mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-30 02:42:59 +00:00
65a471717c
This changes * the plausible HTTP web server to be listening on localhost only, explicitly. This makes Plausible have an explicit safe default configuration, like all other networked services in NixOS. For background discussion, see: https://github.com/NixOS/nixpkgs/issues/130244 As per my upstream Plausible contribution (https://github.com/plausible/analytics/pull/1190) Plausible >= 1.5 also defaults to listening to localhost only; nevertheless, this default should be stated explicitly in nixpkgs for easier review and independence from upstream changes, and a NixOS user must be able to configure the `listenAddress`, as there are valid use cases for that. Also, disable * the Erlang Beam VM inter-node RPC port * the Erlang EPMD port because Plausible does not use them (see added comment). This is done by setting `RELEASE_DISTRIBUTION=none`. Thus, this commit also removes the NixOS setting `releaseCookiePath`, because it now has no effect.
53 lines
1.6 KiB
Nix
53 lines
1.6 KiB
Nix
import ./make-test-python.nix ({ pkgs, lib, ... }: {
|
|
name = "plausible";
|
|
meta = with lib.maintainers; {
|
|
maintainers = [ ];
|
|
};
|
|
|
|
nodes.machine = { pkgs, ... }: {
|
|
virtualisation.memorySize = 4096;
|
|
services.plausible = {
|
|
enable = true;
|
|
adminUser = {
|
|
email = "admin@example.org";
|
|
passwordFile = "${pkgs.writeText "pwd" "foobar"}";
|
|
activate = true;
|
|
};
|
|
server = {
|
|
baseUrl = "http://localhost:8000";
|
|
secretKeybaseFile = "${pkgs.writeText "dont-try-this-at-home" "nannannannannannannannannannannannannannannannannannannan_batman!"}";
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
start_all()
|
|
machine.wait_for_unit("plausible.service")
|
|
machine.wait_for_open_port(8000)
|
|
|
|
# Ensure that the software does not make not make the machine
|
|
# listen on any public interfaces by default.
|
|
machine.fail("ss -tlpn 'src = 0.0.0.0 or src = [::]' | grep LISTEN")
|
|
|
|
machine.succeed("curl -f localhost:8000 >&2")
|
|
|
|
machine.succeed("curl -f localhost:8000/js/script.js >&2")
|
|
|
|
csrf_token = machine.succeed(
|
|
"curl -c /tmp/cookies localhost:8000/login | grep '_csrf_token' | sed -E 's,.*value=\"(.*)\".*,\\1,g'"
|
|
)
|
|
|
|
machine.succeed(
|
|
f"curl -b /tmp/cookies -f -X POST localhost:8000/login -F email=admin@example.org -F password=foobar -F _csrf_token={csrf_token.strip()} -D headers"
|
|
)
|
|
|
|
# By ensuring that the user is redirected to the dashboard after login, we
|
|
# also make sure that the automatic verification of the module works.
|
|
machine.succeed(
|
|
"[[ $(grep 'location: ' headers | cut -d: -f2- | xargs echo) == /sites* ]]"
|
|
)
|
|
|
|
machine.shutdown()
|
|
'';
|
|
})
|