
Add nix build environment and tests #1367

Open
makefu wants to merge 14 commits into FuzzyGrim:dev from makefu:dev


@makefu makefu commented Apr 20, 2026

This pull request adds the capability to build, configure and run yamtrack with nix. The nix configuration includes a module definition for easily setting up yamtrack on NixOS systems. Additionally, the configuration defines VM Integration Tests (think vagrant + tests), which make it easy to check whether yamtrack runs as a service and which test real interaction.
The PR includes tests to be run by GitHub CI; I can remove them if uncertain.

Summary

  • Add flake.nix with Yamtrack package, NixOS module, and VM tests
  • NixOS module provides gunicorn, celery worker, celery beat services
    • Supports both SQLite (default) and PostgreSQL (via Unix socket)
    • Supports nginx module configuration
  • Unit tests run in nix sandbox with mocked external APIs
  • `nix run .#run-tests` for full test suite with real API access
  • GitHub CI job for nix checks

Tests run

  • `nix build .#default` passes
  • `nix build .#checks.x86_64-linux.yamtrack-unit-tests` passes (460+ tests)
  • `nix build .#checks.x86_64-linux.yamtrack-sqlite` VM test passes
  • `nix build .#checks.x86_64-linux.yamtrack-nginx` VM test passes with nginx integration
  • `nix build .#checks.x86_64-linux.yamtrack-postgresql` VM test passes with postgres integration
  • `nix run .#run-tests` runs real API tests with network access

makefu added 11 commits April 20, 2026 21:20
Add a flake.nix to build the complete application with
[nix](https://nixos.org/).

Package the Django application with all Python dependencies,
collectstatic at build time, and a yamtrack-manage wrapper script.

django-select2 and django-health-check are built from PyPI since
nixpkgs versions are too old or missing.

The settings.py is patched at build time to support a configurable
DB_PATH for SQLite and to guard the mkdir call in read-only /nix/store.

Provides services.yamtrack with gunicorn, celery worker, and celery
beat as separate systemd services. Supports SQLite (default) and
PostgreSQL via Unix socket with database.createLocally option.

Redis is provisioned automatically for caching and Celery broker.
The secretKeyFile option wires Django's SECRET_KEY via env var.

Add 460+ unit tests that run inside the nix sandbox without network
access. External API calls (TMDB, TVDB, MAL, etc.) are mocked via
nix/conftest.py which intercepts services.get_media_metadata and
services.search with realistic fixture data.

Tests that require real network (provider tests, import tests,
webhook tests, Playwright integration) are excluded from the
sandboxed check and available via `nix run .#run-tests` instead.

Two integration tests that boot a full NixOS VM and verify that
yamtrack starts correctly with each database backend:

- yamtrack-sqlite: default configuration with SQLite + Redis
- yamtrack-postgresql: PostgreSQL via Unix socket + Redis

Both tests wait for gunicorn, celery worker, then check the login
page and /health/ endpoint (which validates DB, cache, and celery).

Run the browser-based Playwright tests inside a NixOS VM without
internet access. All external API calls are mocked with realistic
fixture data for Breaking Bad (TMDB 1396) and Perfect Blue (MAL 437)
matching the exact values the tests assert (62 episodes, S1E1 air
date 2008-01-20, etc.).

The VM gets 2048MB for headless Chromium and uses a dedicated
conftest_playwright.py that also disables allauth's IP header
check which conflicts with StaticLiveServerTestCase.

Add a header comment to flake.nix listing every exported package,
check, app, and NixOS module option for discoverability.

Run the sandboxed unit tests via nix build on every PR and push.
VM tests are excluded since GitHub runners lack KVM support.

Document standalone usage with nix run, NixOS module configuration
with SQLite and PostgreSQL examples, and how to run the test suite.

Validate the flake evaluates correctly and the package builds
before running unit tests. This catches packaging regressions
like broken dependencies or collectstatic failures early.

VM tests (sqlite, postgresql, playwright) are excluded since
GitHub runners lack KVM support.

Add pytest-rerunfailures and pytest-timeout to the Playwright VM
test and run-tests script. These suites are prone to transient
failures from browser timing (Playwright) and external API
availability (run-tests with real network).

Configuration: 5 retries with 10s delay between attempts, 120s
per-test timeout. Not applied to sandboxed unit tests which use
mocks and should never be flaky.

The module gains configureNginx, hostName, and trustedOrigins options
so users can deploy behind nginx with static file serving and proper
CSRF handling out of the box.

VM tests now exercise the full user journey (login, create entry,
verify listing) for sqlite, postgresql, and the new nginx setup,
replacing the minimal health-check-only tests that missed real
integration bugs.
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces Nix support for Yamtrack, providing a flake for reproducible builds, a NixOS service module, and a comprehensive test suite including sandboxed unit tests and NixOS VM integration tests. The feedback focuses on improving the NixOS module's security by restricting ALLOWED_HOSTS, enhancing compatibility for SSL/TLS in trustedOrigins, and optimizing Gunicorn's timeout settings. Additionally, improvements to test isolation and documentation for deselected tests were suggested.

Comment thread nix/module.nix Outdated
Comment thread nix/module.nix Outdated
Comment thread nix/module.nix Outdated
Comment thread nix/tests.nix Outdated
Comment thread nix/tests.nix Outdated

The extraConfig proxy_set_header directives duplicated headers already
provided by nixpkgs' recommendedProxySettings, causing nginx to send
"Host: track.euer,track.euer" which Django rejects per RFC 1034/1035.

Remove the redundant headers and explicitly enable recommendedProxySettings
to make the dependency clear.
makefu added a commit to makefu/Yamtrack that referenced this pull request Apr 21, 2026
Address review feedback from PR FuzzyGrim#1367:

- Set ALLOWED_HOSTS to cfg.hostName when configured, preventing Host
  header injection attacks (Django defaults to wildcard '*' otherwise)
- Include both http:// and https:// schemes in trustedOrigins when
  configureNginx is enabled, so CSRF validation works when SSL/TLS
  is configured via ACME
- Reduce gunicorn timeout from 200s to 60s to prevent worker
  exhaustion from hanging requests
makefu added 2 commits April 21, 2026 07:25
Address review feedback from PR FuzzyGrim#1367:

- Set ALLOWED_HOSTS to cfg.hostName when configured, preventing Host
  header injection attacks (Django defaults to wildcard '*' otherwise)
- Include both http:// and https:// schemes in trustedOrigins when
  configureNginx is enabled, so CSRF validation works when SSL/TLS
  is configured via ACME
- Reduce gunicorn timeout from 200s to 60s to prevent worker
  exhaustion from hanging requests

Address review feedback and expand sandboxed test coverage:

- Use ./test-root instead of /tmp/yamtrack-test for better isolation
  within the nix build sandbox
- Re-enable all 7 import test files (anilist, goodreads, hltb, imdb,
  mal, simkl, yamtrack) by extending conftest.py with mocks for
  tmdb.find, tmdb.get_image_url, tmdb.tv_with_seasons, tmdb.movie,
  mal.anime, and a search mock returning plausible results
- Add comments documenting why each test is ignored or deselected:
  integration tests need Playwright, provider tests validate real API
  responses, webhook tests need TVDB+anime mapping, and individual
  deselects target tests asserting exact API metadata
Author

makefu commented Apr 21, 2026

I tried to incorporate all proposals of the LLM, ready for re-review :)
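
The Host header behaviour described in the commits above (the comma-joined `Host: track.euer,track.euer` that Django rejects, and ALLOWED_HOSTS restricted to cfg.hostName instead of `'*'`) can be checked offline with the sketch below. It is an added example, not code from this PR or from Django: it reimplements the shape of Django's host check with the standard library only, and the function names and sample headers are constructed for illustration.

```python
import re

# Same shape as the pattern Django applies to a Host header: a DNS-style
# name or bracketed IPv6 literal, optionally followed by ":port".
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::[0-9]+)?$")


def split_host(header):
    """Return the lowercased domain, or None if the header is malformed."""
    m = HOST_RE.match(header.lower())
    if not m:
        return None
    domain = m.group(1)
    return domain[:-1] if domain.endswith(".") else domain


def pattern_matches(domain, pattern):
    """'*' matches anything; '.example.org' matches the domain and subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def host_allowed(header, allowed_hosts):
    domain = split_host(header)
    if domain is None:
        return False  # malformed: rejected before ALLOWED_HOSTS is consulted
    return any(pattern_matches(domain, p) for p in allowed_hosts)


# Constructed sample headers (hypothetical values for illustration).
SAMPLES = [
    "track.euer",             # what a correctly configured proxy forwards
    "track.euer:8000",        # port is stripped before matching
    "track.euer,track.euer",  # duplicated proxy_set_header Host
    "attacker.invalid",       # Host chosen by the client
]


def report(allowed_hosts):
    """Map each sample header to True (accepted) or False (rejected)."""
    return {h: host_allowed(h, allowed_hosts) for h in SAMPLES}


if __name__ == "__main__":
    for label, allowed in (("wildcard", ["*"]), ("hostName", ["track.euer"])):
        for header, ok in report(allowed).items():
            print(f"{label:9} {header!r:28} {'accept' if ok else 'reject'}")
```

The duplicated header fails under both settings because it is not a syntactically valid host, while the client-chosen host is only rejected once ALLOWED_HOSTS names the deployment's host.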
