author aszlig <aszlig@nix.build> 2019-04-06 12:51:56 +0200
committer aszlig <aszlig@nix.build> 2019-04-06 12:51:56 +0200
commit 6fe989eaed7d283bbde7a58e42ce36c676870aee
tree 2b9abf5cfb73bd2ef07fc0fcbbba4f13e6a218a1 /nixos/tests/common
parent f3099279f0c294f8e18f295abe735df31a6a906c
nixos/tests/acme: Use exact match in TOS location

Since the switch to check the nginx config with gixy in
59fac1a6d7e1983a1e7bd518129ff9ef39a013dd, the ACME test doesn't build
anymore, because gixy reports the following false-positive (reindented):

  >> Problem: [alias_traversal] Path traversal via misconfigured alias.
  Severity: MEDIUM
  Description: Using alias in a prefixed location that doesn't ends with
               directory separator could lead to path traversal
               vulnerability.
  Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
  Pseudo config:

  server {
    server_name letsencrypt.org;

    location /documents/2017.11.15-LE-SA-v1.2.pdf {
      alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf;
    }
  }

The reason this is a false-positive is because the destination is not a
directory, so something like "/foo.pdf../other.txt" won't work here,
because the resulting path would be ".../destfile.pdf../other.txt".

Nevertheless it's a good idea to use the exact match operator (=), to
not only shut up gixy but also gain a bit of performance in lookup (not
that it would matter in our test).

Signed-off-by: aszlig <aszlig@nix.build>
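
The mapping the commit message reasons about, as an added example (not part of the commit or of nixpkgs): a simplified Python model of nginx's `alias` substitution, comparing a constructed directory alias with the file alias from the gixy report. The function names and the `/static` location are assumptions made for illustration.

```python
import posixpath

def map_alias(location, alias, uri, exact=False):
    """Model nginx's `alias` mapping; return the file path or None if no match.

    Assumptions of this sketch: only one location exists, prefix matching is a
    plain string-prefix test, and the URI is normalized first (as nginx does),
    so real "../" segments are collapsed before matching.
    """
    norm = posixpath.normpath(uri)
    if uri.endswith("/") and norm != "/":
        norm += "/"                      # normpath drops a trailing slash
    if exact:
        return alias if norm == location else None
    if not norm.startswith(location):
        return None
    # alias replaces the matched prefix; the remainder is appended verbatim
    return alias + norm[len(location):]

def escapes_via_dotdot(path):
    """True if the mapped path contains a real ".." component for the OS to follow."""
    return path is not None and ".." in path.split("/")

# Constructed directory case: prefix location without trailing slash, alias with one.
DIR_LOC, DIR_ALIAS = "/static", "/srv/www/static/"
# The location from the commit message: the alias target is a single file.
TOS_LOC = "/documents/2017.11.15-LE-SA-v1.2.pdf"
TOS_ALIAS = "/nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf"

def report():
    probe_dir = map_alias(DIR_LOC, DIR_ALIAS, "/static../other.txt")
    probe_file = map_alias(TOS_LOC, TOS_ALIAS, TOS_LOC + "../other.txt")
    probe_exact = map_alias(TOS_LOC, TOS_ALIAS, TOS_LOC + "../other.txt", exact=True)
    return {
        "dir": (probe_dir, escapes_via_dotdot(probe_dir)),
        "file": (probe_file, escapes_via_dotdot(probe_file)),
        "exact": (probe_exact, escapes_via_dotdot(probe_exact)),
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

In the directory case the remainder becomes its own `..` component, while in the file case it fuses into the file name (`...pdf..`), which is why the report is a false positive; with the exact match the probe URI does not reach the location at all.
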
Diffstat (limited to 'nixos/tests/common')
-rw-r--r-- nixos/tests/common/letsencrypt/default.nix 2
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/tests/common/letsencrypt/default.nix b/nixos/tests/common/letsencrypt/default.nix
index 73aac51a012..8fe59bf4e70 100644
--- a/nixos/tests/common/letsencrypt/default.nix
+++ b/nixos/tests/common/letsencrypt/default.nix
@@ -381,7 +381,7 @@ in {
       enableACME = false;
       sslCertificate = siteCertFile;
       sslCertificateKey = siteKeyFile;
-      locations.${tosPath}.extraConfig = "alias ${tosFile};";
+      locations."= ${tosPath}".alias = tosFile;
     };
 
     systemd.services = {
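
Review bot: The added line `locations."= ${tosPath}".alias = tosFile;` bundles two changes, the `=` exact-match prefix and the move from `extraConfig` to the `alias` option, and nothing next to it says why the `=` is there. A short comment above it noting that the exact match keeps gixy's alias_traversal check quiet would stop a later cleanup from reverting it to `locations.${tosPath}`. Since `tosFile` was previously string-interpolated and is now assigned directly, it is also worth confirming that the `alias` option accepts its type.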