feat: deploy nginx using system manager

And use docker to run tests

Author: jfroche

flake.lock

@@ -31,6 +31,10 @@
       url = "github:cachix/git-hooks.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    system-manager = {
+      url = "github:numtide/system-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
@@ -53,6 +57,7 @@
         nix/nixpkgs.nix
         nix/packages
         nix/overlays
+        nix/systemModules
       ];
     });
 }

flake.nix

@@ -0,0 +1,14 @@
+{
+  flake-parts-lib,
+  withSystem,
+  self,
+  ...
+}:
+{
+  imports = [ ./tests ];
+  flake = {
+    systemModules = {
+      nginx = flake-parts-lib.importApply ./nginx.nix { inherit withSystem self; };
+    };
+  };
+}

nix/systemModules/default.nix

@@ -0,0 +1,25 @@
+{ ... }:
+{ config, ... }:
+{
+  config = {
+    system-manager.preActivationAssertions = {
+      waitForSystemd = {
+        enable = true;
+        script = ''
+          TIMEOUT=20
+          while ! systemctl is-system-running --quiet; do
+            if [ $TIMEOUT -le 0 ]; then
+              echo "Systemd did not start in time."
+              exit 1
+            fi
+            sleep 0.1;
+            echo "Waiting for systemd to start..."
+            TIMEOUT=$((TIMEOUT - 1))
+          done
+        '';
+      };
+    };
+
+    services.nginx.enable = true;
+  };
+}

nix/systemModules/nginx.nix

@@ -0,0 +1,109 @@
+import pytest
+import shutil
+import subprocess
+import testinfra
+import time
+from rich.console import Console
+
+console = Console()
+
+
+def pytest_addoption(parser):
+    parser.addoption(
+        "--image-name",
+        action="store",
+        help="Docker image and tag to use for testing",
+    )
+    parser.addoption(
+        "--image-path",
+        action="store",
+        help="Compressed Docker image to load for testing",
+    )
+
+    parser.addoption(
+        "--force-docker",
+        action="store_true",
+        help="Force using Docker instead of Podman for testing",
+    )
+
+
+@pytest.fixture(scope="session")
+def host(request):
+    force_docker = request.config.getoption("--force-docker")
+    image_name = request.config.getoption("--image-name")
+    image_path = request.config.getoption("--image-path")
+    if not force_docker and shutil.which("podman"):
+        console.log("Using Podman for testing")
+        with console.status("Loading image..."):
+            subprocess.check_output(["podman", "load", "-q", "-i", image_path])
+        podman_id = (
+            subprocess.check_output(
+                [
+                    "podman",
+                    "run",
+                    "--cap-add",
+                    "SYS_ADMIN",
+                    "-d",
+                    image_name,
+                ]
+            )
+            .decode()
+            .strip()
+        )
+        yield testinfra.get_host("podman://" + podman_id)
+        with console.status("Cleaning up..."):
+            subprocess.check_call(
+                ["podman", "rm", "-f", podman_id], stdout=subprocess.DEVNULL
+            )
+    else:
+        console.log("Using Docker for testing")
+        with console.status("Loading image..."):
+            subprocess.check_output(["docker", "load", "-q", "-i", image_path])
+        docker_id = (
+            subprocess.check_output(
+                [
+                    "docker",
+                    "run",
+                    "--privileged",
+                    "--cap-add",
+                    "SYS_ADMIN",
+                    "--security-opt",
+                    "seccomp=unconfined",
+                    "--cgroup-parent=docker.slice",
+                    "--cgroupns",
+                    "private",
+                    "-d",
+                    image_name,
+                ]
+            )
+            .decode()
+            .strip()
+        )
+        yield testinfra.get_host("docker://" + docker_id)
+        with console.status("Cleaning up..."):
+            subprocess.check_call(
+                ["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL
+            )
+
+
+def wait_for_target(host, target, timeout=60):
+    start_time = time.time()
+    while time.time() - start_time < timeout:
+        result = host.run(f"systemctl is-active {target}")
+        if result.rc == 0:
+            return True
+        time.sleep(1)
+    return False
+
+
+@pytest.fixture(scope="session", autouse=True)
+def activate_system_manager(host):
+    with console.status("Waiting systemd to be ready..."):
+        assert wait_for_target(host, "multi-user.target")
+    result = host.run("activate")
+    console.log(result.stdout)
+    console.log(result.stderr)
+    if result.failed:
+        raise pytest.fail(
+            "System manager activation failed with return code {}".format(result.rc)
+        )

nix/systemModules/tests/conftest.py

@@ -0,0 +1,10 @@
+{ self, ... }:
+{
+  perSystem =
+    { lib, pkgs, ... }:
+    {
+      packages = lib.optionalAttrs (pkgs.stdenv.hostPlatform.isLinux) {
+        check-system-manager-nginx = (import ./nginx.nix { inherit self pkgs; });
+      };
+    };
+}

nix/systemModules/tests/default.nix

@@ -0,0 +1,97 @@
+{ self, pkgs }:
+let
+  lib = pkgs.lib;
+  toplevel = self.inputs.system-manager.lib.makeSystemConfig {
+    modules = [
+      self.systemModules.nginx
+      ({
+        nixpkgs.hostPlatform = pkgs.system;
+      })
+    ];
+  };
+  ubuntu-cloudimg =
+    let
+      cloudImg = builtins.fetchurl {
+        url = "http://cloud-images-archive.ubuntu.com/releases/noble/release-20250430/ubuntu-24.04-server-cloudimg-amd64-root.tar.xz";
+        sha256 = "sha256:0rfi3qqs0sqarixfic7pzjpx7d4vldv2d98c5zjv7b90mirznvf9";
+      };
+    in
+    pkgs.runCommand "ubuntu-cloudimg" { nativeBuildInputs = [ pkgs.xz ]; } ''
+      mkdir -p $out
+      tar --exclude='dev/*' \
+          --exclude='etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service' \
+          --exclude='etc/systemd/system/multi-user.target.wants/systemd-resolved.service' \
+          --exclude='usr/lib/systemd/system/tpm-udev.service' \
+          --exclude='usr/lib/systemd/system/systemd-remount-fs.service' \
+          --exclude='usr/lib/systemd/system/systemd-resolved.service' \
+          --exclude='usr/lib/systemd/system/proc-sys-fs-binfmt_misc.automount' \
+          --exclude='usr/lib/systemd/system/sys-kernel-*' \
+          --exclude='var/lib/apt/lists/*' \
+          -xJf ${cloudImg} -C $out
+      rm $out/bin $out/lib $out/lib64 $out/sbin
+      mkdir -p $out/run/systemd && echo 'docker' > $out/run/systemd/container
+      mkdir $out/var/lib/apt/lists/partial
+    '';
+
+  dockerImageUbuntu = pkgs.dockerTools.buildImage {
+    name = "ubuntu-cloudimg";
+    tag = "0.1";
+    created = "now";
+    extraCommands = ''
+      ln -s usr/bin
+      ln -s usr/lib
+      ln -s usr/lib64
+      ln -s usr/sbin
+    '';
+    copyToRoot = pkgs.buildEnv {
+      name = "image-root";
+      pathsToLink = [ "/" ];
+      paths = [ ubuntu-cloudimg ];
+    };
+    config.Cmd = [ "/lib/systemd/systemd" ];
+  };
+
+  dockerImageUbuntuWithTools =
+    let
+      tools = [ toplevel ];
+    in
+    pkgs.dockerTools.buildLayeredImage {
+      name = "ubuntu-cloudimg-with-tools";
+      tag = "0.1";
+      created = "now";
+      maxLayers = 30;
+      fromImage = dockerImageUbuntu;
+      compressor = "zstd";
+      config = {
+        Env = [
+          "PATH=${lib.makeBinPath tools}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ];
+        Cmd = [ "/lib/systemd/systemd" ];
+      };
+    };
+in
+pkgs.writeShellApplication {
+  name = "nginx-test";
+  passthru = {
+    inherit toplevel dockerImageUbuntuWithTools;
+  };
+  runtimeInputs = with pkgs; [
+    (python3.withPackages (
+      ps: with ps; [
+        requests
+        pytest
+        pytest-testinfra
+        rich
+      ]
+    ))
+  ];
+  text = ''
+    export DOCKER_IMAGE=${dockerImageUbuntuWithTools.imageName}:${dockerImageUbuntuWithTools.imageTag}
+    TEST_DIR=${./.}
+    pytest -p no:cacheprovider -s -v "$@" $TEST_DIR --image-name=$DOCKER_IMAGE --image-path=${dockerImageUbuntuWithTools}
+  '';
+  meta = with pkgs.lib; {
+    description = "Test nginx deployment with system-manager";
+    platforms = platforms.linux;
+  };
+}

nix/systemModules/tests/nginx.nix

@@ -0,0 +1,3 @@
+def test_nginx_service(host):
+    assert host.service("nginx.service").is_valid
+    assert host.service("nginx.service").is_running