Merge remote-tracking branch 'upstream/master' into ca-drv-exotic

tests/flakes.sh

@@ -5,11 +5,6 @@ if [[ -z $(type -p git) ]]; then
     exit 99
 fi
 
-if [[ -z $(type -p hg) ]]; then
-    echo "Mercurial not installed; skipping flake tests"
-    exit 99
-fi
-
 clearStore
 rm -rf $TEST_HOME/.cache $TEST_HOME/.config
 
@@ -266,6 +261,8 @@ cat > $flake3Dir/flake.nix <<EOF
       mkDerivation {
         inherit system;
         name = "fnord";
+        dummy = builtins.readFile (builtins.path { name = "source"; path = ./.; filter = path: type: baseNameOf path == "config.nix"; } + "/config.nix");
+        dummy2 = builtins.readFile (builtins.path { name = "source"; path = inputs.flake1; filter = path: type: baseNameOf path == "simple.nix"; } + "/simple.nix");
         buildCommand = ''
           cat \${inputs.nonFlake}/README.md > \$out
         '';
@@ -579,45 +576,52 @@ nix build -o $TEST_ROOT/result git+file://$flakeGitBare
 
 # Test Mercurial flakes.
 rm -rf $flake5Dir
-hg init $flake5Dir
+mkdir $flake5Dir
 
 cat > $flake5Dir/flake.nix <<EOF
 {
   outputs = { self, flake1 }: {
     defaultPackage.$system = flake1.defaultPackage.$system;
-
     expr = assert builtins.pathExists ./flake.lock; 123;
   };
 }
 EOF
 
-hg add $flake5Dir/flake.nix
-hg commit --config ui.username=foobar@example.org $flake5Dir -m 'Initial commit'
+if [[ -n $(type -p hg) ]]; then
+    hg init $flake5Dir
 
-nix build -o $TEST_ROOT/result hg+file://$flake5Dir
-[[ -e $TEST_ROOT/result/hello ]]
+    hg add $flake5Dir/flake.nix
+    hg commit --config ui.username=foobar@example.org $flake5Dir -m 'Initial commit'
 
-(! nix flake metadata --json hg+file://$flake5Dir | jq -e -r .revision)
+    nix build -o $TEST_ROOT/result hg+file://$flake5Dir
+    [[ -e $TEST_ROOT/result/hello ]]
 
-nix eval hg+file://$flake5Dir#expr
+    (! nix flake metadata --json hg+file://$flake5Dir | jq -e -r .revision)
 
-nix eval hg+file://$flake5Dir#expr
+    nix eval hg+file://$flake5Dir#expr
 
-(! nix eval hg+file://$flake5Dir#expr --no-allow-dirty)
+    nix eval hg+file://$flake5Dir#expr
 
-(! nix flake metadata --json hg+file://$flake5Dir | jq -e -r .revision)
+    (! nix eval hg+file://$flake5Dir#expr --no-allow-dirty)
 
-hg commit --config ui.username=foobar@example.org $flake5Dir -m 'Add lock file'
+    (! nix flake metadata --json hg+file://$flake5Dir | jq -e -r .revision)
 
-nix flake metadata --json hg+file://$flake5Dir --refresh | jq -e -r .revision
-nix flake metadata --json hg+file://$flake5Dir
-[[ $(nix flake metadata --json hg+file://$flake5Dir | jq -e -r .revCount) = 1 ]]
+    hg commit --config ui.username=foobar@example.org $flake5Dir -m 'Add lock file'
 
-nix build -o $TEST_ROOT/result hg+file://$flake5Dir --no-registries --no-allow-dirty
-nix build -o $TEST_ROOT/result hg+file://$flake5Dir --no-use-registries --no-allow-dirty
+    nix flake metadata --json hg+file://$flake5Dir --refresh | jq -e -r .revision
+    nix flake metadata --json hg+file://$flake5Dir
+    [[ $(nix flake metadata --json hg+file://$flake5Dir | jq -e -r .revCount) = 1 ]]
 
-# Test tarball flakes
-tar cfz $TEST_ROOT/flake.tar.gz -C $TEST_ROOT --exclude .hg flake5
+    nix build -o $TEST_ROOT/result hg+file://$flake5Dir --no-registries --no-allow-dirty
+    nix build -o $TEST_ROOT/result hg+file://$flake5Dir --no-use-registries --no-allow-dirty
+fi
+
+# Test path flakes.
+rm -rf $flake5Dir/.hg $flake5Dir/flake.lock
+nix flake lock path://$flake5Dir
+
+# Test tarball flakes.
+tar cfz $TEST_ROOT/flake.tar.gz -C $TEST_ROOT flake5
 
 nix build -o $TEST_ROOT/result file://$TEST_ROOT/flake.tar.gz
 
@@ -632,8 +636,8 @@ nix build -o $TEST_ROOT/result "file://$TEST_ROOT/flake.tar.gz?narHash=sha256-qQ
 
 # Test --override-input.
 git -C $flake3Dir reset --hard
-nix flake lock $flake3Dir --override-input flake2/flake1 flake5 -vvvvv
-[[ $(jq .nodes.flake1_2.locked.url $flake3Dir/flake.lock) =~ flake5 ]]
+nix flake lock $flake3Dir --override-input flake2/flake1 file://$TEST_ROOT/flake.tar.gz -vvvvv
+[[ $(jq .nodes.flake1_2.locked.url $flake3Dir/flake.lock) =~ flake.tar.gz ]]
 
 nix flake lock $flake3Dir --override-input flake2/flake1 flake1
 [[ $(jq -r .nodes.flake1_2.locked.rev $flake3Dir/flake.lock) =~ $hash2 ]]

tests/nss-preload.nix

@@ -0,0 +1,123 @@
+{ nixpkgs, system, overlay }:
+
+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
+  inherit system;
+  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
+};
+
+makeTest (
+
+rec {
+  name = "nss-preload";
+
+  nodes = {
+    http_dns = { lib, pkgs, config, ... }: {
+      networking.firewall.enable = false;
+      networking.interfaces.eth1.ipv6.addresses = lib.mkForce [
+        { address = "fd21::1"; prefixLength = 64; }
+      ];
+      networking.interfaces.eth1.ipv4.addresses = lib.mkForce [
+        { address = "192.168.0.1"; prefixLength = 24; }
+      ];
+
+      services.unbound = {
+        enable = true;
+        enableRootTrustAnchor = false;
+        settings = {
+          server = {
+            interface = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ];
+            access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ];
+            local-data = [
+              ''"example.com. IN A 192.168.0.1"''
+              ''"example.com. IN AAAA fd21::1"''
+              ''"tarballs.nixos.org. IN A 192.168.0.1"''
+              ''"tarballs.nixos.org. IN AAAA fd21::1"''
+            ];
+          };
+        };
+      };
+
+      services.nginx = {
+        enable = true;
+        virtualHosts."example.com" = {
+          root = pkgs.runCommand "testdir" {} ''
+            mkdir "$out"
+            echo hello world > "$out/index.html"
+          '';
+        };
+      };
+    };
+
+    # client consumes a remote resolver
+    client = { lib, nodes, pkgs, ... }: {
+      networking.useDHCP = false;
+      networking.nameservers = [
+        (lib.head nodes.http_dns.config.networking.interfaces.eth1.ipv6.addresses).address
+        (lib.head nodes.http_dns.config.networking.interfaces.eth1.ipv4.addresses).address
+      ];
+      networking.interfaces.eth1.ipv6.addresses = [
+        { address = "fd21::10"; prefixLength = 64; }
+      ];
+      networking.interfaces.eth1.ipv4.addresses = [
+        { address = "192.168.0.10"; prefixLength = 24; }
+      ];
+
+      nix.sandboxPaths = lib.mkForce [];
+      nix.binaryCaches = lib.mkForce [];
+      nix.useSandbox = lib.mkForce true;
+    };
+  };
+
+  nix-fetch = pkgs.writeText "fetch.nix" ''
+    derivation {
+        # This derivation is an copy from what is available over at
+        # nix.git:corepkgs/fetchurl.nix
+        builder = "builtin:fetchurl";
+
+        # We're going to fetch data from the http_dns instance created before
+        # we expect the content to be the same as the content available there.
+        # ```
+        # $ nix-hash --type sha256 --to-base32 $(echo "hello world" | sha256sum | cut -d " " -f 1)
+        # 0ix4jahrkll5zg01wandq78jw3ab30q4nscph67rniqg5x7r0j59
+        # ```
+        outputHash = "0ix4jahrkll5zg01wandq78jw3ab30q4nscph67rniqg5x7r0j59";
+        outputHashAlgo = "sha256";
+        outputHashMode = "flat";
+
+        name = "example.com";
+        url = "http://example.com";
+
+        unpack = false;
+        executable = false;
+
+        system = "builtin";
+
+        preferLocalBuild = true;
+
+        impureEnvVars = [
+            "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
+        ];
+
+        urls = [ "http://example.com" ];
+      }
+  '';
+
+  testScript = { nodes, ... }: ''
+    http_dns.wait_for_unit("nginx")
+    http_dns.wait_for_open_port(80)
+    http_dns.wait_for_unit("unbound")
+    http_dns.wait_for_open_port(53)
+
+    client.start()
+    client.wait_for_unit('multi-user.target')
+
+    with subtest("can fetch data from a remote server outside sandbox"):
+        client.succeed("nix --version >&2")
+        client.succeed("curl -vvv http://example.com/index.html >&2")
+
+    with subtest("nix-build can lookup dns and fetch data"):
+        client.succeed("""
+          nix-build ${nix-fetch} >&2
+          """)
+  '';
+})