nixpkgs/nixos/tests/systemd-journal-gateway.nix

import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "systemd-journal-gateway";
    meta = with pkgs.lib.maintainers; {
      maintainers = [
        minijackson
        raitobezarius
      ];
    };

    # Named client for coherence with the systemd-journal-upload test, and for
    # certificate validation
    nodes.client = {
      services.journald.gateway = {
        enable = true;
        cert = "/run/secrets/client/cert.pem";
        key = "/run/secrets/client/key.pem";
        trust = "/run/secrets/ca.cert.pem";
      };
    };

    testScript = ''
      import json
      import subprocess
      import tempfile

      tmpdir_o = tempfile.TemporaryDirectory()
      tmpdir = tmpdir_o.name

      def generate_pems(domain: str):
        subprocess.run(
          [
            "${pkgs.minica}/bin/minica",
            "--ca-key=ca.key.pem",
            "--ca-cert=ca.cert.pem",
            f"--domains={domain}",
          ],
          cwd=str(tmpdir),
        )

      with subtest("Creating keys and certificates"):
        generate_pems("server")
        generate_pems("client")

      client.wait_for_unit("multi-user.target")

      def copy_pem(file: str):
        machine.copy_from_host(source=f"{tmpdir}/{file}", target=f"/run/secrets/{file}")
        machine.succeed(f"chmod 644 /run/secrets/{file}")

      with subtest("Copying keys and certificates"):
        machine.succeed("mkdir -p /run/secrets/{client,server}")
        copy_pem("server/cert.pem")
        copy_pem("server/key.pem")
        copy_pem("client/cert.pem")
        copy_pem("client/key.pem")
        copy_pem("ca.cert.pem")

      client.wait_for_unit("multi-user.target")

      curl = '${pkgs.curl}/bin/curl'
      accept_json = '--header "Accept: application/json"'
      cacert = '--cacert /run/secrets/ca.cert.pem'
      cert = '--cert /run/secrets/server/cert.pem'
      key = '--key /run/secrets/server/key.pem'
      base_url = 'https://client:19531'

      curl_cli = f"{curl} {accept_json} {cacert} {cert} {key} --fail"

      machine_info = client.succeed(f"{curl_cli} {base_url}/machine")
      assert json.loads(machine_info)["hostname"] == "client", "wrong machine name"

      # The HTTP request should have started the gateway service, triggered by
      # the .socket unit
      client.wait_for_unit("systemd-journal-gatewayd.service")

      identifier = "nixos-test"
      message = "Hello from NixOS test infrastructure"

      client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")

      # max-time is a workaround against a bug in systemd-journal-gatewayd where
      # if TLS is enabled, the connection is never closed. Since it will timeout,
      # we ignore the return code.
      entries = client.succeed(
          f"{curl_cli} --max-time 5 {base_url}/entries?SYSLOG_IDENTIFIER={identifier} || true"
      )

      # Number of entries should be only 1
      added_entry = json.loads(entries)
      assert added_entry["SYSLOG_IDENTIFIER"] == identifier and added_entry["MESSAGE"] == message, "journal entry does not correspond"
    '';
  }
)