nixpkgs/nixos/tests/dependency-track.nix
Julian Stecklina 5517b6f068 nixos/dependency-track: fix default JVM heap size
The default of 4GB is too low for a production setup and causes
DependencyTrack to hit java.lang.OutOfMemoryError. This leaves
Dependency Track in a degraded state where it throws 502 and
504 errors.

The initial 4GB was set to make Dependency Track run in the (too
small) VM in the NixOS integration test. Move the explicit heap
configuration there. For the service itself, we now don't set a limit.
This means the JVM will choose its maximum heap on its own, which does
a much better job for realistic scenarios.

I added a release note, because people who run Dependency Track on
very tiny VMs/machines may experience issues.
2025-07-16 12:16:49 +02:00


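{ pkgs, ... }:
let
  # Port Dependency-Track's API server listens on inside the test VM; the
  # same value is used by `wait_for_open_port` in the test script below.
  dependencyTrackPort = 8081;
in
{
  name = "dependency-track";

  meta = {
    maintainers = pkgs.lib.teams.cyberus.members;
  };

  nodes = {
    server =
      { pkgs, ... }:
      {
        # Dependency-Track is a JVM application; give the VM a bit more than
        # the default so the service can start at all.
        virtualisation = {
          cores = 2;
          diskSize = 4096;
          memorySize = 1024 * 2;
        };

        # curl is used by the test script to query the API and the frontend.
        environment.systemPackages = with pkgs; [ curl ];

        systemd.services.dependency-track = {
          # Pre-create empty NVD feed files with a far-future timestamp so the
          # service treats the feeds as already mirrored (presumably to avoid
          # feed downloads, which cannot succeed in the sandboxed test VM --
          # see the upstream script for the intent).
          # Adapted from:
          # https://github.com/DependencyTrack/dependency-track/blob/37e0ba59e8057c18a87a7a76e247a8f75677a56c/dev/scripts/data-nist-generate-dummy.sh
          #
          # Fix: the original loop used `seq "2024" "2002"`. With GNU seq,
          # FIRST > LAST and no negative INCREMENT prints nothing, so the loop
          # body never ran and no dummy files were created. Iterate ascending
          # instead; creation order does not matter.
          preStart = ''
            set -euo pipefail
            NIST_DIR="$HOME/.dependency-track/nist"
            rm -rf "$NIST_DIR"
            mkdir -p "$NIST_DIR"
            for feed in $(seq 2002 2024); do
              touch "$NIST_DIR/nvdcve-1.1-$feed.json.gz"
              echo "9999999999999" > "$NIST_DIR/nvdcve-1.1-$feed.json.gz.ts"
            done
          '';
        };

        services.dependency-track = {
          enable = true;
          # The Java VM defaults (correctly) to tiny heap on this tiny
          # VM, but that's not enough to start dependency-track.
          javaArgs = [ "-Xmx4G" ];
          port = dependencyTrackPort;
          nginx.domain = "localhost";
          # Test fixture only: `writeText` places the password in the
          # world-readable Nix store. A real deployment must point
          # `passwordFile` at a file outside the store.
          database.passwordFile = "${pkgs.writeText "dbPassword" ''hunter2'THE'''H''''E''}";
        };
      };
  };

  testScript =
    # python
    ''
      import json

      start_all()

      # Wait for the unit, then for the application's own readiness message,
      # then for the API port -- the unit being active does not mean the
      # JVM has finished starting up.
      server.wait_for_unit("dependency-track.service")
      server.wait_until_succeeds(
          "journalctl -o cat -u dependency-track.service | grep 'Dependency-Track is ready'"
      )
      server.wait_for_open_port(${toString dependencyTrackPort})

      with subtest("version api returns correct version"):
          version = json.loads(
              server.succeed("curl http://localhost/api/version")
          )
          assert version["version"] == "${pkgs.dependency-track.version}"

      with subtest("nginx serves frontend"):
          server.succeed("curl http://localhost/ | grep \"<title>Dependency-Track</title>\"")
    '';
}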