mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-10 19:55:41 +03:00
229640ed3a
Split tests up based on certain use cases: - http01-builtin: Tests most functionality of the core module, such as the systemd and hashing components, whilst utilising lego's built in http01 resolution mechanis. - dns01: Tests only that DNS01 renewal works as expected. - nginx: Tests nginx compatability - httpd: Tests httpd compatability - caddy: Tests caddy compatability
120 lines
3.3 KiB
Nix
120 lines
3.3 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
domain = "example.test";
|
|
in
|
|
{
|
|
# Caddy only supports useACMEHost, hence we use a distinct test suite
|
|
name = "caddy";
|
|
meta = {
|
|
maintainers = lib.teams.acme.members;
|
|
# Hard timeout in seconds. Average run time is about 60 seconds.
|
|
timeout = 180;
|
|
};
|
|
|
|
nodes = {
|
|
# The fake ACME server which will respond to client requests
|
|
acme =
|
|
{ nodes, ... }:
|
|
{
|
|
imports = [ ../common/acme/server ];
|
|
};
|
|
|
|
caddy =
|
|
{ nodes, config, ... }:
|
|
let
|
|
fqdn = config.networking.fqdn;
|
|
in
|
|
{
|
|
imports = [ ../common/acme/client ];
|
|
networking.domain = domain;
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
|
|
# Resolve the vhosts the easy way
|
|
networking.hosts."127.0.0.1" = [
|
|
"caddy-alt.${domain}"
|
|
];
|
|
|
|
# OpenSSL will be used for more thorough certificate validation
|
|
environment.systemPackages = [ pkgs.openssl ];
|
|
|
|
security.acme.certs."${fqdn}" = {
|
|
listenHTTP = ":8080";
|
|
reloadServices = [ "caddy.service" ];
|
|
};
|
|
|
|
users.users."${config.services.caddy.user}".extraGroups = [ "acme" ];
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
# FIXME reloading caddy is not sufficient to load new certs.
|
|
# Restart it manually until this is fixed.
|
|
enableReload = false;
|
|
globalConfig = ''
|
|
auto_https off
|
|
'';
|
|
virtualHosts."${fqdn}:443" = {
|
|
useACMEHost = fqdn;
|
|
};
|
|
virtualHosts.":80".extraConfig = ''
|
|
reverse_proxy localhost:8080
|
|
'';
|
|
};
|
|
|
|
specialisation.add_domain.configuration = {
|
|
security.acme.certs.${fqdn}.extraDomainNames = [
|
|
"caddy-alt.${domain}"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
{ nodes, ... }:
|
|
''
|
|
${(import ./utils.nix).pythonUtils}
|
|
|
|
domain = "${domain}"
|
|
ca_domain = "${nodes.acme.test-support.acme.caDomain}"
|
|
fqdn = "${nodes.caddy.networking.fqdn}"
|
|
|
|
acme.start()
|
|
wait_for_running(acme)
|
|
acme.wait_for_open_port(443)
|
|
|
|
with subtest("Boot and acquire a new cert"):
|
|
caddy.start()
|
|
wait_for_running(caddy)
|
|
|
|
check_issuer(caddy, fqdn, "pebble")
|
|
check_domain(caddy, fqdn, fqdn)
|
|
|
|
download_ca_certs(caddy, ca_domain)
|
|
check_connection(caddy, fqdn)
|
|
|
|
with subtest("Can run on selfsigned certificates"):
|
|
# Switch to selfsigned first
|
|
caddy.succeed(f"systemctl clean acme-{fqdn}.service --what=state")
|
|
caddy.succeed(f"systemctl start acme-selfsigned-{fqdn}.service")
|
|
check_issuer(caddy, fqdn, "minica")
|
|
caddy.succeed("systemctl restart caddy.service")
|
|
# Check that the web server has picked up the selfsigned cert
|
|
check_connection(caddy, fqdn, minica=True)
|
|
caddy.succeed(f"systemctl start acme-{fqdn}.service")
|
|
# This may fail a couple of times before caddy is restarted
|
|
check_issuer(caddy, fqdn, "pebble")
|
|
check_connection(caddy, fqdn)
|
|
|
|
with subtest("security.acme changes reflect on caddy"):
|
|
check_connection(caddy, f"caddy-alt.{domain}", fail=True)
|
|
switch_to(caddy, "add_domain")
|
|
check_connection(caddy, f"caddy-alt.{domain}")
|
|
'';
|
|
}
|