From 23fce946eba82434900e95c4ca13bc575932b014 Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe Date: Thu, 6 Nov 2025 15:31:03 +0100 Subject: [PATCH] gnu: tests: Fix fail2ban tests. As discussed here: https://github.com/fail2ban/fail2ban/issues/1593, the monitored file has to be present before the fail2ban service starts. Create this file in a dedicated activation service. * gnu/tests/security.scm (%auth-log-activation-service): New variable. (run-fail2ban-basic-test, run-fail2ban-simple-test) (run-fail2ban-extension-test): Use it. Fixes: guix/guix#3645 Change-Id: Ic12891cc5438abbd041ceb19e1d22dae51c7c848 --- gnu/tests/security.scm | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/gnu/tests/security.scm b/gnu/tests/security.scm index 93cbe4a9772394295c80f23116e3c7c023fa6cec..8887396b89b1f9fd5380e5bdcd463d3874c79a7e 100644 --- a/gnu/tests/security.scm +++ b/gnu/tests/security.scm @@ -97,6 +97,17 @@ (gexp->derivation test-name test))) +;; The /var/log/secure file that is monitored by fail2ban has to be present +;; before the service starts. This limitation is discussed here: +;; https://github.com/fail2ban/fail2ban/issues/1593. +(define %auth-log-activation-service + (simple-service 'create-authlog-file + activation-service-type + #~(begin + (call-with-output-file "/var/log/secure" + (lambda (port) + (display "" port)))))) + (define run-fail2ban-basic-test (fail2ban-test "fail2ban-basic-test" @@ -121,12 +132,14 @@ (define run-fail2ban-simple-test (fail2ban-test - "fail2ban-basic-test" + "fail2ban-simple-test" (simple-operating-system - (service fail2ban-service-type (fail2ban-configuration - (jails (list (fail2ban-jail-configuration - (name "sshd"))))))) + %auth-log-activation-service + (service fail2ban-service-type + (fail2ban-configuration + (jails (list (fail2ban-jail-configuration + (name "sshd"))))))) (test-equal "fail2ban sshd jail running status output" '("Status for the jail: sshd" 
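Review bot: `%auth-log-activation-service` creates the monitored file with `call-with-output-file`, which truncates `/var/log/secure` when it already exists and leaves its mode to whatever umask the activation script runs under. That is harmless in a freshly booted test VM. If the snippet is copied into a real system configuration, where activation presumably also runs on reconfigure, it would empty the authentication log that fail2ban reads and could leave it more widely readable than a file created by syslogd. Opening in append mode and setting the mode explicitly avoids both: `(close-port (open-file "/var/log/secure" "a"))` followed by `(chmod "/var/log/secure" #o640)`. The same service is added to the operating systems in the two later hunks, so the change carries over to them.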
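Review bot: The commit log lists `run-fail2ban-basic-test` as using the new service, but no visible hunk touches that definition; the three hunks shown account for all 22 insertions and 6 deletions in the diffstat. If the basic test configures no jail it may not need the file, and the log entry should drop it; otherwise `%auth-log-activation-service` is missing from its operating system. This hunk also renames the test's name string from "fail2ban-basic-test" to "fail2ban-simple-test" without recording it, which a line such as `(run-fail2ban-simple-test): Fix test name.` would cover. The body of `run-fail2ban-simple-test` continues past the end of the hunk.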
@@ -175,8 +188,11 @@ "fail2ban-extension-test" (simple-operating-system - (service (fail2ban-jail-service openssh-service-type (fail2ban-jail-configuration - (name "sshd") (enabled? #t))) + %auth-log-activation-service + (service (fail2ban-jail-service openssh-service-type + (fail2ban-jail-configuration + (name "sshd") + (enabled? #t))) (openssh-configuration)) (service static-networking-service-type (list %qemu-static-networking)))