authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2026-06-12 01:54:21 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2026-06-12 01:54:21 +0200
commitbbdf38018b47328b5faa2cef635c37095045be72 (patch)
tree8983817d547551ae12508a8ae8731b622d990af4 /tests/common/acme/default.nix
parentfeat(server): Make user stuff stateless (diff)
feat(server): Really make users stateless (with tests)
This commit also removes another load of unneeded features.
Diffstat (limited to 'tests/common/acme/default.nix')
-rw-r--r--tests/common/acme/default.nix47
1 files changed, 47 insertions, 0 deletions
diff --git a/tests/common/acme/default.nix b/tests/common/acme/default.nix
new file mode 100644
index 00000000..c756a4f1
--- /dev/null
+++ b/tests/common/acme/default.nix
@@ -0,0 +1,47 @@
+{pkgs}: let
+ add_pebble_ca_certs = pkgs.writeShellScript "fetch-and-set-ca" ''
+ set -xe
+
+ # Fetch the randomly generated ca certificate
+ curl https://acme.test:15000/roots/0 > /tmp/ca.crt
+ curl https://acme.test:15000/intermediates/0 >> /tmp/ca.crt
+
+ # Append it to the various system stores
+ # The file paths are from <nixpgks>/modules/security/ca.nix
+ for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
+ cert_path="/etc/$cert_path"
+
+ mv "$cert_path" "$cert_path.old"
+ cat "$cert_path.old" > "$cert_path"
+ cat /tmp/ca.crt >> "$cert_path"
+ done
+
+ export NIX_SSL_CERT_FILE=/tmp/ca.crt
+ export SSL_CERT_FILE=/tmp/ca.crt
+
+ # TODO
+ # # P11-Kit trust source.
+ # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
+ '';
+in {
+ prepare = clients: extra:
+ # The parens are needed for the syntax highlighting to work.
+ ( # python
+ ''
+ # Start dependencies for the other services
+ acme.start()
+ acme.wait_for_unit("pebble.service")
+ name_server.start()
+ name_server.wait_for_unit("nsd.service")
+
+ # Start actual test
+ start_all()
+
+ with subtest("Add pebble ca key to all services"):
+ for node in [name_server, ${builtins.concatStringsSep "," clients}]:
+ node.wait_until_succeeds("curl https://acme.test:15000/roots/0")
+ node.succeed("${add_pebble_ca_certs}")
+ ''
+ )
+ + extra;
+}
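Review bot: The two `curl` calls in `add_pebble_ca_certs` run without `--fail`, so an HTTP error response from the Pebble management endpoint still exits 0, passes `set -e`, and its body is what gets appended to each `/etc/...` trust bundle. Using `curl --fail --silent --show-error https://acme.test:15000/roots/0 > /tmp/ca.crt` (and the same flags for `/intermediates/0`) would stop the test at the fetch instead. The `wait_until_succeeds("curl https://acme.test:15000/roots/0")` probe in `prepare` has the same gap and would also report success on an error status. Separately, the two `export` lines only affect the script's own process, which ends right after them, so they appear to have no effect on later `node.succeed` calls; either drop them or add a comment such as `# only visible inside this script; services read the /etc bundles patched above`.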