diff --git a/checks/impure/flake-module.nix b/checks/impure/flake-module.nix
index 7683980b7..83183266f 100644
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -1,6 +1,11 @@
 {
 perSystem =
- { pkgs, lib, ... }:
+ {
+ pkgs,
+ lib,
+ self',
+ ...
+ }:
 {
 # a script that executes all other checks
 packages.impure-checks = pkgs.writeShellScriptBin "impure-checks" ''
@@ -10,14 +15,21 @@
 unset CLAN_DIR
 export PATH="${
- lib.makeBinPath [
- pkgs.gitMinimal
- pkgs.nix
- pkgs.rsync # needed to have rsync installed on the dummy ssh server
- ]
+ lib.makeBinPath (
+ [
+ pkgs.gitMinimal
+ pkgs.nix
+ pkgs.rsync # needed to have rsync installed on the dummy ssh server
+ ]
+ ++ self'.packages.clan-cli-full.runtimeDependencies
+ )
 }"
 ROOT=$(git rev-parse --show-toplevel)
 cd "$ROOT/pkgs/clan-cli"
+
+ # this disables dynamic dependency loading in clan-cli
+ export CLAN_NO_DYNAMIC_DEPS=1
+
 nix develop "$ROOT#clan-cli" -c bash -c "TMPDIR=/tmp python -m pytest -s -m impure ./tests $@"
 '';
 };
diff --git a/pkgs/clan-cli/clan_cli/machines/machines.py b/pkgs/clan-cli/clan_cli/machines/machines.py
index b8be7d8d0..57c85c7ae 100644
--- a/pkgs/clan-cli/clan_cli/machines/machines.py
+++ b/pkgs/clan-cli/clan_cli/machines/machines.py
@@ -166,7 +166,10 @@ class Machine:
 if extra_config is not None:
 metadata = nix_metadata(self.flake_dir)
 url = metadata["url"]
- if "dirtyRevision" in metadata:
+ if (
+ "dirtyRevision" in metadata
+ or "dirtyRev" in metadata["locks"]["nodes"]["clan-core"]["locked"]
+ ):
 # if not impure:
 # raise ClanError(
 # "The machine has a dirty revision, and impure mode is not allowed"
diff --git a/pkgs/clan-cli/clan_cli/nix/__init__.py b/pkgs/clan-cli/clan_cli/nix/__init__.py
index e09be8918..e343263a5 100644
--- a/pkgs/clan-cli/clan_cli/nix/__init__.py
+++ b/pkgs/clan-cli/clan_cli/nix/__init__.py
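Review bot: In `Machine` (machines.py, hunk at line 166), the added condition indexes `metadata["locks"]["nodes"]["clan-core"]["locked"]` directly, so a flake whose input is not named `clan-core`, or whose metadata has no lock entry for it, would raise `KeyError` before the dirty check is decided. A defensive lookup keeps the check working for such flakes: `or "dirtyRev" in metadata.get("locks", {}).get("nodes", {}).get("clan-core", {}).get("locked", {})`. A one-line comment saying why a dirty clan-core input is treated like a dirty top-level revision would also help the next reader. The enclosing method starts and ends outside the hunk.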
@@ -103,7 +103,7 @@ def nix_metadata(flake_url: str | Path) -> dict[str, Any]:
 def nix_shell(packages: list[str], cmd: list[str]) -> list[str]:
 # we cannot use nix-shell inside the nix sandbox
 # in our tests we just make sure we have all the packages
- if os.environ.get("IN_NIX_SANDBOX"):
+ if os.environ.get("IN_NIX_SANDBOX") or os.environ.get("CLAN_NO_DYNAMIC_DEPS"):
 return cmd
 return [
 *nix_command(["shell", "--inputs-from", f"{nixpkgs_flake()!s}"]),
diff --git a/pkgs/clan-cli/clan_cli/nix/allowed-programs.json b/pkgs/clan-cli/clan_cli/nix/allowed-programs.json
index f429db13c..79a7a6e01 100644
--- a/pkgs/clan-cli/clan_cli/nix/allowed-programs.json
+++ b/pkgs/clan-cli/clan_cli/nix/allowed-programs.json
@@ -1,6 +1,7 @@
 [
 "age",
 "bash",
+ "bubblewrap",
 "e2fsprogs",
 "git",
 "mypy",
@@ -8,8 +9,10 @@
 "openssh",
 "qemu",
 "rsync",
+ "pass",
 "sops",
 "sshpass",
 "tor",
+ "virtiofsd",
 "zbar"
 ]
diff --git a/pkgs/clan-cli/default.nix b/pkgs/clan-cli/default.nix
index 56f9512df..cb82816e4 100644
--- a/pkgs/clan-cli/default.nix
+++ b/pkgs/clan-cli/default.nix
@@ -30,8 +30,8 @@ let
 # load nixpkgs runtime dependencies from a json file
 # This file represents an allow list at the same time that is checked by the run_cmd
 # implementation in nix.py
- runtimeDependenciesAsSet = lib.genAttrs (lib.importJSON ./clan_cli/nix/allowed-programs.json) (
- name: pkgs.${name}
+ runtimeDependenciesAsSet = lib.filterAttrs (_name: pkg: !pkg.meta.unsupported or false) (
+ lib.genAttrs (lib.importJSON ./clan_cli/nix/allowed-programs.json) (name: pkgs.${name})
 );
 runtimeDependencies = lib.attrValues runtimeDependenciesAsSet;
diff --git a/pkgs/clan-cli/tests/test_vms_cli.py b/pkgs/clan-cli/tests/test_vms_cli.py
index 03561d41b..818da7496 100644
--- a/pkgs/clan-cli/tests/test_vms_cli.py
+++ b/pkgs/clan-cli/tests/test_vms_cli.py
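Review bot: In `nix_shell`, `os.environ.get("CLAN_NO_DYNAMIC_DEPS")` is truthy for any non-empty value, so `CLAN_NO_DYNAMIC_DEPS=0` also switches the nix-shell wrapper off; an explicit comparison such as `os.environ.get("CLAN_NO_DYNAMIC_DEPS") == "1"` matches the value the impure-checks script exports. With the variable set, `packages` is ignored and `cmd` is resolved from the caller's PATH instead of the pinned nixpkgs input, which the comment above the condition does not mention; I would extend it with `# CLAN_NO_DYNAMIC_DEPS: skip nix shell, the caller guarantees all tools are on PATH`. Whether the allow-list check still runs in that mode is not visible in this hunk. The function body continues past the hunk.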
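Review bot: The new `"pass"` entry in the second allowed-programs.json hunk is placed after `"rsync"`, which breaks the alphabetical order the visible entries otherwise keep; it belongs between `"openssh"` and `"qemu"`. The comment in default.nix describes this file as the allow list checked by the run_cmd implementation, so keeping it sorted makes it easier to audit which programs the CLI is permitted to run.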
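Review bot: The added `lib.filterAttrs` in default.nix silently drops every allow-listed package whose `meta.unsupported` is true on the current platform, so `runtimeDependencies` can be shorter than allowed-programs.json with nothing recording which tools were left out, and the comment above still describes only the JSON import. I would add a line such as `# packages unsupported on this platform are dropped; do not assume every allowed program is present`. The predicate is also easy to misread: `!pkg.meta.unsupported or false` parses as `!(pkg.meta.unsupported or false)`, and writing those parentheses makes the intent explicit.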
@@ -40,7 +40,7 @@ def run_vm_in_thread(machine_name: str) -> None:
 # wait for qmp socket to exist
 def wait_vm_up(state_dir: Path) -> None:
 socket_file = state_dir / "qga.sock"
- timeout: float = 20
+ timeout: float = 100
 while True:
 if timeout <= 0:
 raise TimeoutError(