From d3b7e8c432e073d4aa1805cbc57158407564952a Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Fri, 23 Sep 2022 09:03:57 +0200
Subject: [PATCH 1/2] revert "tests: disable `nixosSearch`"

---
 .cirrus.yml       | 1 +
 README.md         | 2 ++
 test/run-tests.sh | 5 -----
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index 207b534..430078f 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -35,6 +35,7 @@ task:
     - name: flake
       build_script:
         - nix flake check
+        - ./test/nixos-search/ci-test.sh
 
     - name: shellcheck
       build_script:
diff --git a/README.md b/README.md
index a282146..75147e3 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,8 @@ Hint: To show a table of contents, click the button (![Github TOC button](docs/i
 top left corner of the documents.
 
 <!-- TODO-EXTERNAL: -->
+<!-- Change query to `nix-bitcoin` when upstream search has been fixed -->
+* [NixOS options search](https://search.nixos.org/flakes?channel=unstable&sort=relevance&type=options&query=bitcoin)
 * [Hardware requirements](docs/hardware.md)
 * [Installation](docs/install.md)
 * [Configuration and maintenance](docs/configuration.md)
diff --git a/test/run-tests.sh b/test/run-tests.sh
index 9bf0b05..b380853 100755
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@@ -275,11 +275,6 @@ flake() {
 
 # Test generating module documentation for search.nixos.org
 nixosSearch() {
-    # TODO-EXTERNAL:
-    # Remove this when nixos-search has been fixed
-    echo "Skipping test nixosSearch"
-    return
-
     if ! checkFlakeSupport "nixosSearch"; then return; fi
 
     if [[ $_nixBitcoinInCopiedSrc ]]; then

From 277510c7ee4acf0f2bc69eb3cd867d18d5aca41d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Fri, 23 Sep 2022 09:03:58 +0200
Subject: [PATCH 2/2] tests: run flake-info in sandbox

Don't use sandboxing in Cirrus CI where namespace support is missing.
---
 test/nixos-search/flake-info-sandboxed.sh | 44 +++++++++++++++++++++++
 test/run-tests.sh                         |  3 +-
 2 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100755 test/nixos-search/flake-info-sandboxed.sh

diff --git a/test/nixos-search/flake-info-sandboxed.sh b/test/nixos-search/flake-info-sandboxed.sh
new file mode 100755
index 0000000..cb7d727
--- /dev/null
+++ b/test/nixos-search/flake-info-sandboxed.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Run flake-info for the nix-bitcoin flake in a sandbox:
+# - Adds a consistent, reproducible runtime environment
+# - Removes the need to trust the flake-info binary
+#
+# Use bubblewrap instead of a sandboxed Nix build so that we don't have to copy
+# the whole repo to the sandbox when running this test.
+
+cd "${BASH_SOURCE[0]%/*}"
+
+nbFlake=$(realpath ../..)
+
+# shellcheck disable=SC2016
+PATH=$(nix shell -L .#{flake-info,bubblewrap} -c sh -c 'echo $PATH')
+
+tmpDir=$(mktemp -d /tmp/nix-bitcoin-flake-info.XXX)
+trap 'rm -rf $tmpDir' EXIT
+
+echo '
+experimental-features = nix-command flakes
+flake-registry = /dev/null
+' > "$tmpDir/nix.conf"
+
+echo "Running flake-info (nixos-search)"
+
+bwrap \
+  --unshare-all \
+  --clearenv \
+  --setenv PATH "$PATH" \
+  --setenv NIX_PATH "$NIX_PATH" \
+  --bind "$tmpDir" / \
+  --proc /proc \
+  --dev /dev \
+  --tmpfs /tmp \
+  --ro-bind "$nbFlake" "$nbFlake" \
+  --ro-bind /nix /nix \
+  --ro-bind /etc /etc \
+  --tmpfs /etc/nix \
+  --ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
+  --ro-bind /usr /usr \
+  --ro-bind-try /run /run \
+  -- flake-info flake "$nbFlake"
diff --git a/test/run-tests.sh b/test/run-tests.sh
index b380853..f33792d 100755
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@@ -286,8 +286,7 @@ nixosSearch() {
         # Add gcroots for flake-info
         nix build "$scriptDir/nixos-search#flake-info" -o "$outLinkPrefix-flake-info"
     fi
-    echo "Running flake-info (nixos-search)"
-    nix run "$scriptDir/nixos-search#flake-info" -- flake "$scriptDir/.."
+    "$scriptDir/nixos-search/flake-info-sandboxed.sh"
 }
 
 # A basic subset of tests to keep the total runtime within