Test envoy deployment with system manager

We verify that the envoy service can be deployed using the
system manager.
We also verify that system manager deployment can be triggered from Ansible.

Author: jfroche

ansible/tasks/setup-nix.yml

@@ -0,0 +1,11 @@
+---
+- name: Check if nix is installed
+  ansible.builtin.command: which nix
+  register: nix_installed
+  failed_when: nix_installed.rc != 0
+  ignore_errors: true
+
+- name: Install nix
+  ansible.builtin.shell: curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm --extra-conf 'substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com' --extra-conf 'trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY='
+  when: nix_installed.rc != 0
+  become: true

ansible/tasks/setup-system-manager.yml

@@ -0,0 +1,7 @@
+---
+- name: Deploy system manager
+  ansible.builtin.shell: |
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
+    cd /tmp
+    nix run /flake#system-manager -- switch --flake /flake
+  become: true

ansible/tests/conftest.py

@@ -1,12 +1,77 @@
+import pytest
+import subprocess
+import testinfra
+from rich.console import Console
+
+console = Console()
+
+
 def pytest_addoption(parser):
     parser.addoption(
-        "--ansible-dir",
+        "--flake-dir",
         action="store",
-        help="Directory containing Ansible playbooks and roles",
+        help="Directory containing the current flake",
     )
 
     parser.addoption(
         "--docker-image",
         action="store",
         help="Docker image and tag to use for testing",
     )
+
+
+@pytest.fixture(scope="module")
+def host(request):
+    flake_dir = request.config.getoption("--flake-dir")
+    docker_id = (
+        subprocess.check_output(
+            [
+                "docker",
+                "run",
+                "--privileged",
+                "--cap-add",
+                "SYS_ADMIN",
+                "--security-opt",
+                "seccomp=unconfined",
+                "--cgroup-parent=docker.slice",
+                "--cgroupns",
+                "private",
+                "-v",
+                f"{flake_dir}:/flake",
+                "-d",
+                "ubuntu-cloudimg-with-tools:0.1",
+            ]
+        )
+        .decode()
+        .strip()
+    )
+    yield testinfra.get_host("docker://" + docker_id)
+    subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)
+
+
+@pytest.fixture(scope="module")
+def run_ansible_playbook(host):
+    def _run_playbook(playbook_name, verbose=False):
+        cmd = [
+            "ANSIBLE_HOST_KEY_CHECKING=False",
+            "ansible-playbook",
+            "--connection=local",
+        ]
+        if verbose:
+            cmd.append("-vvv")
+        cmd.extend([
+            "-i",
+            "localhost,",
+            "--extra-vars",
+            "@/flake/ansible/vars.yml",
+            f"/flake/ansible/tests/{playbook_name}",
+        ])
+        result = host.run(" ".join(cmd))
+        if result.failed:
+            console.log(result.stdout)
+            console.log(result.stderr)
+            import pdb; pdb.set_trace()
+            raise pytest.fail(
+                f"Ansible playbook {playbook_name} failed with return code {result.rc}"
+            )
+    return _run_playbook

ansible/tests/nix.yaml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  tasks:
+  - import_tasks: ../tasks/setup-nix.yml
+  - import_tasks: ../tasks/setup-system-manager.yml

ansible/tests/test_nginx.py

@@ -1,59 +1,9 @@
 import pytest
-import subprocess
-import testinfra
-from rich.console import Console
 
-console = Console()
 
-
-@pytest.fixture(scope="session")
-def host(request):
-    ansible_dir = request.config.getoption("--ansible-dir")
-    docker_id = (
-        subprocess.check_output(
-            [
-                "docker",
-                "run",
-                "--privileged",
-                "--cap-add",
-                "SYS_ADMIN",
-                "--security-opt",
-                "seccomp=unconfined",
-                "--cgroup-parent=docker.slice",
-                "--cgroupns",
-                "private",
-                "-v",
-                f"{ansible_dir}/:/ansible/",
-                "-d",
-                "ubuntu-cloudimg-with-tools:0.1",
-            ]
-        )
-        .decode()
-        .strip()
-    )
-    yield testinfra.get_host("docker://" + docker_id)
-    subprocess.check_call(["docker", "rm", "-f", docker_id], stdout=subprocess.DEVNULL)
-
-
-@pytest.fixture(scope="session", autouse=True)
-def run_ansible(host):
-    cmd = [
-        "ANSIBLE_HOST_KEY_CHECKING=False",
-        "ansible-playbook",
-        "--connection=local",
-        "-i",
-        "localhost,",
-        "--extra-vars",
-        "@/ansible/vars.yml",
-        "/ansible/tests/nginx.yaml",
-    ]
-    result = host.run(" ".join(cmd))
-    if result.failed:
-        console.log(result.stdout)
-        console.log(result.stderr)
-        raise pytest.fail(
-            "Ansible playbook nginx.yaml failed with return code {}".format(result.rc)
-        )
+@pytest.fixture(scope="module", autouse=True)
+def run_ansible(run_ansible_playbook):
+    run_ansible_playbook("nginx.yaml")
 
 
 def test_nginx_service(host):

ansible/tests/test_nix.py

@@ -0,0 +1,13 @@
+import pytest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def run_ansible(run_ansible_playbook):
+    run_ansible_playbook("nix.yaml", verbose=True)
+
+
+def test_nix_service(host):
+    assert host.service("nix-daemon.service").is_running
+
+def test_envoy_service(host):
+    assert host.service("envoy.service").is_running

flake.nix

@@ -59,6 +59,7 @@
         nix/packages
         nix/overlays
         nix/systemModules
+        nix/systemConfigs.nix
       ];
     });
 }

nix/packages/ansible-test.nix

@@ -1,48 +1,9 @@
 {
   pkgs,
   lib,
+  docker-image-ubuntu,
 }:
 let
-  ubuntu-cloudimg =
-    let
-      cloudImg = builtins.fetchurl {
-        url = "http://cloud-images-archive.ubuntu.com/releases/noble/release-20250430/ubuntu-24.04-server-cloudimg-amd64-root.tar.xz";
-        sha256 = "sha256:0rfi3qqs0sqarixfic7pzjpx7d4vldv2d98c5zjv7b90mirznvf9";
-      };
-    in
-    pkgs.runCommand "ubuntu-cloudimg" { nativeBuildInputs = [ pkgs.xz ]; } ''
-      mkdir -p $out
-      tar --exclude='dev/*' \
-          --exclude='etc/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service' \
-          --exclude='etc/systemd/system/multi-user.target.wants/systemd-resolved.service' \
-          --exclude='usr/lib/systemd/system/tpm-udev.service' \
-          --exclude='usr/lib/systemd/system/systemd-remount-fs.service' \
-          --exclude='usr/lib/systemd/system/systemd-resolved.service' \
-          --exclude='var/lib/apt/lists/*' \
-          -xJf ${cloudImg} -C $out
-      rm $out/bin $out/lib $out/lib64 $out/sbin
-      mkdir -p $out/run/systemd && echo 'docker' > $out/run/systemd/container
-      mkdir $out/var/lib/apt/lists/partial
-    '';
-
-  dockerImageUbuntu = pkgs.dockerTools.buildImage {
-    name = "ubuntu-cloudimg";
-    tag = "0.1";
-    created = "now";
-    extraCommands = ''
-      ln -s usr/bin
-      ln -s usr/lib
-      ln -s usr/lib64
-      ln -s usr/sbin
-    '';
-    copyToRoot = pkgs.buildEnv {
-      name = "image-root";
-      pathsToLink = [ "/" ];
-      paths = [ ubuntu-cloudimg ];
-    };
-    config.Cmd = [ "/lib/systemd/systemd" ];
-  };
-
   dockerImageUbuntuWithTools =
     let
       tools = [ pkgs.ansible ];
@@ -52,7 +13,8 @@ let
       tag = "0.1";
       created = "now";
       maxLayers = 30;
-      fromImage = dockerImageUbuntu;
+      fromImage = docker-image-ubuntu;
+      compressor = "zstd";
       config = {
         Env = [
           "PATH=${lib.makeBinPath tools}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -69,19 +31,18 @@ pkgs.writeShellApplication {
         requests
         pytest
         pytest-testinfra
+        pytest-xdist
         rich
       ]
     ))
   ];
   text = ''
     echo "Running Ansible tests..."
     export DOCKER_IMAGE=${dockerImageUbuntuWithTools.imageName}:${dockerImageUbuntuWithTools.imageTag}
-    if ! docker image inspect $DOCKER_IMAGE > /dev/null; then
-      echo "Loading Docker image..."
-      docker load < ${dockerImageUbuntuWithTools}
-    fi
-    ANSIBLE_DIR=${../../ansible}
-    pytest -p no:cacheprovider -s -v "$@" $ANSIBLE_DIR/tests --ansible-dir=$ANSIBLE_DIR --docker-image=$DOCKER_IMAGE
+    echo "Loading Docker image..."
+    docker load < ${dockerImageUbuntuWithTools}
+    FLAKE_DIR=${../..}
+    pytest -x -p no:cacheprovider -s -v "$@" $FLAKE_DIR/ansible/tests --flake-dir=$FLAKE_DIR --docker-image=$DOCKER_IMAGE
   '';
   meta = with pkgs.lib; {
     description = "Ansible test runner";

nix/packages/default.nix

@@ -31,7 +31,9 @@
       packages = (
         {
           build-test-ami = pkgs.callPackage ./build-test-ami.nix { };
-          ansible-test = pkgs.callPackage ./ansible-test.nix { };
+          ansible-test = pkgs.callPackage ./ansible-test.nix {
+            inherit (self'.packages) docker-image-ubuntu;
+          };
           cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { };
           dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; };
           docker-image-ubuntu = pkgs.callPackage ./docker-ubuntu.nix { };
@@ -61,6 +63,7 @@
             name = "start-postgres-server";
           };
           sync-exts-versions = pkgs.callPackage ./sync-exts-versions.nix { inherit (inputs') nix-editor; };
+          system-manager = inputs'.system-manager.packages.default;
           trigger-nix-build = pkgs.callPackage ./trigger-nix-build.nix { };
           update-readme = pkgs.callPackage ./update-readme.nix { };
           inherit (pkgs.callPackage ./wal-g.nix { }) wal-g-2 wal-g-3;

nix/packages/envoy-bin.nix

@@ -16,7 +16,7 @@ let
     .${system} or throwSystem;
   hash =
     {
-      aarch64-linux = "";
+      aarch64-linux = "sha256-65MOMqtVVWQ+CdEdSQ45LQp5DFqA6wsOussQRr27EU0=";
       x86_64-linux = "sha256-JjlWPOm8CbHua9RzF2C1lsjtHkdM3YPMnfk2RRbhQ2c=";
     }
     .${system} or throwSystem;