servarr: add configXml option with preStart hook

Adds services.arrInit.<name>.configXml for declaratively ensuring XML elements exist in a Servarr config.xml before the service starts. Generates a preStart hook on the main service that runs a Python helper to patch or create config.xml. Undeclared elements are preserved; declared elements are written with exact values. Primary use case: preventing recurring Prowlarr 'not listening on port' failures when config.xml loses the <Port> element — now guaranteed to exist before Prowlarr starts. Hardening: - Atomic writes (tmp + rename): power loss cannot corrupt config.xml - Malformed XML recovery: fresh <Config> root instead of blocking boot - Secure default mode (0600) for new files containing ApiKey - Preserves existing file mode on rewrite - Assertion against duplicate serviceName targeting Tests (10 subtests): creates-from-missing, patches-existing, preserves- undeclared, corrects-tampered, idempotent, malformed-recovery, ownership-preserved, not-world-readable.
2026-04-17 00:38:32 -04:00
parent a1ae022dc3
commit 6dde2a3e0d
14 changed files with 684 additions and 212 deletions
--- a/tests/permanent-failure.nix
+++ b/tests/permanent-failure.nix
@@ -1,59 +1,71 @@
-{ pkgs, lib, self }:
+{
+  pkgs,
+  lib,
+  self,
+}:
 pkgs.testers.runNixOSTest {
  name = "arr-init-permanent-failure";
-  nodes.machine = { pkgs, lib, ... }: {
-    imports = [ self.nixosModules.default ];
-    system.stateVersion = "24.11";
-    virtualisation.memorySize = 2048;
-    environment.systemPackages = with pkgs; [ curl jq gnugrep ];
+  nodes.machine =
+    { pkgs, lib, ... }:
+    {
+      imports = [ self.nixosModules.default ];
+      system.stateVersion = "24.11";
+      virtualisation.memorySize = 2048;
+      environment.systemPackages = with pkgs; [
+        curl
+        jq
+        gnugrep
+      ];

-    # Mock that always returns 503
-    systemd.services.mock-sonarr = let
-      mockScript = pkgs.writeScript "mock-sonarr-fail.py" ''
-        from http.server import HTTPServer, BaseHTTPRequestHandler
+      # Mock that always returns 503
+      systemd.services.mock-sonarr =
+        let
+          mockScript = pkgs.writeScript "mock-sonarr-fail.py" ''
+            from http.server import HTTPServer, BaseHTTPRequestHandler

-        class FailMock(BaseHTTPRequestHandler):
-            def do_GET(self):
-                self.send_response(503)
-                self.send_header("Content-Type", "text/plain")
-                self.end_headers()
-                self.wfile.write(b"Service Unavailable")
+            class FailMock(BaseHTTPRequestHandler):
+                def do_GET(self):
+                    self.send_response(503)
+                    self.send_header("Content-Type", "text/plain")
+                    self.end_headers()
+                    self.wfile.write(b"Service Unavailable")

-            def do_POST(self):
-                self.do_GET()
+                def do_POST(self):
+                    self.do_GET()

-            def log_message(self, format, *args):
-                pass
+                def log_message(self, format, *args):
+                    pass

-        HTTPServer(("0.0.0.0", 8989), FailMock).serve_forever()
-      '';
-    in {
-      description = "Mock Sonarr that never becomes ready";
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        ExecStart = "${pkgs.python3}/bin/python3 ${mockScript}";
-        Type = "simple";
+            HTTPServer(("0.0.0.0", 8989), FailMock).serve_forever()
+          '';
+        in
+        {
+          description = "Mock Sonarr that never becomes ready";
+          wantedBy = [ "multi-user.target" ];
+          serviceConfig = {
+            ExecStart = "${pkgs.python3}/bin/python3 ${mockScript}";
+            Type = "simple";
+          };
+        };
+
+      # Pre-seed config.xml
+      systemd.tmpfiles.rules = [
+        "d /var/lib/mock-sonarr 0755 root root -"
+        "f /var/lib/mock-sonarr/config.xml 0644 root root - <Config><ApiKey>test-api-key-fail</ApiKey></Config>"
+      ];
+
+      services.arrInit.sonarr = {
+        enable = true;
+        serviceName = "mock-sonarr";
+        dataDir = "/var/lib/mock-sonarr";
+        port = 8989;
+        # Very short timeout so retries happen fast
+        apiTimeout = 3;
      };
+
+      # Speed up retries for test
+      systemd.services.mock-sonarr-init.serviceConfig.RestartSec = lib.mkForce 2;
    };
-
-    # Pre-seed config.xml
-    systemd.tmpfiles.rules = [
-      "d /var/lib/mock-sonarr 0755 root root -"
-      "f /var/lib/mock-sonarr/config.xml 0644 root root - <Config><ApiKey>test-api-key-fail</ApiKey></Config>"
-    ];
-
-    services.arrInit.sonarr = {
-      enable = true;
-      serviceName = "mock-sonarr";
-      dataDir = "/var/lib/mock-sonarr";
-      port = 8989;
-      # Very short timeout so retries happen fast
-      apiTimeout = 3;
-    };
-
-    # Speed up retries for test
-    systemd.services.mock-sonarr-init.serviceConfig.RestartSec = lib.mkForce 2;
-  };
  testScript = ''
    start_all()
    machine.wait_for_unit("mock-sonarr.service")