authorLucas Savva <lucas@m1cr0man.com>2021-12-26 21:12:33 +0000
committerLucas Savva <lucas@m1cr0man.com>2021-12-26 21:12:40 +0000
commit46cd06eb9d2763c0b7adaa362e2d03a945b2645f (patch)
treea47c8978610855c0e45a25b210f6e60231416634 /nixos
parent65f1b8c6ae2f2cf6a13d77b98b42eba31eef0424 (diff)
nixos/acme: Add test for caddy
This test is technically broken since reloading caddy does not seem to load new certs. This needs to be fixed in caddy.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/tests/acme.nix79
1 files changed, 65 insertions, 14 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index 4af2303ce832..0dd7743c52b6 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -234,27 +234,60 @@ in {
# Test lego internal server (listenHTTP option)
# Also tests useRoot option
- lego-server.configuration = { ... }: lib.mkMerge [
- webserverBasicConfig
- {
- security.acme.useRoot = true;
- security.acme.certs."lego.example.test" = {
- listenHTTP = ":80";
- group = "nginx";
+ lego-server.configuration = { ... }: {
+ security.acme.useRoot = true;
+ security.acme.certs."lego.example.test" = {
+ listenHTTP = ":80";
+ group = "nginx";
+ };
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."lego.example.test" = {
+ useACMEHost = "lego.example.test";
+ onlySSL = true;
+ };
+ };
+
+ # Test compatiblity with Caddy
+ # It only supports useACMEHost, hence not using mkServerConfigs
+ } // (let
+ baseCaddyConfig = { nodes, config, ... }: {
+ security.acme = {
+ defaults = (dnsConfig nodes) // {
+ group = config.services.caddy.group;
};
- services.nginx.virtualHosts."a.example.test" = {
- onlySSL = true;
- forceSSL = lib.mkForce false;
+ # One manual wildcard cert
+ certs."example.test" = {
+ domain = "*.example.test";
};
- services.nginx.virtualHosts."lego.example.test" = {
- useACMEHost = "lego.example.test";
- onlySSL = true;
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts."a.exmaple.test" = {
+ useACMEHost = "example.test";
+ extraConfig = ''
+ root * ${documentRoot}
+ '';
+ };
+ };
+ };
+ in {
+ caddy.configuration = baseCaddyConfig;
+
+ # Test that the server reloads when only the acme configuration is changed.
+ "caddy-change-acme-conf".configuration = { nodes, config, ... }: lib.mkMerge [
+ (baseCaddyConfig {
+ inherit nodes config;
+ })
+ {
+ security.acme.certs."example.test" = {
+ keyType = "ec384";
};
}
];
# Test compatibility with Nginx
- } // (mkServerConfigs {
+ }) // (mkServerConfigs {
server = "nginx";
group = "nginx";
vhostBaseData = vhostBase;
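Review bot: The Caddy virtual host name on the `virtualHosts."a.exmaple.test"` line is misspelled, so it matches neither the hostname the test later connects to (`check_connection(client, "a.example.test")`) nor the `*.example.test` wildcard certificate the `useACMEHost = "example.test"` line points at; it should read `virtualHosts."a.example.test" = {`. As written Caddy would have no site block for the hostname the client actually uses, and a failure there could easily be mistaken for the reload problem described in the commit message rather than a configuration typo. The comment introducing this block also has a spelling slip and should read `# Test compatibility with Caddy`. The attribute set these node configurations belong to, and the `mkServerConfigs`/`dnsConfig` helpers referenced here, are defined outside this hunk.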
@@ -480,6 +513,24 @@ in {
webserver.wait_for_unit("nginx.service")
check_connection(client, "slow.example.test")
+ with subtest("Works with caddy"):
+ switch_to(webserver, "caddy")
+ webserver.wait_for_unit("acme-finished-example.test.target")
+ webserver.wait_for_unit("caddy.service")
+ # FIXME reloading caddy is not sufficient to load new certs.
+ # Restart it manually until this is fixed.
+ webserver.succeed("systemctl restart caddy.service")
+ check_connection(client, "a.example.test")
+
+ with subtest("security.acme changes reflect on caddy"):
+ switch_to(webserver, "caddy-change-acme-conf")
+ webserver.wait_for_unit("acme-finished-example.test.target")
+ webserver.wait_for_unit("caddy.service")
+ # FIXME reloading caddy is not sufficient to load new certs.
+ # Restart it manually until this is fixed.
+ webserver.succeed("systemctl restart caddy.service")
+ check_connection_key_bits(client, "a.example.test", "384")
+
domains = ["http", "dns", "wildcard"]
for server, logsrc in [
("nginx", "journalctl -n 30 -u nginx.service"),