nixpkgs/nixos/tests/acme.nix

let
  commonConfig = { lib, nodes, ... }: {
    networking.nameservers = [
      nodes.letsencrypt.config.networking.primaryIPAddress
    ];

    nixpkgs.overlays = lib.singleton (self: super: {
      cacert = super.cacert.overrideDerivation (drv: {
        installPhase = (drv.installPhase or "") + ''
          cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
            >> "$out/etc/ssl/certs/ca-bundle.crt"
        '';
      });

      # Override certifi so that it accepts fake certificate for Let's Encrypt
      # Need to override the attribute used by simp_le, which is python3Packages
      python3Packages = (super.python3.override {
        packageOverrides = lib.const (pysuper: {
          certifi = pysuper.certifi.overridePythonAttrs (attrs: {
            postPatch = (attrs.postPatch or "") + ''
              cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
                > certifi/cacert.pem
            '';
          });
        });
      }).pkgs;
    });
  };

in import ./make-test.nix {
  name = "acme";

  nodes = {
    letsencrypt = ./common/letsencrypt;

    webserver = { config, pkgs, ... }: {
      imports = [ commonConfig ];
      networking.firewall.allowedTCPPorts = [ 80 443 ];

      networking.extraHosts = ''
        ${config.networking.primaryIPAddress} example.com
      '';

      services.nginx.enable = true;
      services.nginx.virtualHosts."example.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/".root = pkgs.runCommand "docroot" {} ''
          mkdir -p "$out"
          echo hello world > "$out/index.html"
        '';
      };
    };

    client = commonConfig;
  };

  testScript = ''
    $letsencrypt->waitForUnit("default.target");
    $letsencrypt->waitForUnit("boulder.service");
    $webserver->waitForUnit("default.target");
    $webserver->waitForUnit("acme-certificates.target");
    $client->waitForUnit("default.target");
    $client->succeed('curl https://example.com/ | grep -qF "hello world"');
  '';
}
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`let`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`commonConfig = { lib, nodes, ... }: {`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`networking.nameservers = [`
			`nodes.letsencrypt.config.networking.primaryIPAddress`
			`];`

			`nixpkgs.overlays = lib.singleton (self: super: {`
			`cacert = super.cacert.overrideDerivation (drv: {`
			`installPhase = (drv.installPhase or "") + ''`
			`cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \`
			`>> "$out/etc/ssl/certs/ca-bundle.crt"`
			`'';`
			`});`

simp_le: use python3Packages (#44476) 2018-08-05 01:17:38 +02:00			`# Override certifi so that it accepts fake certificate for Let's Encrypt`
			`# Need to override the attribute used by simp_le, which is python3Packages`
			`python3Packages = (super.python3.override {`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`packageOverrides = lib.const (pysuper: {`
nixos/tests/acme: Use overridePythonAttrs Quoting from @FRidh: Note overridePythonAttrs exists since 17.09. It overrides the call to buildPythonPackage. While it's not strictly necessary to do this, because postPatch ends up in drvAttrs anyway, it's probably better to use overridePythonAttrs so we don't run into problems when the underlying implementation of buildPythonPackage changes. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-09-14 23:18:52 +02:00			`certifi = pysuper.certifi.overridePythonAttrs (attrs: {`
			`postPatch = (attrs.postPatch or "") + ''`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \`
nixos/tests/acme: Patch certifi with cacert Since 67651d80bc8baaf09ab91fec8ea423e09107ed8f the requests package now depends on certifi, which in turn provides the CA root certificates that we need to replace. It might also be a good idea to actually patch certifi with our version of cacert by default so that if we want to override and/or add something we only need to do it once. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Cc: @fpletz, @k0ral, @FRidh 2017-09-13 23:06:39 +02:00			`> certifi/cacert.pem`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`'';`
			`});`
			`});`
			`}).pkgs;`
			`});`
			`};`

			`in import ./make-test.nix {`
			`name = "acme";`

			`nodes = {`
nixos/tests/letsencrypt: Hardcode certs and keys In 0c7c1660f78e4f6befe0a210e1a9efae783a1733 I have set allowSubstitutes to false, which avoided the substitution of the certificates. Unfortunately substitution may still happen later when the certificate is merged with the CA bundle. So the merged CA bundle might be substituted from a binary cache but the certificate itself is built locally, which could result in a different certificate in the bundle. So instead of adding just yet another workaround, I've now hardcoded all the certificates and keys in a separate file. This also moves letsencrypt.nix into its own directory so we don't mess up nixos/tests/common too much. This was long overdue and should finally make the dependency graph for the ACME test more deterministic. Signed-off-by: aszlig <aszlig@nix.build> 2018-07-12 00:56:48 +02:00			`letsencrypt = ./common/letsencrypt;`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00
			`webserver = { config, pkgs, ... }: {`
			`imports = [ commonConfig ];`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`

			`networking.extraHosts = ''`
			`${config.networking.primaryIPAddress} example.com`
			`'';`

			`services.nginx.enable = true;`
			`services.nginx.virtualHosts."example.com" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/".root = pkgs.runCommand "docroot" {} ''`
			`mkdir -p "$out"`
			`echo hello world > "$out/index.html"`
			`'';`
			`};`
			`};`

			`client = commonConfig;`
			`};`

			`testScript = ''`
nixos/tests/acme: fix on i686, improve timing (#40410) ... to prevent non-deterministic failures 2018-05-13 19:59:59 +02:00			`$letsencrypt->waitForUnit("default.target");`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`$letsencrypt->waitForUnit("boulder.service");`
nixos/tests/acme: fix on i686, improve timing (#40410) ... to prevent non-deterministic failures 2018-05-13 19:59:59 +02:00			`$webserver->waitForUnit("default.target");`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`$webserver->waitForUnit("acme-certificates.target");`
nixos/tests/acme: fix on i686, improve timing (#40410) ... to prevent non-deterministic failures 2018-05-13 19:59:59 +02:00			`$client->waitForUnit("default.target");`
nixos/tests: Add a basic test for ACME The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2017-07-27 13:24:17 +02:00			`$client->succeed('curl https://example.com/ \| grep -qF "hello world"');`
			`'';`
			`}`