authorLucas Savva <lucas@m1cr0man.com>2020-09-04 18:48:47 +0100
committerLucas Savva <lucas@m1cr0man.com>2020-09-04 19:34:10 +0100
commit67a5d660cbba42d4461cbc67296bb9e96fd9c74f (patch)
tree9f9de8723d4181282b330eb346cd546a17b223f8 /nixos/tests/acme.nix
parent1b6cfd9796788a3c5b8e8f27b49271f4a423c9a7 (diff)
nixos/acme: Run postRun script as root
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r--nixos/tests/acme.nix8
1 files changed, 8 insertions, 0 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 90ae06542c4c..223945907da9 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -79,8 +79,15 @@ in import ./make-test-python.nix ({ lib, ... }: {
# Cert config changes will not cause the nginx configuration to change.
# This tests that the reload service is correctly triggered.
+ # It also tests that postRun is exec'd as root
specialisation.cert-change.configuration = { pkgs, ... }: {
security.acme.certs."a.example.test".keyType = "ec384";
+ security.acme.certs."a.example.test".postRun = ''
+ set -euo pipefail
+ touch test
+ chown root:root test
+ echo testing > test
+ '';
};
# Now adding an alias to ensure that the certs are updated
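Review bot: The root check in the new `postRun` script is implicit: it relies on `chown root:root test` failing for an unprivileged caller and on `set -e` aborting before `echo testing > test`. Since the commit is about which identity the hook runs under, an explicit guard as the first command after `set -euo pipefail`, such as `[ "$(id -u)" -eq 0 ]`, would state the intent and fail for the right reason. The comment could also say how the check works, for example `# postRun must run as root: the chown below fails otherwise and the marker file is never written`. The script uses a relative path, so the test also depends on the hook's working directory being the certificate directory, which is worth one more comment line.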
@@ -283,6 +290,7 @@ in import ./make-test-python.nix ({ lib, ... }: {
switch_to(webserver, "cert-change")
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection_key_bits(client, "a.example.test", "384")
+ webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):
switch_to(webserver, "slow-startup")
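Review bot: The added `webserver.succeed("grep testing ...")` assertion only shows that the marker file exists with the expected content, not who owns it or that this activation wrote it. If the state directory ever keeps a `test` file from an earlier run, the grep would pass even when the hook failed; this is inferred, since nothing in the hunk clears the file. Checking ownership directly ties the test to what the commit title claims, for example `webserver.succeed('test "$(stat -c %U /var/lib/acme/a.example.test/test)" = root')`. The enclosing test script starts and ends outside this hunk.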