diff options
| author | Fabian Möller <fabianm88@gmail.com> | 2020-10-21 17:21:32 +0200 |
|---|---|---|
| committer | Jon <jonringer@users.noreply.github.com> | 2020-10-23 18:09:50 -0700 |
| commit | e83bd25aec2c4acb7803c6fb259406a2c0fae4e7 (patch) | |
| tree | 0b69d05f12678523b88f23392892c292f8413f38 /nixos/tests/certmgr.nix | |
| parent | c58233a34a0c005c0b1d73b3cc853c346dfd11da (diff) | |
| download | nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.tar nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.tar.gz nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.tar.bz2 nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.tar.lz nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.tar.xz nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.tar.zst nixpkgs-e83bd25aec2c4acb7803c6fb259406a2c0fae4e7.zip | |
nixosTests.certmgr: fix systemd test
Nginx fails to start, because it can't read the certificate file. This happens because PrivateTmp is set for the service, which makes the system wide /tmp inaccessible.
Diffstat (limited to 'nixos/tests/certmgr.nix')
| -rw-r--r-- | nixos/tests/certmgr.nix | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/nixos/tests/certmgr.nix b/nixos/tests/certmgr.nix index ef32f54400e..8f5b8948779 100644 --- a/nixos/tests/certmgr.nix +++ b/nixos/tests/certmgr.nix @@ -11,7 +11,7 @@ let file = { group = "nginx"; owner = "nginx"; - path = "/tmp/${host}-ca.pem"; + path = "/var/ssl/${host}-ca.pem"; }; label = "www_ca"; profile = "three-month"; @@ -20,13 +20,13 @@ let certificate = { group = "nginx"; owner = "nginx"; - path = "/tmp/${host}-cert.pem"; + path = "/var/ssl/${host}-cert.pem"; }; private_key = { group = "nginx"; mode = "0600"; owner = "nginx"; - path = "/tmp/${host}-key.pem"; + path = "/var/ssl/${host}-key.pem"; }; request = { CN = host; @@ -57,6 +57,8 @@ let services.cfssl.enable = true; systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ]; + systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ]; + systemd.services.cfssl-init = { description = "Initialize the cfssl CA"; wantedBy = [ "multi-user.target" ]; @@ -87,8 +89,8 @@ let enable = true; virtualHosts = lib.mkMerge (map (host: { ${host} = { - sslCertificate = "/tmp/${host}-cert.pem"; - sslCertificateKey = "/tmp/${host}-key.pem"; + sslCertificate = "/var/ssl/${host}-cert.pem"; + sslCertificateKey = "/var/ssl/${host}-key.pem"; extraConfig = '' ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ''; @@ -124,16 +126,18 @@ in }; testScript = '' machine.wait_for_unit("cfssl.service") - machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem") - machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem") - machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem") - machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem") - machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem") - machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem") + machine.wait_until_succeeds("ls /var/ssl/decl.example.org-ca.pem") + machine.wait_until_succeeds("ls /var/ssl/decl.example.org-key.pem") + machine.wait_until_succeeds("ls /var/ssl/decl.example.org-cert.pem") + machine.wait_until_succeeds("ls /var/ssl/imp.example.org-ca.pem") + machine.wait_until_succeeds("ls /var/ssl/imp.example.org-key.pem") + machine.wait_until_succeeds("ls /var/ssl/imp.example.org-cert.pem") machine.wait_for_unit("nginx.service") assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l')) - machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org") - machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org") + machine.succeed("curl --cacert /var/ssl/imp.example.org-ca.pem https://imp.example.org") + machine.succeed( + "curl --cacert /var/ssl/decl.example.org-ca.pem https://decl.example.org" + ) ''; }; |