nixpkgs-suyu/nixos/tests/plausible.nix
Niklas Hambüchen 65a471717c plausible, nixos/plausible: Add listenAddress option.
This changes

* the plausible HTTP web server

to be listening on localhost only, explicitly.

This makes Plausible have an explicit safe default configuration,
like all other networked services in NixOS.

For background discussion, see: https://github.com/NixOS/nixpkgs/issues/130244

As per my upstream Plausible contribution
(https://github.com/plausible/analytics/pull/1190)
Plausible >= 1.5 also defaults to listening to localhost only;
nevertheless, this default should be stated explicitly in nixpkgs
for easier review and independence from upstream changes, and
a NixOS user must be able to configure the
`listenAddress`, as there are valid use cases for that.

Also, disable

* the Erlang Beam VM inter-node RPC port
* the Erlang EPMD port

because Plausible does not use them (see added comment).
This is done by setting `RELEASE_DISTRIBUTION=none`.

Thus, this commit also removes the NixOS setting `releaseCookiePath`,
because it now has no effect.
2023-11-14 10:51:16 +01:00

52 lines
1.6 KiB
Nix

import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "plausible";
meta = with lib.maintainers; {
maintainers = [ ];
};
nodes.machine = { pkgs, ... }: {
virtualisation.memorySize = 4096;
services.plausible = {
enable = true;
adminUser = {
email = "admin@example.org";
passwordFile = "${pkgs.writeText "pwd" "foobar"}";
activate = true;
};
server = {
baseUrl = "http://localhost:8000";
secretKeybaseFile = "${pkgs.writeText "dont-try-this-at-home" "nannannannannannannannannannannannannannannannannannannan_batman!"}";
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("plausible.service")
machine.wait_for_open_port(8000)
# Ensure that the software does not make not make the machine
# listen on any public interfaces by default.
machine.fail("ss -tlpn 'src = 0.0.0.0 or src = [::]' | grep LISTEN")
machine.succeed("curl -f localhost:8000 >&2")
machine.succeed("curl -f localhost:8000/js/script.js >&2")
csrf_token = machine.succeed(
"curl -c /tmp/cookies localhost:8000/login | grep '_csrf_token' | sed -E 's,.*value=\"(.*)\".*,\\1,g'"
)
machine.succeed(
f"curl -b /tmp/cookies -f -X POST localhost:8000/login -F email=admin@example.org -F password=foobar -F _csrf_token={csrf_token.strip()} -D headers"
)
# By ensuring that the user is redirected to the dashboard after login, we
# also make sure that the automatic verification of the module works.
machine.succeed(
"[[ $(grep 'location: ' headers | cut -d: -f2- | xargs echo) == /sites* ]]"
)
machine.shutdown()
'';
})