From 0200a0c16e3f3daf7f42fc4dbb4438149e7e3515 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 17 Jun 2025 13:41:20 +0200
Subject: [PATCH] add run-vm-test-offline package for offline VM testing

This package allows running NixOS VM tests in an offline environment using network namespace isolation. It builds the test driver and runs it with unshare to ensure no network access.
---
checks/flake-module.nix | 3 +++
pkgs/run-vm-test-offline/default.nix | 38 ++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 pkgs/run-vm-test-offline/default.nix
diff --git a/checks/flake-module.nix b/checks/flake-module.nix
index ed3122540..f817efcc7 100644
--- a/checks/flake-module.nix
+++ b/checks/flake-module.nix
@@ -112,6 +112,9 @@ in cp ${../flake.lock} $out/flake.lock ''; }; + packages = lib.optionalAttrs (pkgs.stdenv.isLinux) { + run-vm-test-offline = pkgs.callPackage ../pkgs/run-vm-test-offline { }; + }; legacyPackages = { nixosTests = let
diff --git a/pkgs/run-vm-test-offline/default.nix b/pkgs/run-vm-test-offline/default.nix
new file mode 100644
index 000000000..c4c3d20d6
--- /dev/null
+++ b/pkgs/run-vm-test-offline/default.nix
@@ -0,0 +1,38 @@
+{
+ writeShellApplication,
+ util-linux,
+ coreutils,
+}:
+
+writeShellApplication {
+ name = "run-vm-test-offline";
+ runtimeInputs = [
+ util-linux
+ coreutils
+ ]; # nix is inherited from the environment
+ text = ''
+ set -euo pipefail
+
+ if [ $# -eq 0 ]; then
+ echo "Error: Test name required"
+ echo "Usage: nix run .#run-offline-test -- "
+ echo "Example: nix run .#run-offline-test -- installation"
+ exit 1
+ fi
+
+ TEST_NAME="$1"
+
+ echo "Building $TEST_NAME test driver..."
+ SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')
+ nix build ".#checks.$SYSTEM.$TEST_NAME.driver"
+
+ echo "Running $TEST_NAME test in offline environment..."
+ # We use unshare here with root to avoid usernamespace issues originating from bubblewrap
+ currentUser="$(whoami)"
+ sudo unshare --net -- bash -c "
+ ip link set lo up
+ runuser -u $(printf "%q" "$currentUser") ./result/bin/nixos-test-driver
+ "
+ '';
+ meta.description = "Run interactivly NixOS VM tests in an sandbox without network access";
+}
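Review bot: The root shell started by `sudo unshare --net -- bash -c` runs `ip link set lo up`, but `ip` is not in `runtimeInputs` (neither util-linux nor coreutils ships it), so `ip` and `runuser` are resolved through whatever PATH sudo passes on and the script breaks where that PATH is reset. Adding `iproute2` to the function arguments and to `runtimeInputs`, or calling `${iproute2}/bin/ip` and `${util-linux}/bin/runuser` by store path inside the quoted command, pins exactly what executes as root. The usage text also names `.#run-offline-test` while the package is exposed as `run-vm-test-offline`. Since `--net` only gives the process an empty network namespace, path-based Unix sockets such as the nix-daemon socket presumably stay reachable from the test driver; a comment next to the `unshare` call stating that limit of the "offline" guarantee would help.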