authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-06-07 16:59:49 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-06-07 16:59:49 +0200
commitb0ca235f33795d05a02601486b8e11a72501ff2c (patch)
treee9b9e4459920dc1f9f8c9395353c3808198f6a8f
parentpkgs/stalwart-mail-patched/spamfilter: Provide infrastructure to update it (diff)
tests/common/acme/default.nix: Inline the `acmeScripts`
There is just one script, and having it at an accessible entry point is
not useful, as the script itself needs to be wrapped.
Diffstat (limited to '')
-rw-r--r--tests/common/acme/default.nix27
-rw-r--r--tests/common/acme/scripts.nix30
2 files changed, 25 insertions, 32 deletions
diff --git a/tests/common/acme/default.nix b/tests/common/acme/default.nix
index 794a939..c756a4f 100644
--- a/tests/common/acme/default.nix
+++ b/tests/common/acme/default.nix
@@ -1,5 +1,28 @@
 {pkgs}: let
-  acme_scripts = import ./scripts.nix {inherit pkgs;};
+  add_pebble_ca_certs = pkgs.writeShellScript "fetch-and-set-ca" ''
+    set -xe
+
+    # Fetch the randomly generated ca certificate
+    curl https://acme.test:15000/roots/0 > /tmp/ca.crt
+    curl https://acme.test:15000/intermediates/0 >> /tmp/ca.crt
+
+    # Append it to the various system stores
+    # The file paths are from <nixpgks>/modules/security/ca.nix
+    for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
+      cert_path="/etc/$cert_path"
+
+      mv "$cert_path" "$cert_path.old"
+      cat "$cert_path.old" > "$cert_path"
+      cat /tmp/ca.crt >> "$cert_path"
+    done
+
+    export NIX_SSL_CERT_FILE=/tmp/ca.crt
+    export SSL_CERT_FILE=/tmp/ca.crt
+
+    # TODO
+    # # P11-Kit trust source.
+    # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
+  '';
 in {
   prepare = clients: extra:
   # The parens are needed for the syntax highlighting to work.
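Review bot: The two `curl` calls at the top of `add_pebble_ca_certs` run without `--fail`, so an HTTP error response from pebble still exits 0 and `set -e` does not stop the script; the error body would then land in `/tmp/ca.crt` and be appended to every bundle under `/etc`. I would write them as `curl --fail --silent --show-error https://acme.test:15000/roots/0 > /tmp/ca.crt`, and the same for `intermediates/0`. Separately, the `export NIX_SSL_CERT_FILE=/tmp/ca.crt` and `export SSL_CERT_FILE=/tmp/ca.crt` lines only affect this script's own process, which ends right after them, so they appear to have no effect on later `node.succeed` calls; either drop them or add a comment such as `# scoped to this script only; services rely on the /etc bundles`. The `<nixpgks>` typo in the path comment could be corrected to `<nixpkgs>` while the code is being moved.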
@@ -17,7 +40,7 @@ in {
         with subtest("Add pebble ca key to all services"):
           for node in [name_server, ${builtins.concatStringsSep "," clients}]:
             node.wait_until_succeeds("curl https://acme.test:15000/roots/0")
-            node.succeed("${acme_scripts.add_pebble_ca_certs}")
+            node.succeed("${add_pebble_ca_certs}")
       ''
     )
     + extra;
diff --git a/tests/common/acme/scripts.nix b/tests/common/acme/scripts.nix
deleted file mode 100644
index 4161ab8..0000000
--- a/tests/common/acme/scripts.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{pkgs}:
-/*
-* Extra functions useful for the test script.
-*/
-{
-  add_pebble_ca_certs = pkgs.writeShellScript "fetch-and-set-ca" ''
-    set -xe
-
-    # Fetch the randomly generated ca certificate
-    curl https://acme.test:15000/roots/0 > /tmp/ca.crt
-    curl https://acme.test:15000/intermediates/0 >> /tmp/ca.crt
-
-    # Append it to the various system stores
-    # The file paths are from <nixpgks>/modules/security/ca.nix
-    for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
-      cert_path="/etc/$cert_path"
-
-      mv "$cert_path" "$cert_path.old"
-      cat "$cert_path.old" > "$cert_path"
-      cat /tmp/ca.crt >> "$cert_path"
-    done
-
-    export NIX_SSL_CERT_FILE=/tmp/ca.crt
-    export SSL_CERT_FILE=/tmp/ca.crt
-
-    # TODO
-    # # P11-Kit trust source.
-    # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
-  '';
-}