nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 15:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixosTests.certmgr: fix systemd test

Browse Source 
Nginx fails to start, because it can't read the certificate file. This
happens because PrivateTmp is set for the service, which makes the
system wide /tmp inaccessible.
This commit is contained in:
Fabian Möller 2020-10-21 17:21:32 +02:00 committed by Jon
parent c58233a34a
commit e83bd25aec
1 changed files with 17 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
nixos/tests/certmgr.nix
View File

@ -11,7 +11,7 @@ let
file = { file = {
group = "nginx"; group = "nginx";
owner = "nginx"; owner = "nginx";
path = "/tmp/${host}-ca.pem"; path = "/var/ssl/${host}-ca.pem";
}; };
label = "www_ca"; label = "www_ca";
profile = "three-month"; profile = "three-month";
@ -20,13 +20,13 @@ let
certificate = { certificate = {
group = "nginx"; group = "nginx";
owner = "nginx"; owner = "nginx";
path = "/tmp/${host}-cert.pem"; path = "/var/ssl/${host}-cert.pem";
}; };
private_key = { private_key = {
group = "nginx"; group = "nginx";
mode = "0600"; mode = "0600";
owner = "nginx"; owner = "nginx";
path = "/tmp/${host}-key.pem"; path = "/var/ssl/${host}-key.pem";
}; };
request = { request = {
CN = host; CN = host;
@ -57,6 +57,8 @@ let
services.cfssl.enable = true; services.cfssl.enable = true;
systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ]; systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ];
systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ];
systemd.services.cfssl-init = { systemd.services.cfssl-init = {
description = "Initialize the cfssl CA"; description = "Initialize the cfssl CA";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -87,8 +89,8 @@ let
enable = true; enable = true;
virtualHosts = lib.mkMerge (map (host: { virtualHosts = lib.mkMerge (map (host: {
${host} = { ${host} = {
sslCertificate = "/tmp/${host}-cert.pem"; sslCertificate = "/var/ssl/${host}-cert.pem";
sslCertificateKey = "/tmp/${host}-key.pem"; sslCertificateKey = "/var/ssl/${host}-key.pem";
extraConfig = '' extraConfig = ''
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
''; '';
@ -124,16 +126,18 @@ in
}; };
testScript = '' testScript = ''
machine.wait_for_unit("cfssl.service") machine.wait_for_unit("cfssl.service")
machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem") machine.wait_until_succeeds("ls /var/ssl/decl.example.org-ca.pem")
machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem") machine.wait_until_succeeds("ls /var/ssl/decl.example.org-key.pem")
machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem") machine.wait_until_succeeds("ls /var/ssl/decl.example.org-cert.pem")
machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem") machine.wait_until_succeeds("ls /var/ssl/imp.example.org-ca.pem")
machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem") machine.wait_until_succeeds("ls /var/ssl/imp.example.org-key.pem")
machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem") machine.wait_until_succeeds("ls /var/ssl/imp.example.org-cert.pem")
machine.wait_for_unit("nginx.service") machine.wait_for_unit("nginx.service")
assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l')) assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l'))
machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org") machine.succeed("curl --cacert /var/ssl/imp.example.org-ca.pem https://imp.example.org")
machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org") machine.succeed(
"curl --cacert /var/ssl/decl.example.org-ca.pem https://decl.example.org"
)
''; '';
}; };