nixos/acme: Move regression test into acme.nix

2025-07-13 21:50:33 +03:00 · 2020-04-14 20:04:44 +02:00 · 2020-04-14 20:04:44 +02:00 · 0952336d1d
commit 0952336d1d
parent cfd672a94d
2 changed files with 31 additions and 61 deletions
--- a/nixos/tests/acme-issue-81842.nix
+++ b/nixos/tests/acme-issue-81842.nix
@ -1,61 +0,0 @@
 # When nginx depends on a service that is slow to start up, requesting
 # certificates fail.  Reproducer for
 # https://github.com/NixOS/nixpkgs/issues/81842
 import ./make-test-python.nix {
  name = "acme-issue-81842";
  nodes = {
    letsencrypt = { nodes, lib, ... }: {
      imports = [ ./common/letsencrypt ];
      # TODO: Move out to common ?
    };
    webserver = { nodes, config, pkgs, lib, ... }: {
      imports = [ ./common/letsencrypt/common.nix ];
      # TODO move to common?
      security.acme.server = "https://acme-v02.api.letsencrypt.org/dir";
      systemd.services.my-slow-service = {
        wantedBy = [ "multi-user.target" "nginx.service" ];
        before = [ "nginx.service" ];
        preStart = "sleep 5";
        script = "${pkgs.python3}/bin/python -m http.server";
      };
      # Probe to measure that acme-a.example.com.service fired
      systemd.targets."acme-finished-a.example.com" = {
        after = [ "acme-a.example.com.service" ];
        wantedBy = [ "acme-a.example.com.service" ];
      };
      # TODO: Move to pebble dns server. get rid of the resolver.nix hacks
      networking.extraHosts = ''
        ${config.networking.primaryIPAddress} a.example.com
      '';
      networking.firewall.allowedTCPPorts = [ 80 443 ];
      services.nginx = {
        enable = true;
        virtualHosts."a.example.com" = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://localhost:8000";
        };
      };
    };
    client = { nodes, ... }: { imports = [ ./common/letsencrypt/common.nix ]; };
  };
  testScript = { nodes, ... }:
    ''
      letsencrypt.wait_for_unit("default.target")
      letsencrypt.wait_for_unit("pebble.service")
      client.wait_for_unit("default.target")
      client.succeed("curl https://acme-v02.api.letsencrypt.org:15000/roots/0 > /tmp/ca.crt")
      client.succeed(
          "curl https://acme-v02.api.letsencrypt.org:15000/intermediate-keys/0 >> /tmp/ca.crt"
      )
      webserver.wait_for_unit("acme-finished-a.example.com.target")
      client.succeed("curl --cacert /tmp/ca.crt https://a.example.com/")
    '';
 }
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@ -99,6 +99,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
          '';
        };
      };
      specialisation.dns-01.configuration = {pkgs, config, nodes, lib, ...}: {
        security.acme.certs."example.test" = {
          domain = "*.example.test";
@ -129,6 +130,26 @@ in import ./make-test-python.nix ({ lib, ... }: {
          '';
        };
      };
      # When nginx depends on a service that is slow to start up, requesting used to fail
      # certificates fail.  Reproducer for https://github.com/NixOS/nixpkgs/issues/81842
      specialisation.slow-startup.configuration = { pkgs, config, nodes, lib, ...}: {
        systemd.services.my-slow-service = {
          wantedBy = [ "multi-user.target" "nginx.service" ];
          before = [ "nginx.service" ];
          preStart = "sleep 5";
          script = "${pkgs.python3}/bin/python -m http.server";
        };
        systemd.targets."acme-finished-d.example.com" = {
          after = [ "acme-d.example.com.service" ];
          wantedBy = [ "acme-d.example.com.service" ];
        };
        services.nginx.virtualHosts."d.example.com" = {
          forceSSL = true;
          enableACME = true;
          locations."/".proxyPass = "http://localhost:8000";
        };
      };
    };
    client = {nodes, lib, ...}: {
@ -204,5 +225,15 @@ in import ./make-test-python.nix ({ lib, ... }: {
          client.succeed(
              "curl --cacert /tmp/ca.crt https://c.example.test/ | grep -qF 'hello world'"
          )
      with subtest("Can request certificate of nginx when startup is delayed"):
          webserver.succeed(
              "${switchToNewServer}"
          )
          webserver.succeed(
              "/run/current-system/specialisation/slow-startup/bin/switch-to-configuration test"
          )
          webserver.wait_for_unit("acme-finished-d.example.com.target")
          client.succeed("curl --cacert /tmp/ca.crt https://d.example.com/")
    '';
 })