nixos/nextcloud: verify that Nextcloud is using the system-wide CA

Nextcloud manages the CA bundle on its own by default, but we patch this
out and replace it with the system-wide bundle.

Since the patch was originally made for the objectstore feature, this
test ensures that an S3 endpoint behind a TLS reverse proxy with its own CA
works fine.
Maximilian Bosch 2025-05-13 12:29:04 +02:00
parent 12f8199080
commit e9f70c9462


@ -26,11 +26,13 @@ runTest (
nodes = { nodes = {
nextcloud = nextcloud =
{ config, pkgs, ... }:
{ {
networking.firewall.allowedTCPPorts = [ 9000 ]; config,
environment.systemPackages = [ pkgs.minio-client ]; pkgs,
nodes,
...
}:
{
services.nextcloud.config.dbtype = "sqlite"; services.nextcloud.config.dbtype = "sqlite";
services.nextcloud.config.objectstore.s3 = { services.nextcloud.config.objectstore.s3 = {
@ -39,13 +41,66 @@ runTest (
autocreate = true; autocreate = true;
key = accessKey; key = accessKey;
secretFile = "${pkgs.writeText "secretKey" secretKey}"; secretFile = "${pkgs.writeText "secretKey" secretKey}";
hostname = "nextcloud"; hostname = "acme.test";
useSsl = false; useSsl = true;
port = 9000; port = 443;
usePathStyle = true; usePathStyle = true;
region = "us-east-1"; region = "us-east-1";
}; };
security.pki.certificates = [
(builtins.readFile ../common/acme/server/ca.cert.pem)
];
environment.systemPackages = [ pkgs.minio-client ];
# The dummy certs are for acme.test, so we pretend that's the FQDN
# of the minio VM.
networking.extraHosts = ''
${nodes.minio.networking.primaryIPAddress} acme.test
'';
};
client =
{ nodes, ... }:
{
security.pki.certificates = [
(builtins.readFile ../common/acme/server/ca.cert.pem)
];
networking.extraHosts = ''
${nodes.minio.networking.primaryIPAddress} acme.test
'';
};
minio =
{ ... }:
{
security.pki.certificates = [
(builtins.readFile ../common/acme/server/ca.cert.pem)
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."acme.test" = {
onlySSL = true;
sslCertificate = ../common/acme/server/acme.test.cert.pem;
sslCertificateKey = ../common/acme/server/acme.test.key.pem;
locations."/".proxyPass = "http://127.0.0.1:9000";
};
};
networking.extraHosts = ''
127.0.0.1 acme.test
'';
networking.firewall.allowedTCPPorts = [
9000
80
443
];
services.minio = { services.minio = {
enable = true; enable = true;
listenAddress = "0.0.0.0:9000"; listenAddress = "0.0.0.0:9000";
@ -56,18 +111,22 @@ runTest (
}; };
test-helpers.init = '' test-helpers.init = ''
nextcloud.wait_for_open_port(9000) minio.start()
minio.wait_for_open_port(9000)
minio.wait_for_unit("nginx.service")
minio.wait_for_open_port(443)
''; '';
test-helpers.extraTests = test-helpers.extraTests =
{ nodes, ... }: { nodes, ... }:
'' ''
with subtest("File is not on the filesystem"): with subtest("File is not on the filesystem"):
nextcloud.succeed("test ! -e ${nodes.nextcloud.services.nextcloud.home}/data/root/files/test-shared-file") nextcloud.succeed("test ! -e ${nodes.nextcloud.services.nextcloud.home}/data/root/files/test-shared-file")
with subtest("Check if file is in S3"): with subtest("Check if file is in S3"):
nextcloud.succeed( nextcloud.succeed(
"mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4" "mc config host add minio https://acme.test ${accessKey} ${secretKey} --api s3v4"
) )
files = nextcloud.succeed('mc ls minio/nextcloud|sort').strip().split('\n') files = nextcloud.succeed('mc ls minio/nextcloud|sort').strip().split('\n')
@ -100,8 +159,8 @@ runTest (
with subtest("Test download from S3"): with subtest("Test download from S3"):
client.succeed( client.succeed(
"env AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey} " "env AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey} "
+ f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url http://nextcloud:9000 " + f"${lib.getExe pkgs.awscli2} s3 cp s3://nextcloud/{file} test --endpoint-url https://acme.test "
+ "--region us-east-1" + "--region us-east-1 --ca-bundle /etc/ssl/certs/ca-bundle.crt"
) )
client.succeed("test hi = $(cat test)") client.succeed("test hi = $(cat test)")