nixos/public-inbox: test confinement

2025-01-24 11:27:27 +01:00 · 2025-01-24 11:27:27 +01:00 · bbb68bef2e
commit bbb68bef2e
parent 69b606d103
1 changed files with 6 additions and 0 deletions
--- a/nixos/tests/public-inbox.nix
+++ b/nixos/tests/public-inbox.nix
@ -183,6 +183,12 @@ import ./make-test-python.nix (
    testScript = ''
      start_all()

+      # The threshold and/or hardening may have to be changed with new features/checks
+      with subtest("systemd hardening thresholds"):
+        print(machine.succeed("systemd-analyze security public-inbox-httpd.service --threshold=5 --no-pager"))
+        print(machine.succeed("systemd-analyze security public-inbox-imapd.service --threshold=5 --no-pager"))
+        print(machine.succeed("systemd-analyze security public-inbox-nntpd.service --threshold=4 --no-pager"))
+
      machine.wait_for_unit("multi-user.target")
      machine.wait_for_unit("public-inbox-init.service")