From 657e16aa42cd6cc054da7741051551e58239e921 Mon Sep 17 00:00:00 2001
From: Joachim Ernst
Date: Sat, 19 Jul 2025 00:16:19 +0200
Subject: [PATCH] oxidized: add nixosTests
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/oxidized.nix | 104 +++++++++++++++++++++++++++
 pkgs/by-name/ox/oxidized/package.nix | 6 +-
 3 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 nixos/tests/oxidized.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e1447d74579e..a10485486d39 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1121,6 +1121,7 @@ in
 osquery = handleTestOn [ "x86_64-linux" ] ./osquery.nix { };
 osrm-backend = runTest ./osrm-backend.nix;
 overlayfs = runTest ./overlayfs.nix;
+ oxidized = handleTest ./oxidized.nix { };
 pacemaker = runTest ./pacemaker.nix;
 packagekit = runTest ./packagekit.nix;
 paisa = runTest ./paisa.nix;
diff --git a/nixos/tests/oxidized.nix b/nixos/tests/oxidized.nix
new file mode 100644
index 000000000000..88aadce7a8f4
--- /dev/null
+++ b/nixos/tests/oxidized.nix
@@ -0,0 +1,104 @@
+{
+ system ? builtins.currentSystem,
+ pkgs ? import ../.. {
+ inherit system;
+ config = { };
+ },
+}:
+
+let
+ inherit (import ../lib/testing-python.nix { inherit system pkgs; }) makeTest;
+in
+makeTest {
+ name = "oxidized";
+
+ nodes.server =
+ { config, pkgs, ... }:
+ {
+ security.pam.services.sshd.allowNullPassword = true; # the default `UsePam yes` makes this necessary
+ services = {
+ sshd.enable = true;
+ openssh = {
+ settings.PermitRootLogin = "yes";
+ settings.PermitEmptyPasswords = "yes";
+ };
+ oxidized = {
+ enable = true;
+ package = pkgs.oxidized;
+ routerDB = pkgs.writeText "oxidized-router.db" ''
+ localhost:linuxgeneric:root
+ '';
+ configFile = pkgs.writeText "oxidized-config.yml" ''
+ # vi: ft=yaml
+ ---
+ extensions:
+ oxidized-web:
+ load: true
+ listen: 127.0.0.1
+ port: 8888
+ vhosts:
+ - localhost
+ - 127.0.0.1
+ - oxidized
+ - oxidized.example.com
+ interval: 3600
+ retries: 3
+ model: linuxgeneric
+ username: root
+ source:
+ default: csv
+ csv:
+ file: "/var/lib/oxidized/.config/oxidized/router.db"
+ delimiter: !ruby/regexp /:/
+ map:
+ name: 0
+ model: 1
+ username: 2
+ password: 3
+ vars_map:
+ enable: 4
+ input:
+ default: ssh
+ utf8_encoded: true
+ output:
+ default: git
+ git:
+ single_repo: true
+ user: oxidized
+ email: oxidized@example.com
+ repo: /var/lib/oxidized/git
+ '';
+ };
+ };
+ systemd.services.oxidized = {
+ stopIfChanged = false;
+ environment.HOME = "/var/lib/oxidized";
+ environment.APP_ENV = "production";
+ serviceConfig = {
+ StateDirectory = "oxidized";
+ MemoryDenyWriteExecute = false;
+
+ PrivateNetwork = false;
+ SystemCallFilter = "@system-service";
+ };
+
+ path = [ config.programs.ssh.package ];
+ };
+
+ };
+
+ testScript =
+ { nodes, ... }:
+ ''
+ start_all()
+
+ server.wait_for_unit("oxidized.service")
+
+ with subtest("Check if oxidized reports the correct version"):
+ server.wait_until_succeeds(("curl --silent --fail --location http://127.0.0.1:8888/ | grep '${nodes.server.services.oxidized.package.version}' >&2"))
+ with subtest("Check if oxidized can be accessed with a vhost and reports the correct version"):
+ server.wait_until_succeeds(("curl --silent --fail --resolve oxidized:8888:127.0.0.1 --location http://oxidized:8888/ | grep '${nodes.server.services.oxidized.package.version}' >&2"))
+ with subtest("Check if oxidized can connect to linuxgeneric model"):
+ server.wait_until_succeeds("journalctl -b --grep 'Oxidized::Worker -- Configuration updated for /localhost' -t oxidized")
+ '';
+}
diff --git a/pkgs/by-name/ox/oxidized/package.nix b/pkgs/by-name/ox/oxidized/package.nix
index bfe2e7fa8cf3..9dbfd3502fa9 100644
--- a/pkgs/by-name/ox/oxidized/package.nix
+++ b/pkgs/by-name/ox/oxidized/package.nix
@@ -3,6 +3,7 @@
 ruby,
 bundlerApp,
 bundlerUpdateScript,
+ nixosTests,
 }:
 bundlerApp {
@@ -16,7 +17,10 @@ bundlerApp {
 "oxs"
 ];
- passthru.updateScript = bundlerUpdateScript "oxidized";
+ passthru = {
+ tests = nixosTests.oxidized;
+ updateScript = bundlerUpdateScript "oxidized";
+ };
 meta = with lib; {
 description = "Network device configuration backup tool. It's a RANCID replacement";
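Review bot: In `nodes.server`, the `systemd.services.oxidized.serviceConfig` block sets `MemoryDenyWriteExecute = false`, `PrivateNetwork = false` and `SystemCallFilter = "@system-service"` without saying why, so it is unclear whether the test runs the unit with the sandboxing the module ships or with a loosened one. If these override hardening defaults from the module (not visible in this patch), a test that only passes with them relaxed hides a problem that belongs in the module; if they are needed only so oxidized can reach sshd on loopback, a comment such as `# relaxed for the test: oxidized must reach sshd on 127.0.0.1` next to them would settle it. The passwordless root login (`allowNullPassword`, `PermitRootLogin = "yes"`, `PermitEmptyPasswords = "yes"`) is reasonable inside an isolated test VM but should carry a similar marker, e.g. `# test VM only: empty root password lets oxidized log in without provisioning a key`.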
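Review bot: `tests = nixosTests.oxidized;` in the new `passthru` block of `package.nix` assigns the test derivation itself to `passthru.tests`, whereas nixpkgs treats `passthru.tests` as an attribute set whose values are the individual tests. Tooling that enumerates `passthru.tests` may then walk the derivation's own attributes instead of finding a test named `oxidized`. I would write `tests = { inherit (nixosTests) oxidized; };` so the test is addressable as `oxidized.tests.oxidized`. The earlier hunk in this file, which adds the `nixosTests` argument, needs no change.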