test(archsetup): port full shell validation sweep to Testinfra (P2)

Port all ~26 post-install checks from validation.sh to pytest/Testinfra,
reaching parity before the cutover. Adds test_users, test_packages,
test_services, test_desktop, test_boot, test_keyring, and test_archsetup
(88 tests after parametrizing groups, services, timers, tools, and configs),
plus shared conftest fixtures for ZFS/NVMe/compositor/networking gating.

The shell sweep's three outcomes map cleanly: hard failures become assertions,
advisory warnings and unmet preconditions (headless compositor, slirp
networking, optional services, non-ZFS/non-NVMe hosts) become skips.

One correctness fix vs the shell sweep: check awww, not swww — archsetup
installs awww (swww's successor) and `pacman -Q swww` no longer matches.

Verified on the host: py_compile clean, pytest --collect-only green (88 tests).
The sweep against a real VM is verified by the make test run that follows.

8 files changed, 417 insertions, 6 deletions

diff --git a/scripts/testing/tests/conftest.py b/scripts/testing/tests/conftest.py
index 00632b6..c805de9 100644
--- a/scripts/testing/tests/conftest.py
+++ b/scripts/testing/tests/conftest.py
@@ -70,3 +70,42 @@ def pytest_sessionfinish(session, exitstatus):
 def target_user():
     """The account archsetup created in the VM under test."""
     return os.environ.get("ARCHSETUP_TEST_USER", "cjennings")
+
+
+@pytest.fixture(scope="session")
+def home(target_user):
+    return "/home/%s" % target_user
+
+
+@pytest.fixture(scope="session")
+def zfs_root(host):
+    """True when the VM's root filesystem is ZFS (gates ZFS-specific checks)."""
+    return host.run("findmnt -n -o FSTYPE /").stdout.strip() == "zfs"
+
+
+@pytest.fixture(scope="session")
+def has_nvme(host):
+    """True when the VM exposes an NVMe device."""
+    return host.run("ls /dev/nvme0n1 2>/dev/null").rc == 0
+
+
+@pytest.fixture(scope="session")
+def hyprland_installed(host):
+    return host.package("hyprland").is_installed
+
+
+@pytest.fixture(scope="session")
+def dwm_installed(host):
+    return host.file("/usr/local/bin/dwm").exists
+
+
+@pytest.fixture(scope="session")
+def compositor_running(host):
+    """A graphical session is live (gates socket/portal checks that need one)."""
+    return host.run("pgrep -x Hyprland").rc == 0
+
+
+@pytest.fixture(scope="session")
+def on_slirp(host):
+    """QEMU user-mode networking (10.0.2.x) — no multicast, so mDNS can't work."""
+    return "10.0.2." in host.run("ip -4 addr show").stdout
diff --git a/scripts/testing/tests/test_archsetup.py b/scripts/testing/tests/test_archsetup.py
new file mode 100644
index 0000000..52fe3f7
--- /dev/null
+++ b/scripts/testing/tests/test_archsetup.py
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: archsetup's own log and state markers.
+
+Parity port of validate_archsetup_log and validate_state_markers.
+"""
+
+import pytest
+
+
+EXPECTED_STATE_STEPS = 12
+
+
+@pytest.mark.attribution("archsetup")
+def test_no_errors_in_archsetup_log(host):
+    out = host.run("grep -h '^Error:' /var/log/archsetup-*.log 2>/dev/null | wc -l")
+    count = int((out.stdout.strip() or "0"))
+    assert count == 0, "archsetup log reported %d Error: lines" % count
+
+
+@pytest.mark.attribution("archsetup")
+def test_all_install_steps_completed(host):
+    out = host.run("ls /var/lib/archsetup/state/ 2>/dev/null | wc -l")
+    count = int((out.stdout.strip() or "0"))
+    assert count >= EXPECTED_STATE_STEPS, (
+        "only %d/%d install steps completed" % (count, EXPECTED_STATE_STEPS)
+    )
diff --git a/scripts/testing/tests/test_boot.py b/scripts/testing/tests/test_boot.py
new file mode 100644
index 0000000..c8895ae
--- /dev/null
+++ b/scripts/testing/tests/test_boot.py
@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: boot, initramfs, and filesystem config.
+
+Parity port of validate_zfs_config, validate_boot_config,
+validate_mkinitcpio_hooks, validate_initramfs_consolefont, validate_nvme_module.
+Filesystem/hardware-specific checks are gated on fixtures.
+"""
+
+import pytest
+
+
+@pytest.mark.attribution("archsetup")
+def test_grub_config_exists(host):
+    assert host.file("/boot/grub/grub.cfg").exists
+
+
+@pytest.mark.attribution("archsetup")
+def test_mkinitcpio_hooks(host, zfs_root):
+    hooks = host.run("grep '^HOOKS=' /etc/mkinitcpio.conf").stdout
+    if zfs_root:
+        # ZFS must use the udev hook; the systemd hook breaks a ZFS boot.
+        assert " udev" in hooks or "(udev" in hooks, "ZFS root must use the udev hook"
+        assert "systemd" not in hooks, "ZFS root must not use the systemd hook"
+    else:
+        # Non-ZFS: either hook is acceptable.
+        assert ("systemd" in hooks) or ("udev" in hooks)
+
+
+@pytest.mark.attribution("archsetup")
+def test_console_font_in_initramfs(host):
+    out = host.run(
+        "lsinitcpio /boot/initramfs-linux.img 2>/dev/null | grep -cE 'consolefont.psf|ter-'"
+    )
+    assert int((out.stdout.strip() or "0")) > 0, "console font not found in initramfs"
+
+
+def test_nvme_module_when_nvme_present(host, has_nvme):
+    if not has_nvme:
+        pytest.skip("no NVMe device present")
+    modules = host.run("grep '^MODULES=' /etc/mkinitcpio.conf").stdout
+    assert "nvme" in modules, "NVMe system should list nvme in mkinitcpio MODULES"
+
+
+def test_zfs_has_sanoid(host):
+    if not host.exists("zfs"):
+        pytest.skip("ZFS not installed (non-ZFS system)")
+    assert host.exists("sanoid"), "ZFS system should have sanoid installed"
diff --git a/scripts/testing/tests/test_desktop.py b/scripts/testing/tests/test_desktop.py
new file mode 100644
index 0000000..53e54e1
--- /dev/null
+++ b/scripts/testing/tests/test_desktop.py
@@ -0,0 +1,98 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: window manager + desktop integration.
+
+Parity port of validate_window_manager and its Hyprland/DWM branches, plus
+validate_autologin_config. Hyprland and DWM checks are gated on which DE the
+run installed; socket/portal-query checks are gated on a live compositor (the
+headless test VM has none).
+
+Note: validate_hyprland_tools historically checked `swww`, but archsetup now
+installs `awww` (swww successor) and `pacman -Q swww` no longer matches — so
+this checks awww. That divergence from the shell sweep is a correctness fix.
+"""
+
+import pytest
+
+
+HYPRLAND_TOOLS = [
+    "hyprland", "hypridle", "hyprlock", "waybar", "fuzzel",
+    "awww", "grim", "slurp", "gammastep", "foot",
+]
+
+HYPRLAND_CONFIGS = [
+    ".config/hypr/hyprland.conf",
+    ".config/hypr/hypridle.conf",
+    ".config/hypr/hyprlock.conf",
+    ".config/waybar/config",
+    ".config/fuzzel/fuzzel.ini",
+    ".config/gammastep/config.ini",
+]
+
+SUCKLESS_TOOLS = ["dwm", "st", "dmenu", "slock"]
+
+PORTALS_CONF = ".config/xdg-desktop-portal/portals.conf"
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("pkg", HYPRLAND_TOOLS)
+def test_hyprland_tool_installed(host, hyprland_installed, pkg):
+    if not hyprland_installed:
+        pytest.skip("Hyprland not installed (DESKTOP_ENV != hyprland)")
+    assert host.package(pkg).is_installed, "%s missing" % pkg
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("rel", HYPRLAND_CONFIGS)
+def test_hyprland_config_present(host, hyprland_installed, home, rel):
+    if not hyprland_installed:
+        pytest.skip("Hyprland not installed (DESKTOP_ENV != hyprland)")
+    assert host.file("%s/%s" % (home, rel)).exists, "%s missing" % rel
+
+
+@pytest.mark.attribution("archsetup")
+def test_portal_settings_backend_not_disabled(host, hyprland_installed, home):
+    if not hyprland_installed:
+        pytest.skip("Hyprland not installed")
+    conf = host.file("%s/%s" % (home, PORTALS_CONF))
+    assert conf.exists, "portals.conf missing"
+    line = host.run(
+        "grep org.freedesktop.impl.portal.Settings %s" % conf.path
+    ).stdout
+    assert "=none" not in line.replace(" ", ""), "Settings portal disabled (=none)"
+
+
+def test_portal_returns_dark_mode(host, hyprland_installed, compositor_running, target_user):
+    if not hyprland_installed:
+        pytest.skip("Hyprland not installed")
+    if not compositor_running:
+        pytest.skip("no compositor running (headless) — portal query not applicable")
+    cmd = (
+        "sudo -u %s busctl --user call org.freedesktop.portal.Desktop "
+        "/org/freedesktop/portal/desktop org.freedesktop.portal.Settings Read "
+        "'ss' 'org.freedesktop.appearance' 'color-scheme'" % target_user
+    )
+    out = host.run(cmd).stdout
+    assert "u 1" in out, "Settings portal should report color-scheme=1 (dark)"
+
+
+def test_hyprland_socket(host, hyprland_installed, compositor_running):
+    if not hyprland_installed:
+        pytest.skip("Hyprland not installed")
+    if not compositor_running:
+        pytest.skip("Hyprland not running (headless) — socket check not applicable")
+    assert host.run("test -S /tmp/hypr/*/.socket.sock").rc == 0
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("tool", SUCKLESS_TOOLS)
+def test_suckless_tool_installed(host, dwm_installed, tool):
+    if not dwm_installed:
+        pytest.skip("DWM not installed (DESKTOP_ENV != dwm)")
+    assert host.file("/usr/local/bin/%s" % tool).exists, "%s missing" % tool
+
+
+def test_autologin_configured(host):
+    conf = host.file("/etc/systemd/system/getty@tty1.service.d/autologin.conf")
+    if not conf.exists:
+        pytest.skip("autologin not configured (AUTOLOGIN=no, may be intentional)")
+    assert conf.exists
diff --git a/scripts/testing/tests/test_keyring.py b/scripts/testing/tests/test_keyring.py
new file mode 100644
index 0000000..99d322d
--- /dev/null
+++ b/scripts/testing/tests/test_keyring.py
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: gnome-keyring pre-configuration.
+
+Parity port of validate_gnome_keyring_setup: the keyrings dir must exist, be
+mode 700, owned by the user, with the default keyring set to "login".
+"""
+
+import pytest
+
+
+@pytest.fixture(scope="session")
+def keyring_dir(home):
+    return "%s/.local/share/keyrings" % home
+
+
+@pytest.mark.attribution("archsetup")
+def test_keyring_dir_exists(host, keyring_dir):
+    assert host.file(keyring_dir).is_directory
+
+
+@pytest.mark.attribution("archsetup")
+def test_keyring_dir_mode_700(host, keyring_dir):
+    assert host.file(keyring_dir).mode == 0o700
+
+
+@pytest.mark.attribution("archsetup")
+def test_keyring_dir_owned_by_user(host, keyring_dir, target_user):
+    assert host.file(keyring_dir).user == target_user
+
+
+@pytest.mark.attribution("archsetup")
+def test_default_keyring_is_login(host, keyring_dir):
+    default = host.file("%s/default" % keyring_dir)
+    assert default.exists, "default keyring file missing"
+    assert default.content_string.strip() == "login"
diff --git a/scripts/testing/tests/test_packages.py b/scripts/testing/tests/test_packages.py
new file mode 100644
index 0000000..f237088
--- /dev/null
+++ b/scripts/testing/tests/test_packages.py
@@ -0,0 +1,60 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: package managers and key packages.
+
+Parity port of validate_yay_installed, validate_pacman_working,
+validate_terminus_font, validate_emacs, validate_git_config, validate_dev_tools.
+"""
+
+import pytest
+
+
+DEV_TOOLS = ["python", "node", "npm", "go", "rustc"]
+
+
+@pytest.mark.smoke
+@pytest.mark.attribution("archsetup")
+def test_yay_installed(host):
+    assert host.exists("yay"), "yay binary not on PATH"
+
+
+@pytest.mark.attribution("archsetup")
+def test_yay_functional(host, target_user):
+    # yay must actually query the package DB as the user, not just exist.
+    assert host.run("sudo -u %s yay -Qi yay" % target_user).rc == 0
+
+
+@pytest.mark.smoke
+@pytest.mark.attribution("unknown")
+def test_pacman_functional(host):
+    assert host.package("base").is_installed
+
+
+@pytest.mark.attribution("archsetup")
+def test_terminus_font_installed(host):
+    assert host.package("terminus-font").is_installed
+
+
+@pytest.mark.attribution("archsetup")
+def test_emacs_installed(host):
+    assert host.exists("emacs")
+
+
+@pytest.mark.attribution("archsetup")
+def test_emacs_config_readable_by_user(host, target_user, home):
+    emacsd = host.file("%s/.emacs.d" % home)
+    if not emacsd.exists:
+        pytest.skip(".emacs.d not present (config dir optional on some profiles)")
+    assert emacsd.is_directory
+    assert host.run("sudo -u %s ls %s" % (target_user, emacsd.path)).rc == 0
+
+
+@pytest.mark.smoke
+@pytest.mark.attribution("archsetup")
+def test_git_installed(host):
+    assert host.exists("git")
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("tool", DEV_TOOLS)
+def test_dev_tool_present(host, tool):
+    assert host.exists(tool), "dev tool %s missing from PATH" % tool
diff --git a/scripts/testing/tests/test_services.py b/scripts/testing/tests/test_services.py
index dc89e74..0ca3970 100644
--- a/scripts/testing/tests/test_services.py
+++ b/scripts/testing/tests/test_services.py
@@ -1,13 +1,103 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
-"""Post-install checks: essential services archsetup enables.
+"""Post-install checks: services, timers, and their functional health.
 
-Parity port of validate_firewall from validation.sh (more to follow in P2).
+Parity port of validate_firewall, validate_dns_config, validate_avahi,
+validate_fail2ban, validate_networkmanager, and validate_all_services /
+validate_service_functions.
+
+Mapping of the shell sweep's three outcomes:
+  - validation_fail (hard)  -> assert
+  - validation_warn (soft)  -> pytest.skip with the reason (visible, never red)
+  - validation_skip (precond)-> pytest.skip gated on a fixture
 """
 
 import pytest
 
 
+# Required services: (name, must_be_active). ufw can't activate in the VM (no
+# iptables kernel modules), so it's enabled-only; cronie/atd are enabled-only too.
+REQUIRED_ENABLED_ACTIVE = ["sshd", "systemd-resolved", "fail2ban", "NetworkManager", "rngd"]
+REQUIRED_ENABLED_ONLY = ["ufw", "cronie", "atd"]
+REQUIRED_TIMERS = ["reflector.timer", "paccache.timer"]
+OPTIONAL_SERVICES = ["avahi-daemon", "bluetooth", "cups", "docker", "tailscaled"]
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("svc", REQUIRED_ENABLED_ACTIVE)
+def test_required_service_enabled_and_active(host, svc):
+    s = host.service(svc)
+    assert s.is_enabled, "%s should be enabled" % svc
+    assert s.is_running, "%s should be active" % svc
+
+
 @pytest.mark.smoke
 @pytest.mark.attribution("archsetup")
-def test_ufw_firewall_enabled(host):
-    assert host.service("ufw").is_enabled
+@pytest.mark.parametrize("svc", REQUIRED_ENABLED_ONLY)
+def test_required_service_enabled(host, svc):
+    assert host.service(svc).is_enabled, "%s should be enabled" % svc
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("timer", REQUIRED_TIMERS)
+def test_required_timer_enabled(host, timer):
+    assert host.service(timer).is_enabled, "%s should be enabled" % timer
+
+
+@pytest.mark.parametrize("svc", OPTIONAL_SERVICES)
+def test_optional_service(host, svc):
+    # Optional: warn-if-missing in the shell sweep -> skip here so it never reds.
+    if not host.service(svc).is_enabled:
+        pytest.skip("%s not enabled (optional)" % svc)
+
+
+@pytest.mark.attribution("archsetup")
+def test_dns_over_tls_dropin_present(host):
+    # archsetup ships /etc/systemd/resolved.conf.d/dns-over-tls.conf.
+    assert host.file("/etc/systemd/resolved.conf.d/dns-over-tls.conf").exists
+
+
+@pytest.mark.attribution("archsetup")
+def test_fail2ban_responds(host):
+    assert host.run("fail2ban-client status").rc == 0
+
+
+@pytest.mark.attribution("archsetup")
+def test_networkmanager_responds(host):
+    assert host.run("nmcli general status").rc == 0
+
+
+@pytest.mark.attribution("archsetup")
+def test_log_cleanup_cron_installed(host, target_user):
+    out = host.run("sudo -u %s crontab -l" % target_user).stdout
+    assert "log-cleanup" in out, "log-cleanup entry missing from user crontab"
+
+
+@pytest.mark.attribution("archsetup")
+def test_syncthing_user_lingering_enabled(host, target_user):
+    # syncthing runs as a user service; lingering must be on for autostart.
+    assert host.file("/var/lib/systemd/linger/%s" % target_user).exists
+
+
+def test_dns_resolution(host):
+    # Network-dependent; advisory in the shell sweep. Skip on failure.
+    if host.run("resolvectl query archlinux.org").rc != 0:
+        pytest.skip("DNS resolution query failed (network-dependent)")
+
+
+def test_mdns_resolves(host, on_slirp):
+    # mDNS needs multicast, which QEMU slirp doesn't pass.
+    if on_slirp:
+        pytest.skip("mDNS not possible on slirp networking (no multicast)")
+    if not host.service("avahi-daemon").is_enabled:
+        pytest.skip("avahi-daemon not enabled")
+    hostname = host.run("hostname").stdout.strip()
+    assert host.run("ping -c 1 -W 2 %s.local" % hostname).rc == 0
+
+
+def test_docker_functional(host):
+    if not host.service("docker").is_enabled:
+        pytest.skip("docker not enabled")
+    if not host.service("docker").is_running:
+        # archsetup enables docker for next boot, not --now; pre-reboot this is correct.
+        pytest.skip("docker enabled but not started (starts on boot by design)")
+    assert host.run("docker info").rc == 0
diff --git a/scripts/testing/tests/test_users.py b/scripts/testing/tests/test_users.py
index 92ce768..c0097ed 100644
--- a/scripts/testing/tests/test_users.py
+++ b/scripts/testing/tests/test_users.py
@@ -1,12 +1,20 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 """Post-install checks: the user account archsetup creates.
 
-Parity port of validate_user_created / validate_user_shell from validation.sh.
+Parity port of validate_user_created / validate_user_shell / validate_user_groups.
 """
 
 import pytest
 
 
+# Groups archsetup adds: wheel (useradd -G), the usermod -aG set, and docker
+# (added later in the developer-workstation step).
+EXPECTED_GROUPS = [
+    "wheel", "sys", "adm", "network", "scanner", "power", "uucp",
+    "audio", "lp", "rfkill", "video", "storage", "optical", "users", "docker",
+]
+
+
 @pytest.mark.smoke
 @pytest.mark.attribution("archsetup")
 def test_user_exists(host, target_user):
@@ -15,4 +23,12 @@ def test_user_exists(host, target_user):
 
 @pytest.mark.attribution("archsetup")
 def test_user_shell_is_zsh(host, target_user):
-    assert host.user(target_user).shell == "/usr/bin/zsh"
+    # archsetup may set either path depending on how zsh resolves.
+    assert host.user(target_user).shell in ("/bin/zsh", "/usr/bin/zsh")
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("group", EXPECTED_GROUPS)
+def test_user_in_group(host, target_user, group):
+    # Parametrized so a failure names the exact missing group.
+    assert group in host.user(target_user).groups