chore(tests): Make the services in the integration tests only start once they are needed

2025-12-12 15:49:22 -08:00 · 2025-08-20 16:46:11 +02:00
parent ed4ec9d7dd
commit 3498a6e12c
4 changed files with 59 additions and 27 deletions
--- a/tests/integration/flake.lock
+++ b/tests/integration/flake.lock
@@ -100,16 +100,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1751792365,
-        "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/tests/integration/rp-key-exchange.nix
+++ b/tests/integration/rp-key-exchange.nix
@@ -10,7 +10,12 @@ let
 in
 {
  options.services.rosenpassKeyExchange = {
-    enable = lib.mkEnableOption "rosenpass key-exchange";
+    create = lib.mkEnableOption "rosenpass key-exchange";
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      description = "Should the service be enabled";
+      default = true;
+    };
    config = lib.mkOption {
      type = lib.types.path;
      description = "Path to rosenpass configuration";
@@ -21,10 +26,10 @@ in
    };
  };

-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf cfg.create {
    systemd.services.rp-exchange = {
      description = "Rosenpass Key Exchanger";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ ] ++ lib.optional cfg.enable "multi-user.target"; # If we set enable to this, then the service will be masked and cannot be enabled. Doing it this way allows us to enable it.
      requires = [ "network-online.target" ];
      script = ''
        ${cfg.rosenpassVersion}/bin/rosenpass exchange-config ${cfg.config}
--- a/tests/integration/rp-key-sync.nix
+++ b/tests/integration/rp-key-sync.nix
@@ -14,7 +14,13 @@ let
    {
      # Each instance of ths service is defined by the following information:
      options = {
-        enable = lib.mkEnableOption "RP Keysync for ${name}";
+        create = lib.mkEnableOption "RP Keysync for ${name}";
+
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          description = "Should the service be enabled";
+          default = true;
+        };

        wgInterface = lib.mkOption {
          type = lib.types.str;
@@ -52,7 +58,7 @@ in
      name = "${servicePrefix}${instanceName}";
      value = {
        description = "Rosenpass Key Downloader ${instanceName}";
-        wantedBy = [ "multi-user.target" ];
+        wantedBy = [ ] ++ lib.optional instanceCfg.enable "multi-user.target"; # If we set enable to this, then the service will be masked and cannot be enabled. Doing it this way allows us to enable it.
        requires = [ "network-online.target" ];
        # The script downloads the key generated by rosenpass from the key exchange node and sets it as the preshared key for the specified wireguard peer.
        script = ''
@@ -68,7 +74,7 @@ in
          RestartSec = 10;
        };
      };
-    }) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd service (as above) per configured instance.
+    }) (lib.filterAttrs (_: cfg: cfg.create) cfg.instances); # this creates one systemd service (as above) per configured instance.

    systemd.timers = lib.mapAttrs' (instanceName: instanceCfg: {
      name = "${timerPrefix}${instanceName}";
@@ -80,6 +86,6 @@ in
          Unit = "${servicePrefix}${instanceName}.service";
        };
      };
-    }) (lib.filterAttrs (_: cfg: cfg.enable) cfg.instances); # this creates one systemd time (as above) per configured instance.
+    }) (lib.filterAttrs (_: cfg: cfg.create) cfg.instances); # this creates one systemd timer  (as above) per configured instance.
  };
 }
--- a/tests/integration/rpsc-test.nix
+++ b/tests/integration/rpsc-test.nix
@@ -198,7 +198,8 @@ in
        services.rosenpassKeySync.instances =
          {
            AB = {
-              enable = true;
+              create = true;
+              enable = false;
              inherit wgInterface;
              rpHost = "peerakeyexchanger";
              peerPubkey = staticConfig.peerB.publicKey;
@@ -207,7 +208,8 @@ in
          }
          // lib.optionalAttrs multiPeer {
            AC = {
-              enable = true;
+              create = true;
+              enable = false;
              inherit wgInterface;
              rpHost = "peerakeyexchanger";
              peerPubkey = staticConfig.peerC.publicKey;
@@ -243,7 +245,8 @@ in
        services.rosenpassKeySync.instances =
          {
            BA = {
-              enable = true;
+              create = true;
+              enable = false;
              inherit wgInterface;
              rpHost = "peerbkeyexchanger";
              peerPubkey = staticConfig.peerA.publicKey;
@@ -252,7 +255,8 @@ in
          }
          // lib.optionalAttrs multiPeer {
            BC = {
-              enable = true;
+              create = true;
+              enable = false;
              inherit wgInterface;
              rpHost = "peerbkeyexchanger";
              peerPubkey = staticConfig.peerC.publicKey;
@@ -269,7 +273,8 @@ in
        networking.firewall.allowedUDPPorts = [ rpPort ];

        services.rosenpassKeyExchange = {
-          enable = true;
+          create = true;
+          enable = false;
          config = staticConfig.peerA.rosenpassConfig;
          rosenpassVersion = pkgs.rosenpass-peer-a;
        };
@@ -282,7 +287,8 @@ in
        users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];

        services.rosenpassKeyExchange = {
-          enable = true;
+          create = true;
+          enable = false;
          config = staticConfig.peerB.rosenpassConfig;
          rosenpassVersion = pkgs.rosenpass-peer-b;
        };
@@ -314,14 +320,16 @@ in
        # Each instance of the key sync service loads a symmetric key from a rosenpass keyexchanger node and sets it as the preshared key for the appropriate wireguard tunnel.
        services.rosenpassKeySync.instances = {
          CA = {
-            enable = true;
+            create = true;
+            enable = false;
            inherit wgInterface;
            rpHost = "peerckeyexchanger";
            peerPubkey = staticConfig.peerA.publicKey;
            remoteKeyPath = keyExchangePathCA;
          };
          CB = {
-            enable = true;
+            create = true;
+            enable = false;
            inherit wgInterface;
            rpHost = "peerckeyexchanger";
            peerPubkey = staticConfig.peerB.publicKey;
@@ -338,7 +346,8 @@ in
        networking.firewall.allowedUDPPorts = [ rpPort ];

        services.rosenpassKeyExchange = {
-          enable = true;
+          create = true;
+          enable = false;
          config = staticConfig.peerC.rosenpassConfig;
          rosenpassVersion = pkgs.rosenpass-peer-c;
        };
@@ -484,12 +493,20 @@ in
      )
    ''}

-    # Until now, the services must have failed due to lack of keys
-    peerakeyexchanger.succeed("systemctl restart rp-exchange.service")
-    peerbkeyexchanger.succeed("systemctl restart rp-exchange.service")
+    # Until now, the services were disbaled and didn't start (using the enable option of the services)
+    peerakeyexchanger.succeed("systemctl start rp-exchange.service")
+    peerbkeyexchanger.succeed("systemctl start rp-exchange.service")

    ${lib.optionalString multiPeer ''
-      peerckeyexchanger.succeed("systemctl restart rp-exchange.service")
+      peerckeyexchanger.succeed("systemctl start rp-exchange.service")
+    ''}
+
+    # Wait for the service to have started.
+    for m in [peerbkeyexchanger, peerakeyexchanger]:
+      m.wait_for_unit("rp-exchange.service")
+
+    ${lib.optionalString multiPeer ''
+      peerckeyexchanger.wait_for_unit("rp-exchange.service")
    ''}


@@ -514,11 +531,15 @@ in
      peerC.succeed("wg show all preshared-keys 1>&2")
    ''}

-    for m in [peerbkeyexchanger, peerakeyexchanger]:
-      m.wait_for_unit("rp-exchange.service")
+    # Start key sync services and wait for them to start.
+    peerA.succeed("systemctl start rp-key-sync-AB.service")
+    peerB.succeed("systemctl start rp-key-sync-BA.service")

    ${lib.optionalString multiPeer ''
-      peerckeyexchanger.wait_for_unit("rp-exchange.service")
+      peerA.succeed("systemctl start rp-key-sync-AC.service")
+      peerB.succeed("systemctl start rp-key-sync-BC.service")
+      peerC.succeed("systemctl start rp-key-sync-CA.service")
+      peerC.succeed("systemctl start rp-key-sync-CB.service")
    ''}

    peerA.wait_for_unit("rp-key-sync-AB.service")