix::fs::FileTypeExt,
    path::{Path, PathBuf},
    sync::Arc,
    time::Duration,
@@ -8,10 +7,7 @@ use std::{

 use anyhow::{Context, anyhow};
 use clap_verbosity_flag::{InfoLevel, Verbosity};
-use nix::{
-    libc::{EXIT_SUCCESS, exit},
-    unistd::{AccessFlags, access},
-};
+use nix::libc::{EXIT_SUCCESS, exit};
 use sqlx::mysql::MySqlPoolOptions;
 use std::os::unix::net::UnixStream as StdUnixStream;
 use tokio::{net::UnixStream as TokioUnixStream, sync::RwLock};
@@ -134,28 +130,11 @@ pub fn bootstrap_server_connection_and_drop_privileges(
    }
 }

-fn socket_path_is_ok(path: &Path) -> anyhow::Result<()> {
-    fs::metadata(path)
-        .context(format!("Failed to get metadata for {:?}", path))
-        .and_then(|meta| {
-            if !meta.file_type().is_socket() {
-                anyhow::bail!("{:?} is not a unix socket", path);
-            }
-
-            access(path, AccessFlags::R_OK | AccessFlags::W_OK)
-                .with_context(|| format!("Socket at {:?} is not readable/writable", path))?;
-
-            Ok(())
-        })
-}
-
 fn connect_to_external_server(
    server_socket_path: Option<PathBuf>,
 ) -> anyhow::Result<StdUnixStream> {
+    // TODO: ensure this is both readable and writable
    if let Some(socket_path) = server_socket_path {
-        tracing::trace!("Checking socket at {:?}", socket_path);
-        socket_path_is_ok(&socket_path)?;
-
        tracing::debug!("Connecting to socket at {:?}", socket_path);
        return match StdUnixStream::connect(socket_path) {
            Ok(socket) => Ok(socket),
@@ -168,9 +147,6 @@ fn connect_to_external_server(
    }

    if fs::metadata(DEFAULT_SOCKET_PATH).is_ok() {
-        tracing::trace!("Checking socket at {:?}", DEFAULT_SOCKET_PATH);
-        socket_path_is_ok(Path::new(DEFAULT_SOCKET_PATH))?;
-
        tracing::debug!("Connecting to default socket at {:?}", DEFAULT_SOCKET_PATH);
        return match StdUnixStream::connect(DEFAULT_SOCKET_PATH) {
            Ok(socket) => Ok(socket),
@@ -182,9 +158,7 @@ fn connect_to_external_server(
        };
    }

-    anyhow::bail!(
-        "No socket path provided, and no socket found found at default location {DEFAULT_SOCKET_PATH}"
-    );
+    anyhow::bail!("No socket path provided, and no default socket found");
 }

 // TODO: this function is security critical, it should be integration tested
--- a/src/server/authorization.rs
+++ b/src/server/authorization.rs
@@ -59,10 +59,6 @@ fn parse_group_denylist(denylist_path: &Path, lines: Lines) -> GroupDenylist {
        }
        .trim();

-        if trimmed_line.is_empty() {
-            continue;
-        }
-
        let parts: Vec<&str> = trimmed_line.splitn(2, ':').collect();
        if parts.len() != 2 {
            tracing::warn!(