nixpkgs mirror (for testing) github.com/NixOS/nixpkgs

nixos/step-ca: use `pathWith` for `intermediatePasswordFile`

This lets us remove an assertion, because `pathWith` can require that a
file not be in the store.

Note that the old assertion didn't quite do what we wanted: it prevented
you from using top level store paths (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates`), but was
ok with sub-files (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates/intermediate-password-file`).

Now that we're stricter, we need some way to populate
`intermediatePasswordFile` in our test without making the type unhappy.
I opted to solve that by creating a file in `/etc`.
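The difference the commit message describes between `lib.isStorePath` and `pathWith { inStore = false; }` can be checked directly with `nix eval`. The expression below is an added example, not code from the commit or from nixpkgs; it assumes `<nixpkgs>` on `NIX_PATH` points at a checkout recent enough to have `lib.types.pathWith`, and it reuses the two store paths quoted in the commit message as its inputs.

```nix
# Added example (not part of the commit). Save as check.nix and run:
#   nix eval -f ./check.nix
# Assumes <nixpkgs> resolves to a checkout that provides lib.types.pathWith.
let
  lib = import <nixpkgs/lib>;

  # Paths taken from the commit message.
  topLevel = "/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates";
  subFile = "${topLevel}/intermediate-password-file";
  # Non-store path, like the /etc file the updated test uses.
  outside = "/etc/password-file";

  # The option type the commit switches to.
  strict = lib.types.pathWith {
    inStore = false;
    absolute = true;
  };
in
{
  # Old assertion: `!lib.isStorePath path`. Only the top-level store path
  # trips it; a file inside a store path passes unnoticed.
  oldAssertion = {
    topLevel = !lib.isStorePath topLevel; # false: assertion fires (intended)
    subFile = !lib.isStorePath subFile;   # true: store file slips through
    outside = !lib.isStorePath outside;   # true
  };

  # New type check: anything under the store prefix is rejected, and the
  # value must be absolute.
  newType = {
    topLevel = strict.check topLevel;  # false
    subFile = strict.check subFile;    # false
    outside = strict.check outside;    # true
    relative = strict.check "keys/pw"; # false, because absolute = true
  };
}
```

The `oldAssertion.subFile` / `newType.subFile` pair is the case the commit message calls out: the old check let a password file that lives inside a store path through, while the type now rejects it at evaluation time.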

+6 -13
+4 -12
nixos/modules/services/security/step-ca.nix
··· 60 60 ''; 61 61 }; 62 62 intermediatePasswordFile = lib.mkOption { 63 - type = lib.types.path; 63 + type = lib.types.pathWith { 64 + inStore = false; 65 + absolute = true; 66 + }; 64 67 example = "/run/keys/smallstep-password"; 65 68 description = '' 66 69 Path to the file containing the password for the intermediate ··· 89 86 ); 90 87 in 91 88 { 92 - assertions = [ 93 - { 94 - assertion = !lib.isStorePath cfg.intermediatePasswordFile; 95 - message = '' 96 - <option>services.step-ca.intermediatePasswordFile</option> points to 97 - a file in the Nix store. You should use a quoted absolute path to 98 - prevent this. 99 - ''; 100 - } 101 - ]; 102 - 103 89 systemd.packages = [ cfg.package ]; 104 90 105 91 # configuration file indirection is needed to support reloading
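Review bot: with the `assertions` block removed, the option's `description` ("Path to the file containing the password for the intermediate ...") is the only place left that can tell users the file must not live in the Nix store; the deleted assertion message stated that explicitly, whereas a `pathWith` mismatch will only report the expected type. Suggest extending the description with a sentence such as "This file must not be in the Nix store, as the store is world-readable." The `example = "/run/keys/smallstep-password";` still satisfies both `inStore = false` and `absolute = true`, so it can stay as is.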
+2 -1
nixos/tests/step-ca.nix
··· 14 14 { 15 15 caserver = 16 16 { config, pkgs, ... }: { 17 + environment.etc.password-file.source = "${test-certificates}/intermediate-password-file"; 17 18 services.step-ca = { 18 19 enable = true; 19 20 address = "[::]"; 20 21 port = 8443; 21 22 openFirewall = true; 22 - intermediatePasswordFile = "${test-certificates}/intermediate-password-file"; 23 + intermediatePasswordFile = "/etc/${config.environment.etc.password-file.target}"; 23 24 settings = { 24 25 dnsNames = [ "caserver" ]; 25 26 root = "${test-certificates}/root_ca.crt";
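Review bot: `environment.etc.password-file.source = "${test-certificates}/intermediate-password-file";` makes `/etc/password-file` a symlink into the Nix store (the default for `environment.etc` entries), so the `inStore = false` check is satisfied by the path string while the secret itself still sits in the world-readable store. That is acceptable for a test fixture, and the commit message says it is only there to keep the type happy, but a one-line comment next to the `environment.etc` line saying so would stop the pattern being copied into a real configuration. Building the path from `config.environment.etc.password-file.target` rather than hard-coding `/etc/password-file` is fine; `target` defaults to the attribute name, so the two are equivalent here.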