nixos/tests/netbox-upgrade: don't require NIXPKGS_ALLOW_INSECURE

Before this change, this NetBox test required NIXPKGS_ALLOW_INSECURE=1, because of its use of the end-of-line NetBox version. This meant that the GitHub CI failed to evaluate the tests, and so didn't run them.
2026-01-12 02:40:31 +08:00 · 2025-04-23 15:29:46 +02:00
parent 2d0fdeb0d7
commit e152cef13d
1 changed files with 19 additions and 16 deletions
--- a/nixos/tests/web-apps/netbox-upgrade.nix
+++ b/nixos/tests/web-apps/netbox-upgrade.nix
@@ -1,8 +1,18 @@
 import ../make-test-python.nix (
  { lib, pkgs, ... }:
  let
-    oldNetbox = pkgs.netbox_4_1;
-    newNetbox = pkgs.netbox_4_2;
+    oldNetbox = "netbox_4_1";
+    newNetbox = "netbox_4_2";
+
+    apiVersion =
+      version:
+      lib.pipe version [
+        (lib.splitString ".")
+        (lib.take 2)
+        (lib.concatStringsSep ".")
+      ];
+    oldApiVersion = apiVersion pkgs."${oldNetbox}".version;
+    newApiVersion = apiVersion pkgs."${newNetbox}".version;
  in
  {
    name = "netbox-upgrade";
@@ -15,12 +25,14 @@ import ../make-test-python.nix (
    };

    nodes.machine =
-      { config, ... }:
+      { config, pkgs, ... }:
      {
        virtualisation.memorySize = 2048;
        services.netbox = {
          enable = true;
-          package = oldNetbox;
+          # Pick the NetBox package from this config's "pkgs" argument,
+          # so that `nixpkgs.config.permittedInsecurePackages` works
+          package = pkgs."${oldNetbox}";
          secretKeyFile = pkgs.writeText "secret" ''
            abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
          '';
@@ -42,22 +54,13 @@ import ../make-test-python.nix (

        networking.firewall.allowedTCPPorts = [ 80 ];

-        specialisation.upgrade.configuration.services.netbox.package = lib.mkForce newNetbox;
+        nixpkgs.config.permittedInsecurePackages = [ pkgs."${oldNetbox}".name ];
+
+        specialisation.upgrade.configuration.services.netbox.package = lib.mkForce pkgs."${newNetbox}";
      };

    testScript =
      { nodes, ... }:
-      let
-        apiVersion =
-          version:
-          lib.pipe version [
-            (lib.splitString ".")
-            (lib.take 2)
-            (lib.concatStringsSep ".")
-          ];
-        oldApiVersion = apiVersion oldNetbox.version;
-        newApiVersion = apiVersion newNetbox.version;
-      in
      ''
        start_all()
        machine.wait_for_unit("netbox.target")