
nixos/acme: Add test for lego's built-in web server

In the process I also found that the CapabilityBoundingSet
was preventing the service from listening on port 80, and
that the AmbientCapabilities setting was ineffective. Fixed appropriately.
This commit is contained in:
Lucas Savva 2021-12-18 14:52:32 +00:00
parent 2dcc3daadf
commit 65f1b8c6ae
No known key found for this signature in database
GPG key ID: E4EC5BF2E2F116A2
2 changed files with 32 additions and 15 deletions


@ -324,7 +324,7 @@ let
fi fi
''); '');
} // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) { } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
}; };
# Working directory will be /tmp # Working directory will be /tmp
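Review bot: Swapping AmbientCapabilities for CapabilityBoundingSet on the changed line only widens what the service is allowed to hold; when the unit runs under a non-root user the capability is not actually granted to the process unless AmbientCapabilities is set as well, and the old ambient grant was presumably ineffective only because a bounding set elsewhere in the unit excluded it. The test added in this commit exercises listenHTTP together with useRoot = true, where the bounding set alone is enough, so the non-root path is not covered. I would keep both settings: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`. The port check in the `optionalAttrs` condition takes element 1 of the split, which misreads a listenHTTP value containing more than one colon (an IPv6 literal, for instance); `last` would be safer. The enclosing attribute set starts outside the hunk.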


@ -203,7 +203,7 @@ in {
webserverBasicConfig webserverBasicConfig
{ {
security.acme.certs."a.example.test".ocspMustStaple = true; security.acme.certs."a.example.test".ocspMustStaple = true;
services.nginx.virtualHosts."a.example.com" = { services.nginx.virtualHosts."a.example.test" = {
extraConfig = '' extraConfig = ''
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
@ -224,7 +224,7 @@ in {
script = "${pkgs.python3}/bin/python -m http.server"; script = "${pkgs.python3}/bin/python -m http.server";
}; };
services.nginx.virtualHosts."slow.example.com" = { services.nginx.virtualHosts."slow.example.test" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:8000"; locations."/".proxyPass = "http://localhost:8000";
@ -232,10 +232,24 @@ in {
} }
]; ];
use-root.configuration = { ... }: lib.mkMerge [ # Test lego internal server (listenHTTP option)
# Also tests useRoot option
lego-server.configuration = { ... }: lib.mkMerge [
webserverBasicConfig webserverBasicConfig
{ {
security.acme.useRoot = true; security.acme.useRoot = true;
security.acme.certs."lego.example.test" = {
listenHTTP = ":80";
group = "nginx";
};
services.nginx.virtualHosts."a.example.test" = {
onlySSL = true;
forceSSL = lib.mkForce false;
};
services.nginx.virtualHosts."lego.example.test" = {
useACMEHost = "lego.example.test";
onlySSL = true;
};
} }
]; ];
@ -402,7 +416,7 @@ in {
# Perform general tests first # Perform general tests first
switch_to(webserver, "general") switch_to(webserver, "general")
with subtest("Can request certificate with HTTPS-01 challenge"): with subtest("Can request certificate with HTTP-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target") webserver.wait_for_unit("acme-finished-a.example.test.target")
check_fullchain(webserver, "a.example.test") check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble") check_issuer(webserver, "a.example.test", "pebble")
@ -449,19 +463,22 @@ in {
webserver.wait_for_unit("acme-finished-a.example.test.target") webserver.wait_for_unit("acme-finished-a.example.test.target")
check_stapling(client, "a.example.test") check_stapling(client, "a.example.test")
with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"): with subtest("Can request certificate with HTTP-01 using lego's internal web server"):
switch_to(webserver, "lego-server")
webserver.wait_for_unit("acme-finished-lego.example.test.target")
webserver.wait_for_unit("nginx.service")
webserver.succeed("echo HENLO && systemctl cat nginx.service")
webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
check_connection(client, "a.example.test")
check_connection(client, "lego.example.test")
with subtest("Can request certificate with HTTP-01 when nginx startup is delayed"):
webserver.execute("systemctl stop nginx") webserver.execute("systemctl stop nginx")
switch_to(webserver, "slow-startup") switch_to(webserver, "slow-startup")
webserver.wait_for_unit("acme-finished-slow.example.com.target") webserver.wait_for_unit("acme-finished-slow.example.test.target")
check_issuer(webserver, "slow.example.com", "pebble") check_issuer(webserver, "slow.example.test", "pebble")
webserver.wait_for_unit("nginx.service") webserver.wait_for_unit("nginx.service")
check_connection(client, "slow.example.com") check_connection(client, "slow.example.test")
with subtest("Can set useRoot to true and still use certs normally"):
switch_to(webserver, "use-root")
webserver.wait_for_unit("nginx.service")
webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
check_connection(client, "a.example.com")
domains = ["http", "dns", "wildcard"] domains = ["http", "dns", "wildcard"]
for server, logsrc in [ for server, logsrc in [