
nixosTests.certmgr: fix systemd test

Nginx fails to start because it cannot read the certificate file. This
happens because PrivateTmp is set for the service, which makes the
system-wide /tmp inaccessible.

authored by

Fabian Möller and committed by
Jon
e83bd25a c58233a3

+17 -13
+17 -13
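--- a/nixos/tests/certmgr.nix
+++ b/nixos/tests/certmgr.nix
@@ -11,7 +11,7 @@
 file = {
 group = "nginx";
 owner = "nginx";
-path = "/tmp/${host}-ca.pem";
+path = "/var/ssl/${host}-ca.pem";
 };
 label = "www_ca";
 profile = "three-month";
@@ -20,13 +20,13 @@
 certificate = {
 group = "nginx";
 owner = "nginx";
-path = "/tmp/${host}-cert.pem";
+path = "/var/ssl/${host}-cert.pem";
 };
 private_key = {
 group = "nginx";
 mode = "0600";
 owner = "nginx";
-path = "/tmp/${host}-key.pem";
+path = "/var/ssl/${host}-key.pem";
 };
 request = {
 CN = host;
@@ -56,6 +56,8 @@
 
 services.cfssl.enable = true;
 systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ];
+
+systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ];
 
 systemd.services.cfssl-init = {
 description = "Initialize the cfssl CA";
@@ -87,8 +89,8 @@
 enable = true;
 virtualHosts = lib.mkMerge (map (host: {
 ${host} = {
-sslCertificate = "/tmp/${host}-cert.pem";
-sslCertificateKey = "/tmp/${host}-key.pem";
+sslCertificate = "/var/ssl/${host}-cert.pem";
+sslCertificateKey = "/var/ssl/${host}-key.pem";
 extraConfig = ''
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 '';
@@ -124,16 +126,18 @@
 };
 testScript = ''
 machine.wait_for_unit("cfssl.service")
-machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem")
-machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem")
-machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem")
-machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem")
-machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem")
-machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem")
+machine.wait_until_succeeds("ls /var/ssl/decl.example.org-ca.pem")
+machine.wait_until_succeeds("ls /var/ssl/decl.example.org-key.pem")
+machine.wait_until_succeeds("ls /var/ssl/decl.example.org-cert.pem")
+machine.wait_until_succeeds("ls /var/ssl/imp.example.org-ca.pem")
+machine.wait_until_succeeds("ls /var/ssl/imp.example.org-key.pem")
+machine.wait_until_succeeds("ls /var/ssl/imp.example.org-cert.pem")
 machine.wait_for_unit("nginx.service")
 assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l'))
-machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org")
-machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org")
+machine.succeed("curl --cacert /var/ssl/imp.example.org-ca.pem https://imp.example.org")
+machine.succeed(
+"curl --cacert /var/ssl/decl.example.org-ca.pem https://decl.example.org"
+)
 '';
 };
 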
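Review bot: The new tmpfiles rule `"d /var/ssl 777 root root"` creates the directory that holds the TLS private keys as world-writable without the sticky bit, so any local user can rename or replace the key and certificate files even though the key file itself is created with mode 0600. The files are declared with `owner = "nginx"` and `group = "nginx"`, so a directory owned by that account, `systemd.tmpfiles.rules = [ "d /var/ssl 750 nginx nginx" ];`, should be enough for both certmgr's writes and nginx's reads — this presumes certmgr writes as root or as nginx, which is not visible in this hunk and is worth confirming in the test. The file also gives no hint why /tmp was abandoned, so a one-line comment above the rule, `# Not /tmp: the service runs with PrivateTmp and cannot see the system-wide /tmp.`, would save the next reader a trip to the commit log.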