add almost complete valgrind support to complement

Signed-off-by: June Clementine Strawberry <strawberry@puppygock.gay>

nix/pkgs/complement/config.toml

@@ -17,19 +17,30 @@ ip_range_denylist = []
 url_preview_domain_contains_allowlist = ["*"]
 url_preview_domain_explicit_denylist = ["*"]
 media_compat_file_link = false
-media_startup_check = false
-prune_missing_media = false
+media_startup_check = true
+prune_missing_media = true
 log_colors = false
 admin_room_notices = false
 allow_check_for_updates = false
-allow_unstable_room_versions = true
 rocksdb_log_level = "debug"
 rocksdb_max_log_files = 1
 rocksdb_recovery_mode = 0
 rocksdb_paranoid_file_checks = true
 log_guest_registrations = false
 allow_legacy_media = true
-startup_netburst = false
+startup_netburst = true
+
+# valgrind makes things so slow
+dns_timeout = 60
+dns_attempts = 20
+request_conn_timeout = 60
+request_timeout = 120
+well_known_conn_timeout = 60
+well_known_timeout = 60
+federation_idle_timeout = 300
+sender_timeout = 300
+sender_idle_timeout = 300
+sender_retry_backoff_limit = 300
 
 [global.tls]
 certs = "/certificate.crt"

nix/pkgs/complement/default.nix

@@ -9,19 +9,22 @@
 , openssl
 , stdenv
 , tini
+, valgrind
 , writeShellScriptBin
 }:
 
 let
   main' = main.override {
-    profile = "test";
+    #profile = "test";
+    profile = "release-debuginfo";
     all_features = true;
     disable_release_max_log_level = true;
     disable_features = [
-        # no reason to use jemalloc for complement, just has compatibility/build issues
         "jemalloc"
         "jemalloc_stats"
         "jemalloc_prof"
+        "jemalloc_conf"
+        "io_uring"
         # console/CLI stuff isn't used or relevant for complement
         "console"
         "tokio_console"
@@ -29,7 +32,7 @@ let
         "sentry_telemetry"
         "perf_measurements"
         # the containers don't use or need systemd signal support
-        "systemd"
+        #"systemd"
         # this is non-functional on nix for some reason
         "hardened_malloc"
         # dont include experimental features
@@ -44,8 +47,50 @@ let
         "url_preview"
     ];
   };
+        # TODO: figure out why a suspicious amounnt of complement tests fail with valgrind only under complement.
+        # maybe issue with direct TLS mode?
+        #${lib.getExe' valgrind "valgrind"} \
+        #--leak-check=no \
+        #--undef-value-errors=no \
+        #--exit-on-first-error=yes \
+        #--error-exitcode=1 \
 
-  start = writeShellScriptBin "start" ''
+  # valgrind only works in non-static ocntexts
+  start = if !stdenv.hostPlatform.isStatic then writeShellScriptBin "start" ''
+    set -euxo pipefail
+
+    ${lib.getExe openssl} genrsa -out private_key.key 2048
+    ${lib.getExe openssl} req \
+      -new \
+      -sha256 \
+      -key private_key.key \
+      -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$SERVER_NAME" \
+      -out signing_request.csr
+    cp ${./v3.ext} v3.ext
+    echo "DNS.1 = $SERVER_NAME" >> v3.ext
+    echo "IP.1 = $(${lib.getExe gawk} 'END{print $1}' /etc/hosts)" \
+      >> v3.ext
+    ${lib.getExe openssl} x509 \
+      -req \
+      -extfile v3.ext \
+      -in signing_request.csr \
+      -CA /complement/ca/ca.crt \
+      -CAkey /complement/ca/ca.key \
+      -CAcreateserial \
+      -out certificate.crt \
+      -days 1 \
+      -sha256
+
+    ${lib.getExe' coreutils "env"} \
+      CONDUWUIT_SERVER_NAME="$SERVER_NAME" \
+      TMPDIR="/" \
+        ${lib.getExe' valgrind "valgrind"} \
+          --leak-check=no \
+          --undef-value-errors=no \
+          --exit-on-first-error=yes \
+          --error-exitcode=1 \
+            ${lib.getExe main'}
+  '' else writeShellScriptBin "start" ''
     set -euxo pipefail
 
     ${lib.getExe openssl} genrsa -out private_key.key 2048
@@ -90,6 +135,7 @@ dockerTools.buildImage {
       coreutils
       main'
       start
+      valgrind
     ];
   };