1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
{
nixos-lib,
pkgsUnstable,
nixpkgs-unstable,
vhackPackages,
pkgs,
extraModules,
nixLib,
...
}: let
mail_server = import ./nodes/mail_server.nix {inherit extraModules pkgs vhackPackages;};
inherit (mail_server) mkMailServer;
user = import ./nodes/user.nix {inherit pkgs vhackPackages;};
inherit (user) mkUser;
in
nixos-lib.runTest {
hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
name = "email-http";
node = {
specialArgs = {inherit pkgsUnstable vhackPackages nixpkgs-unstable nixLib;};
# Use the nixpkgs as constructed by the `nixpkgs.*` options
pkgs = null;
};
nodes = {
acme = {
nodes,
lib,
...
}: {
imports = [../../../common/acme];
networking.nameservers = lib.mkForce [
nodes.name_server.networking.primaryIPAddress
];
};
name_server = import ./nodes/name_server.nix {inherit extraModules;};
mail_server = mkMailServer "mail" null;
bob = mkUser "bob" "mail";
};
# TODO(@bpeetz): This test should also test the http JMAP features of stalwart-mail. <2025-04-12>
testScript = _:
/*
python
*/
''
# Start dependencies for the other services
acme.start()
acme.wait_for_unit("pebble.service")
name_server.start()
name_server.wait_for_unit("nsd.service")
# Start the actual testing machines
start_all()
mail_server.wait_for_unit("stalwart-mail.service")
mail_server.wait_for_open_port(993) # imap
mail_server.wait_for_open_port(465) # smtp
bob.wait_for_unit("multi-user.target")
with subtest("Add pebble ca key to all services"):
for node in [name_server, mail_server, bob]:
node.succeed("${pkgs.writeShellScript "fetch-and-set-ca" ''
set -xe
# Fetch the randomly generated ca certificate
curl https://acme.test:15000/roots/0 > /tmp/ca.crt
curl https://acme.test:15000/intermediates/0 >> /tmp/ca.crt
# Append it to the various system stores
# The file paths are from <nixpgks>/modules/security/ca.nix
for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
cert_path="/etc/$cert_path"
mv "$cert_path" "$cert_path.old"
cat "$cert_path.old" > "$cert_path"
cat /tmp/ca.crt >> "$cert_path"
done
export NIX_SSL_CERT_FILE=/tmp/ca.crt
export SSL_CERT_FILE=/tmp/ca.crt
# TODO
# # P11-Kit trust source.
# environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
''}")
with subtest("The mailserver successfully started all services"):
import json
def all_services_running(host):
(status, output) = host.systemctl("list-units --state=failed --plain --no-pager --output=json")
host_failed = json.loads(output)
assert len(host_failed) == 0, f"Expected zero failing services, but found: {json.dumps(host_failed, indent=4)}"
all_services_running(mail_server)
with subtest("Bob can use the self-service interface"):
bob.succeed("${pkgs.writeShellScript "check-self-service" ''
curl mail.server.com --location --output /home/bob/output.html;
''}")
bob.copy_from_vm("/home/bob", "")
'';
}
|
