movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 19:55:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/nextcloud: verify that Nextcloud is using the system-wide CA

Browse source 
Nextcloud manages the CA bundle on its own by default, but we patch this
out and replace it with the system-wide bundle.

Since this was originally designed for the objectstore feature, this
test ensures that an S3 behind a reverse proxy with TLS and its own CA
works fine.
This commit is contained in:
Maximilian Bosch 2025-05-13 12:29:04 +02:00
parent 12f8199080
commit e9f70c9462
No known key found for this signature in database
1 changed files with 70 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

81
nixos/tests/nextcloud/with-objectstore.nix
View file

@ -26,11 +26,13 @@ runTest (
nodes = {
nextcloud =
{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 9000 ];
environment.systemPackages = [ pkgs.minio-client ];
config,
pkgs,
nodes,
...
}:
{
services.nextcloud.config.dbtype = "sqlite";
services.nextcloud.config.objectstore.s3 = {
@ -39,13 +41,66 @@ runTest (
autocreate = true;
key = accessKey;
secretFile = "${pkgs.writeText "secretKey" secretKey}";
hostname = "nextcloud";
useSsl = false;
port = 9000;
hostname = "acme.test";
useSsl = true;
port = 443;
usePathStyle = true;
region = "us-east-1";
};
security.pki.certificates = [
(builtins.readFile ../common/acme/server/ca.cert.pem)
];
environment.systemPackages = [ pkgs.minio-client ];
# The dummy certs are for acme.test, so we pretend that's the FQDN
# of the minio VM.
networking.extraHosts = ''
${nodes.minio.networking.primaryIPAddress} acme.test
'';
};
client =
{ nodes, ... }:
{
security.pki.certificates = [
(builtins.readFile ../common/acme/server/ca.cert.pem)
];
networking.extraHosts = ''
${nodes.minio.networking.primaryIPAddress} acme.test
'';
};
minio =
{ ... }:
{
security.pki.certificates = [
(builtins.readFile ../common/acme/server/ca.cert.pem)
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."acme.test" = {
onlySSL = true;
sslCertificate = ../common/acme/server/acme.test.cert.pem;
sslCertificateKey = ../common/acme/server/acme.test.key.pem;
locations."/".proxyPass = "http://127.0.0.1:9000";
};
};
networking.extraHosts = ''
127.0.0.1 acme.test
'';
networking.firewall.allowedTCPPorts = [
9000
80
443
];
services.minio = {
enable = true;
listenAddress = "0.0.0.0:9000";
@ -56,18 +111,22 @@ runTest (
};
test-helpers.init = ''
nextcloud.wait_for_open_port(9000)
minio.start()
minio.wait_for_open_port(9000)
minio.wait_for_unit("nginx.service")
minio.wait_for_open_port(443)
'';
test-helpers.extraTests =
{ nodes, ... }:
''
with subtest("File is not on the filesystem"):
nextcloud.succeed("test ! -e ${nodes.nextcloud.services.nextcloud.home}/data/root/files/test-shared-file")
with subtest("Check if file is in S3"):
nextcloud.succeed(
"mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4"
"mc config host add minio https://acme.test ${accessKey} ${secretKey} --api s3v4"
)
files = nextcloud.succeed('mc ls minio/nextcloud|sort').strip().split('\n')
@ -100,8 +159,8 @@ runTest (
with subtest("Test download from S3"):
client.succeed(
"env AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey} "
+ f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url http://nextcloud:9000 "
+ "--region us-east-1"
+ f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url https://acme.test "
+ "--region us-east-1 --ca-bundle /etc/ssl/certs/ca-bundle.crt"
)
client.succeed("test hi = $(cat test)")