logrotate: add logrotate-checkconf.service

the build-time check is not safe (e.g. doesn't protect from bad users or nomissingok
paths missing), so add a new unit for configuration switch time check

1 files changed, 20 insertions, 0 deletions

diff --git a/nixos/tests/logrotate.nix b/nixos/tests/logrotate.nix
index 31592f0a39c58..b0685f3af9ff1 100644
--- a/nixos/tests/logrotate.nix
+++ b/nixos/tests/logrotate.nix
@@ -17,6 +17,12 @@ import ./make-test-python.nix ({ pkgs, ... }: rec {
 
   nodes = {
     defaultMachine = { ... }: { };
+    failingMachine = { ... }: {
+      services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
+        # self-written config file
+        su notarealuser notagroupeither
+      '';
+    };
     machine = { config, ... }: {
       imports = [ importTest ];
 
@@ -128,5 +134,19 @@ import ./make-test-python.nix ({ pkgs, ... }: rec {
               "[[ $(sed -ne '/\"compat_keep\" {/,/}/p' /tmp/logrotate.conf | grep -w rotate) = \"  rotate 1\" ]]",
               "! sed -ne '/\"compat_keep\" {/,/}/p' /tmp/logrotate.conf | grep -w keep",
           )
+          # also check configFile option
+          failingMachine.succeed(
+              "conf=$(systemctl cat logrotate | grep -oE '/nix/store[^ ]*logrotate.conf'); cp $conf /tmp/logrotate.conf",
+              "grep 'self-written config' /tmp/logrotate.conf",
+          )
+      with subtest("Check logrotate-checkconf service"):
+          machine.wait_for_unit("logrotate-checkconf.service")
+          # wait_for_unit also asserts for success, so wait for
+          # parent target instead and check manually.
+          failingMachine.wait_for_unit("multi-user.target")
+          info = failingMachine.get_unit_info("logrotate-checkconf.service")
+          if info["ActiveState"] != "failed":
+              raise Exception('logrotate-checkconf.service was not failed')
+
     '';
 })