Merge master into staging-next

  ###### implementation

  config = lib.mkIf config.hardware.cpu.amd.updateMicrocode {

    # Microcode updates must be the first item prepended in the initrd

    boot.initrd.prepend = lib.mkOrder 1 [ "${pkgs.microcodeAmd}/amd-ucode.img" ];

    boot.initrd.prepend = lib.mkOrder 1 [ "${pkgs.microcode-amd}/amd-ucode.img" ];

  };

}

  ###### implementation

  config = lib.mkIf config.hardware.cpu.intel.updateMicrocode {

    # Microcode updates must be the first item prepended in the initrd

    boot.initrd.prepend = lib.mkOrder 1 [ "${pkgs.microcodeIntel}/intel-ucode.img" ];

    boot.initrd.prepend = lib.mkOrder 1 [ "${pkgs.microcode-intel}/intel-ucode.img" ];

  };

}

    # ensure all required lock files exist, but none more

    script = ''

      GLOBIGNORE="${lib.concatStringsSep ":" concurrencyLockfiles}"

      rm -f *

      rm -f -- *

      unset GLOBIGNORE

      xargs touch <<< "${toString concurrencyLockfiles}"

        cat key.pem fullchain.pem > full.pem

        # Group might change between runs, re-apply it

        chown '${user}:${data.group}' *

        chown '${user}:${data.group}' -- *

        # Default permissions make the files unreadable by group + anon

        # Need to be readable by group

        chmod 640 *

        chmod 640 -- *

      '';

    };

          expiration_line="$(

            set -euxo pipefail

            openssl x509 -noout -enddate <$pem \

            openssl x509 -noout -enddate <"$pem" \

                  | grep notAfter \

                  | sed -e 's/^notAfter=//'

          )"

          expiration_date="$(date -d "$expiration_line" +%s)"

          now="$(date +%s)"

          expiration_s=$[expiration_date - now]

          expiration_days=$[expiration_s / (3600 * 24)]   # rounds down

          expiration_s=$((expiration_date - now))

          expiration_days=$((expiration_s / (3600 * 24)))   # rounds down

          [[ $expiration_days -gt ${toString data.validMinDays} ]]

        }

        # Check if we can renew.

        # We can only renew if the list of domains has not changed.

        # We also need an account key. Avoids #190493

        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' -a -e 'certificates/${keyName}.crt' -a -n "$(find accounts -name '${data.email}.key')" ]; then

        if cmp -s domainhash.txt certificates/domainhash.txt && [ -e 'certificates/${keyName}.key' ] && [ -e 'certificates/${keyName}.crt' ] && [ -n "$(find accounts -name '${data.email}.key')" ]; then

          # Even if a cert is not expired, it may be revoked by the CA.

          # Try to renew, and silently fail if the cert is not expired.

    with subtest("binary should report the correct version"):

        pkgver = "${pkgs.atop.version}"

        ver = re.sub(r'(?s)^Version: (\d\.\d\.\d).*', r'\1', machine.succeed("atop -V"))

        ver = re.sub(r'(?s)^Version: (\d+\.\d+\.\d+).*', r'\1', machine.succeed("atop -V"))

        assert ver == pkgver, f"Version is `{ver}`, expected `{pkgver}`"

  '';

  atoprc = contents:

          machine.fail("type -p atopgpud")

    '';

};

meta = {

  timeout = 600;

};

in

{

  justThePackage = makeTest {

      (netatop false)

      (atopgpu false)

    ];

    inherit meta;

  };

  defaults = makeTest {

    name = "atop-defaults";

      (netatop false)

      (atopgpu false)

    ];

    inherit meta;

  };

  minimal = makeTest {

    name = "atop-minimal";

      (netatop false)

      (atopgpu false)

    ];

    inherit meta;

  };

  netatop = makeTest {

    name = "atop-netatop";

      (netatop true)

      (atopgpu false)

    ];

    inherit meta;

  };

  atopgpu = makeTest {

    name = "atop-atopgpu";

      (netatop false)

      (atopgpu true)

    ];

    inherit meta;

  };

  everything = makeTest {

    name = "atop-everything";

      (netatop true)

      (atopgpu true)

    ];

    inherit meta;

  };

}

    # system one. Overriding this pretty bad default behaviour.

    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

    echo "jamy-password" | toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"

    toot --debug login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test" -p "jamy-password"

    echo "Login OK"

    # Send a toot then verify it's part of the public timeline

    client = { nodes, pkgs, config, ... }: {

      security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];

      networking.extraHosts = hosts nodes;

      environment.systemPackages = with pkgs; [

      environment.systemPackages = [

        pkgs.toot

        send-toot

      ];

      security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];

      networking.extraHosts = hosts nodes;

      networking.firewall.enable = false;

      environment.systemPackages = with pkgs; [

      environment.systemPackages = [

        provision-db

        provision-secrets

        provision-user

  testScript = { nodes, ... }: ''

    pleroma.wait_for_unit("postgresql.service")

    pleroma.succeed("provision-db")

    pleroma.wait_for_file("/var/lib/pleroma")

    pleroma.succeed("provision-secrets")

    pleroma.systemctl("restart pleroma.service")

    pleroma.wait_for_unit("pleroma.service")

    pleroma.succeed("provision-user")

    client.succeed("send-toot")

  '';

  meta.timeout = 600;

})