authorLucas Savva <lucas@m1cr0man.com>2021-12-18 14:52:32 +0000
committerLucas Savva <lucas@m1cr0man.com>2021-12-26 16:49:59 +0000
commit65f1b8c6ae2f2cf6a13d77b98b42eba31eef0424 (patch)
tree652f77c0cd5bf2d652b49e4eb2f0ec09f917f6c5 /nixos
parent2dcc3daadf3718b3b0216d4cfbaab9040a9beffd (diff)
nixos/acme: Add test for lego's built-in web server
In the process I also found that the CapabilityBoundingSet was restricting the service from listening on port 80, and the AmbientCapabilities was ineffective. Fixed appropriately.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/acme.nix2
-rw-r--r--nixos/tests/acme.nix45
2 files changed, 32 insertions, 15 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 2b3a86f96fc7..e244989d6408 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -324,7 +324,7 @@ let
fi
'');
} // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {
- AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
# Working directory will be /tmp
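Review bot: Dropping AmbientCapabilities in favour of CapabilityBoundingSet only narrows which capabilities the unit may hold; it does not grant CAP_NET_BIND_SERVICE to a process running as a non-root user, so when useRoot is false the lego listener on a port below 1024 will presumably still fail to bind. Keep both settings in the optionalAttrs block: `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` so the bounding set permits the capability and the ambient set actually confers it. The test added in this commit sets useRoot = true, so it exercises only the root path and would not catch the non-root case. The enclosing let binding continues outside the hunk.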
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index a4ed8fa67bfe..4af2303ce832 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
@@ -203,7 +203,7 @@ in {
webserverBasicConfig
{
security.acme.certs."a.example.test".ocspMustStaple = true;
- services.nginx.virtualHosts."a.example.com" = {
+ services.nginx.virtualHosts."a.example.test" = {
extraConfig = ''
ssl_stapling on;
ssl_stapling_verify on;
@@ -224,7 +224,7 @@ in {
script = "${pkgs.python3}/bin/python -m http.server";
};
- services.nginx.virtualHosts."slow.example.com" = {
+ services.nginx.virtualHosts."slow.example.test" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:8000";
@@ -232,10 +232,24 @@ in {
}
];
- use-root.configuration = { ... }: lib.mkMerge [
+ # Test lego internal server (listenHTTP option)
+ # Also tests useRoot option
+ lego-server.configuration = { ... }: lib.mkMerge [
webserverBasicConfig
{
security.acme.useRoot = true;
+ security.acme.certs."lego.example.test" = {
+ listenHTTP = ":80";
+ group = "nginx";
+ };
+ services.nginx.virtualHosts."a.example.test" = {
+ onlySSL = true;
+ forceSSL = lib.mkForce false;
+ };
+ services.nginx.virtualHosts."lego.example.test" = {
+ useACMEHost = "lego.example.test";
+ onlySSL = true;
+ };
}
];
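Review bot: The lego-server configuration does not say why `a.example.test` is switched to onlySSL with forceSSL forced off, and a reader has to work out that this is what frees port 80 for the `listenHTTP = ":80"` listener so nginx and lego do not contend for the same socket. Suggest a comment on that virtualHost, `# Free port 80 for lego's listenHTTP server; nginx must not bind it`. The `group = "nginx"` line presumably exists so the nginx vhost using useACMEHost can read the certificate files; a short comment saying so would help too. The surrounding mkMerge list continues outside the hunk.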
@@ -402,7 +416,7 @@ in {
# Perform general tests first
switch_to(webserver, "general")
- with subtest("Can request certificate with HTTPS-01 challenge"):
+ with subtest("Can request certificate with HTTP-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
@@ -449,19 +463,22 @@ in {
webserver.wait_for_unit("acme-finished-a.example.test.target")
check_stapling(client, "a.example.test")
- with subtest("Can request certificate with HTTPS-01 when nginx startup is delayed"):
- webserver.execute("systemctl stop nginx")
- switch_to(webserver, "slow-startup")
- webserver.wait_for_unit("acme-finished-slow.example.com.target")
- check_issuer(webserver, "slow.example.com", "pebble")
+ with subtest("Can request certificate with HTTP-01 using lego's internal web server"):
+ switch_to(webserver, "lego-server")
+ webserver.wait_for_unit("acme-finished-lego.example.test.target")
webserver.wait_for_unit("nginx.service")
- check_connection(client, "slow.example.com")
+ webserver.succeed("echo HENLO && systemctl cat nginx.service")
+ webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
+ check_connection(client, "a.example.test")
+ check_connection(client, "lego.example.test")
- with subtest("Can set useRoot to true and still use certs normally"):
- switch_to(webserver, "use-root")
+ with subtest("Can request certificate with HTTP-01 when nginx startup is delayed"):
+ webserver.execute("systemctl stop nginx")
+ switch_to(webserver, "slow-startup")
+ webserver.wait_for_unit("acme-finished-slow.example.test.target")
+ check_issuer(webserver, "slow.example.test", "pebble")
webserver.wait_for_unit("nginx.service")
- webserver.succeed("test \"$(stat -c '%U' /var/lib/acme/* | uniq)\" = \"root\"")
- check_connection(client, "a.example.com")
+ check_connection(client, "slow.example.test")
domains = ["http", "dns", "wildcard"]
for server, logsrc in [
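Review bot: `webserver.succeed("echo HENLO && systemctl cat nginx.service")` in the lego-server subtest looks like a leftover debugging call; it asserts nothing and only dumps the unit file into the log, so it should be removed. The new subtest also never verifies who issued lego.example.test, unlike the other subtests; add `check_issuer(webserver, "lego.example.test", "pebble")` after the wait_for_unit call. The root-ownership stat check now runs only in this subtest, which is fine as long as lego-server remains the only configuration with useRoot = true. The test script continues outside the hunk.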