author | Lucas Savva <lucas@m1cr0man.com> | 2020-06-19 20:27:46 +0100 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2020-09-02 19:22:43 +0100 |
commit | 982c5a1f0e7f282f856391304aa4da7bb36c45b8 (patch) | |
tree | 4cf0e93b6cd4e1ae2371c0d9184fca87ae8e43ca /nixos/tests/postfix.nix | |
parent | 6ab387699a9f23201cf76091d0f7d4ff09fa510e (diff) | |
nixos/acme: Restructure module
- Use an acme user and group, allow group override only - Use hashes to determine when certs actually need to regenerate - Avoid running lego more than necessary - Harden permissions - Support "systemctl clean" for cert regeneration - Support reuse of keys between some configuration changes - Permissions fix services solves for previously root owned certs - Add a note about multiple account creation and emails - Migrate extraDomains to a list - Deprecate user option - Use minica for self-signed certs - Rewrite all tests I thought of a few more cases where things may go wrong, and added tests to cover them. In particular, the web server reload services were depending on the target - which stays alive, meaning that the renewal timer wouldn't be triggering a reload and old certs would stay on the web servers. I encountered some problems ensuring that the reload took place without accidentally triggering it as part of the test. The sync commands I added ended up being essential and I'm not sure why, it seems like either node.succeed ends too early or there's an oddity of the vm's filesystem I'm not aware of. - Fix duplicate systemd rules on reload services Since useACMEHost is not unique to every vhost, if one cert was reused many times it would create duplicate entries in ${server}-config-reload.service for wants, before and ConditionPathExists
Diffstat (limited to 'nixos/tests/postfix.nix')
-rw-r--r-- | nixos/tests/postfix.nix | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/nixos/tests/postfix.nix b/nixos/tests/postfix.nix
index b0674ca3a0d..37ae76afec1 100644
--- a/nixos/tests/postfix.nix
+++ b/nixos/tests/postfix.nix
@@ -1,5 +1,6 @@
 let
   certs = import ./common/acme/server/snakeoil-certs.nix;
+  domain = certs.domain;
 in
 import ./make-test-python.nix {
   name = "postfix";
@@ -11,8 +12,8 @@ import ./make-test-python.nix {
       enableSubmission = true;
       enableSubmissions = true;
       sslCACert = certs.ca.cert;
-      sslCert = certs."acme.test".cert;
-      sslKey = certs."acme.test".key;
+      sslCert = certs.${domain}.cert;
+      sslKey = certs.${domain}.key;
       submissionsOptions = {
         smtpd_sasl_auth_enable = "yes";
         smtpd_client_restrictions = "permit";
@@ -25,7 +26,7 @@ import ./make-test-python.nix {
     ];
     networking.extraHosts = ''
-      127.0.0.1 acme.test
+      127.0.0.1 ${domain}
     '';
     environment.systemPackages = let
@@ -33,7 +34,7 @@ import ./make-test-python.nix {
         #!${pkgs.python3.interpreter}
         import smtplib
-        with smtplib.SMTP('acme.test') as smtp:
+        with smtplib.SMTP('${domain}') as smtp:
           smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test\n\nTest data.')
           smtp.quit()
       '';
@@ -45,7 +46,7 @@ import ./make-test-python.nix {
         ctx = ssl.create_default_context()
-        with smtplib.SMTP('acme.test') as smtp:
+        with smtplib.SMTP('${domain}') as smtp:
           smtp.ehlo()
           smtp.starttls(context=ctx)
           smtp.ehlo()
@@ -60,7 +61,7 @@ import ./make-test-python.nix {
         ctx = ssl.create_default_context()
-        with smtplib.SMTP_SSL(host='acme.test', context=ctx) as smtp:
+        with smtplib.SMTP_SSL(host='${domain}', context=ctx) as smtp:
           smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test SMTPS\n\nTest data.')
           smtp.quit()
       '';
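Review bot: The STARTTLS and SMTPS client scripts in the last two hunks now connect to `'${domain}'` with `ssl.create_default_context()`, which verifies the server certificate against the system trust store and checks the hostname, but nothing in these hunks shows the snakeoil CA (`certs.ca.cert`) being added to that store, so the test's TLS verification presumably depends on configuration outside the hunks. A one-line comment above each `ctx = ssl.create_default_context()` such as `# verification relies on certs.ca.cert being in the system trust store (see security.pki config)` would make that dependency explicit and avoid the test silently losing its verification property if that wiring moves. It is also worth noting in a comment next to `domain = certs.domain;` that `snakeoil-certs.nix` is expected to export `domain` and an attribute of that name, since every other change in this file now derives from it. The enclosing attribute sets continue outside the hunks.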