7b87554ca1
In 0c7c1660f7
I set allowSubstitutes
to false, which prevented the certificates themselves from being substituted.
Unfortunately substitution may still happen later, when the certificate
is merged with the CA bundle. So the merged CA bundle might be
substituted from a binary cache while the certificate itself is built
locally, which could result in a different certificate in the bundle.
So instead of adding just yet another workaround, I've now hardcoded all
the certificates and keys in a separate file. This also moves
letsencrypt.nix into its own directory so we don't mess up
nixos/tests/common too much.
This was long overdue and should finally make the dependency graph for
the ACME test more deterministic.
Signed-off-by: aszlig <aszlig@nix.build>
# NixOS VM test for the ACME integration: a webserver obtains a certificate
# for example.com from a local ACME server (the letsencrypt node) and a client
# checks that the resulting HTTPS endpoint verifies against the test CA.
let
  # Shared by the webserver and client nodes: resolve names through the
  # letsencrypt node and trust the test CA it provides.
  commonConfig = { config, lib, pkgs, nodes, ... }: {
    # The letsencrypt node is the only resolver for these VMs.
    networking.nameservers = [
      nodes.letsencrypt.config.networking.primaryIPAddress
    ];

    nixpkgs.overlays = lib.singleton (self: super: {
      # Append the test CA to the system CA bundle so that certificates issued
      # by the test ACME server verify. This widens the trust store of every
      # VM that imports commonConfig, i.e. it is a test-only trust anchor.
      cacert = super.cacert.overrideDerivation (drv: {
        installPhase = (drv.installPhase or "") + ''
          cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
            >> "$out/etc/ssl/certs/ca-bundle.crt"
        '';
      });

      # certifi ships its own copy of the CA bundle instead of using the system
      # one; overwrite it with the patched bundle (`self.cacert` is the
      # overridden package above) so Python-based clients trust the test CA as
      # well. `lib.const` drops the first (self) argument of packageOverrides.
      pythonPackages = (super.python.override {
        packageOverrides = lib.const (pysuper: {
          certifi = pysuper.certifi.overridePythonAttrs (attrs: {
            postPatch = (attrs.postPatch or "") + ''
              cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
                > certifi/cacert.pem
            '';
          });
        });
      }).pkgs;
    });
  };

in import ./make-test.nix {
  name = "acme";

  nodes = {
    # The ACME server (boulder) and the test CA referenced above come from a
    # shared node definition.
    letsencrypt = ./common/letsencrypt;

    webserver = { config, pkgs, ... }: {
      imports = [ commonConfig ];
      # 443 serves the client check; 80 is presumably needed for the ACME
      # challenge and the forceSSL redirect -- confirm against the acme module.
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      # The webserver resolves example.com to its own address; the other nodes
      # presumably resolve it via the letsencrypt node's DNS.
      networking.extraHosts = ''
        ${config.networking.primaryIPAddress} example.com
      '';

      services.nginx.enable = true;
      services.nginx.virtualHosts."example.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".root = pkgs.runCommand "docroot" {} ''
          mkdir -p "$out"
          echo hello world > "$out/index.html"
        '';
      };
    };

    client = commonConfig;
  };

  # Waits for the ACME server, then for acme-certificates.target on the
  # webserver (presumably reached once the certificate has been obtained), and
  # finally fetches the page from the client. The curl call does not disable
  # verification, so the chain must validate against the test CA that the
  # commonConfig overlay appended to the system bundle.
  testScript = ''
    $letsencrypt->waitForUnit("default.target");
    $letsencrypt->waitForUnit("boulder.service");
    $webserver->waitForUnit("default.target");
    $webserver->waitForUnit("acme-certificates.target");
    $client->waitForUnit("default.target");
    $client->succeed('curl https://example.com/ | grep -qF "hello world"');
  '';
}