nixosTests.certmgr: fix systemd test
Nginx fails to start because it can't read the certificate file. This
happens because PrivateTmp is set for the service, which makes the
system-wide /tmp inaccessible.
B4dM4n authored and jonringer committed Oct 24, 2020
1 parent c58233a commit e83bd25
Showing 1 changed file with 17 additions and 13 deletions.
30 changes: 17 additions & 13 deletions nixos/tests/certmgr.nix
Expand Up @@ -11,7 +11,7 @@ let
file = {
group = "nginx";
owner = "nginx";
path = "/tmp/${host}-ca.pem";
path = "/var/ssl/${host}-ca.pem";
};
label = "www_ca";
profile = "three-month";
Expand All @@ -20,13 +20,13 @@ let
certificate = {
group = "nginx";
owner = "nginx";
path = "/tmp/${host}-cert.pem";
path = "/var/ssl/${host}-cert.pem";
};
private_key = {
group = "nginx";
mode = "0600";
owner = "nginx";
path = "/tmp/${host}-key.pem";
path = "/var/ssl/${host}-key.pem";
};
request = {
CN = host;
Expand Down Expand Up @@ -57,6 +57,8 @@ let
services.cfssl.enable = true;
systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ];

systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ];

systemd.services.cfssl-init = {
description = "Initialize the cfssl CA";
wantedBy = [ "multi-user.target" ];
Expand Down Expand Up @@ -87,8 +89,8 @@ let
enable = true;
virtualHosts = lib.mkMerge (map (host: {
${host} = {
sslCertificate = "/tmp/${host}-cert.pem";
sslCertificateKey = "/tmp/${host}-key.pem";
sslCertificate = "/var/ssl/${host}-cert.pem";
sslCertificateKey = "/var/ssl/${host}-key.pem";
extraConfig = ''
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
'';
Expand Down Expand Up @@ -124,16 +126,18 @@ in
};
testScript = ''
machine.wait_for_unit("cfssl.service")
machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem")
machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem")
machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem")
machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem")
machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem")
machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem")
machine.wait_until_succeeds("ls /var/ssl/decl.example.org-ca.pem")
machine.wait_until_succeeds("ls /var/ssl/decl.example.org-key.pem")
machine.wait_until_succeeds("ls /var/ssl/decl.example.org-cert.pem")
machine.wait_until_succeeds("ls /var/ssl/imp.example.org-ca.pem")
machine.wait_until_succeeds("ls /var/ssl/imp.example.org-key.pem")
machine.wait_until_succeeds("ls /var/ssl/imp.example.org-cert.pem")
machine.wait_for_unit("nginx.service")
assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l'))
machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org")
machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org")
machine.succeed("curl --cacert /var/ssl/imp.example.org-ca.pem https://imp.example.org")
machine.succeed(
"curl --cacert /var/ssl/decl.example.org-ca.pem https://decl.example.org"
)
'';
};
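Review bot: The new tmpfiles rule in the third hunk, `"d /var/ssl 777 root root"`, creates the directory that now holds the private keys as world-writable and non-sticky, so any local user on the machine can unlink or replace `/var/ssl/*-key.pem` and `*-cert.pem` before nginx or curl reads them; the `mode = "0600"` on the key file does not protect against that, since deletion rights come from the directory. A test fixture is low-risk in itself, but these tests get copied as reference configurations, so the directory should be at least as restrictive as the files it holds, e.g. `systemd.tmpfiles.rules = [ "d /var/ssl 0750 root nginx" ];`. That presumes certmgr writes the files with root privileges, which the `owner = "nginx"` chown in the first two hunks suggests but the diff does not show — if it runs as a dedicated user, make that user the owner instead. The same directory is also where the `curl --cacert` calls in the last hunk read the CA from, so a writable directory would let the trust anchor be swapped as well.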

