authorLucas Savva <lucas@m1cr0man.com>2020-06-19 20:27:46 +0100
committerLucas Savva <lucas@m1cr0man.com>2020-09-02 19:22:43 +0100
commit982c5a1f0e7f282f856391304aa4da7bb36c45b8 (patch)
tree4cf0e93b6cd4e1ae2371c0d9184fca87ae8e43ca /nixos/tests/postfix.nix
parent6ab387699a9f23201cf76091d0f7d4ff09fa510e (diff)
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidentally triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
Diffstat (limited to 'nixos/tests/postfix.nix')
-rw-r--r--nixos/tests/postfix.nix13
1 files changed, 7 insertions, 6 deletions
diff --git a/nixos/tests/postfix.nix b/nixos/tests/postfix.nix
index b0674ca3a0d..37ae76afec1 100644
--- a/nixos/tests/postfix.nix
+++ b/nixos/tests/postfix.nix
@@ -1,5 +1,6 @@
 let
   certs = import ./common/acme/server/snakeoil-certs.nix;
+  domain = certs.domain;
 in
 import ./make-test-python.nix {
   name = "postfix";
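Review bot: The new binding `domain = certs.domain;` is the one place the test's hostname is now sourced from, and the conventional Nix spelling for pulling a single attribute out of an attrset is `inherit (certs) domain;`. It is purely a point of style; behaviour is identical. A one-line comment such as `# hostname the snakeoil cert was issued for; must match the SAN in snakeoil-certs.nix` would also make the coupling between this value and the fixture explicit for the next reader, since every hunk below now depends on it.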
@@ -11,8 +12,8 @@ import ./make-test-python.nix {
       enableSubmission = true;
       enableSubmissions = true;
       sslCACert = certs.ca.cert;
-      sslCert = certs."acme.test".cert;
-      sslKey = certs."acme.test".key;
+      sslCert = certs.${domain}.cert;
+      sslKey = certs.${domain}.key;
       submissionsOptions = {
           smtpd_sasl_auth_enable = "yes";
           smtpd_client_restrictions = "permit";
@@ -25,7 +26,7 @@ import ./make-test-python.nix {
     ];
 
     networking.extraHosts = ''
-      127.0.0.1 acme.test
+      127.0.0.1 ${domain}
     '';
 
     environment.systemPackages = let
@@ -33,7 +34,7 @@ import ./make-test-python.nix {
         #!${pkgs.python3.interpreter}
         import smtplib
 
-        with smtplib.SMTP('acme.test') as smtp:
+        with smtplib.SMTP('${domain}') as smtp:
           smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test\n\nTest data.')
           smtp.quit()
       '';
@@ -45,7 +46,7 @@ import ./make-test-python.nix {
 
         ctx = ssl.create_default_context()
 
-        with smtplib.SMTP('acme.test') as smtp:
+        with smtplib.SMTP('${domain}') as smtp:
           smtp.ehlo()
           smtp.starttls(context=ctx)
           smtp.ehlo()
@@ -60,7 +61,7 @@ import ./make-test-python.nix {
 
         ctx = ssl.create_default_context()
 
-        with smtplib.SMTP_SSL(host='acme.test', context=ctx) as smtp:
+        with smtplib.SMTP_SSL(host='${domain}', context=ctx) as smtp:
           smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test SMTPS\n\nTest data.')
           smtp.quit()
       '';
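Review bot: The new `host='${domain}'` is verified by `ctx` from `ssl.create_default_context()`, which only trusts the system CA store, so this test passes only if the snakeoil CA is installed into the VM's trust store somewhere outside this hunk (the hunk neither shows nor asserts that). Making the dependency explicit with `ctx = ssl.create_default_context(cafile='${certs.ca.cert}')` would pin verification to the fixture CA and keep the test independent of the host-wide `security.pki` configuration. The same applies to the STARTTLS client in the preceding hunk. Note also that `${domain}` is interpolated raw into a Python string literal; that is fine for this fixture value, but `${builtins.toJSON domain}` would be the robust form if the fixture ever changes.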