Commit Graph

28 Commits

Author SHA1 Message Date
Jan Tojnar
8dc5ff7dcf
nixos/displayManager: deprecate separate options for default wm/dm
The upstream session files display managers use have no concept of sessions being composed from
desktop manager and window manager. To be able to set upstream session files as default
session, we need a single option. Having two different ways to set default session would be confusing,
though, so we decided to deprecate the old method.

We also created separate script for each session, just like we already had a separate desktop
file for each one, and started using displayManager.sessionPackages mechanism to make the
session handling more uniform.
2019-12-15 04:16:20 +01:00
Félix Baylac-Jacqué
781f0cf2ec nixos/tests/acme.nix: remove pebble custom endpoint patch
The recent custom endpoint addition allows us to directly point
certbot to the custom Pebble directory endpoint.

Thanks to that, we can ditch the Pebble patch we were using so far;
making this test maintenance easier.
2019-10-30 11:09:40 +01:00
Félix Baylac-Jacqué
0c0af28cd5 nixos/tests/letsencrypt: use Pebble instead of Boulder
Let's encrypt bumped ACME to V2. We need to update our nixos test to
be compatible with this new protocol version.

We decided to drop the Boulder ACME server in favor of the more
integration test friendly Pebble.

- overriding cacert not necessary
- this avoids rebuilding lots of packages needlessly
- nixos/tests/acme: use pebble's ca for client tests
- pebble always generates its own ca which has to be fetched

TODO: write proper commit msg :)
2019-10-23 21:17:17 +02:00
volth
46420bbaa3 treewide: name -> pname (easy cases) (#66585)
treewide replacement of

stdenv.mkDerivation rec {
  name = "*-${version}";
  version = "*";

to pname
2019-08-15 13:41:18 +01:00
aszlig
6fe989eaed
nixos/tests/acme: Use exact match in TOS location
Since the switch to check the nginx config with gixy in
59fac1a6d7, the ACME test doesn't build
anymore, because gixy reports the following false-positive (reindented):

  >> Problem: [alias_traversal] Path traversal via misconfigured alias.
  Severity: MEDIUM
  Description: Using alias in a prefixed location that doesn't ends with
               directory separator could lead to path traversal
               vulnerability.
  Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
  Pseudo config:

  server {
    server_name letsencrypt.org;

    location /documents/2017.11.15-LE-SA-v1.2.pdf {
      alias /nix/store/y4h5ryvnvxkajkmqxyxsk7qpv7bl3vq7-2017.11.15-LE-SA-v1.2.pdf;
    }
  }

The reason this is a false-positive is because the destination is not a
directory, so something like "/foo.pdf../other.txt" won't work here,
because the resulting path would be ".../destfile.pdf../other.txt".

Nevertheless it's a good idea to use the exact match operator (=), to
not only shut up gixy but also gain a bit of performance in lookup (not
that it would matter in our test).

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-06 12:51:56 +02:00
Vladimír Čunát
4c3ec0e325
nixos docs: run the formatting tool (no content change)
As documented in the docs themselves :-)
2019-03-22 14:44:11 +01:00
Antoine Eiche
ff31014687 nixos/tests/ec2: reuse ssh keys from ssh-keys.nix 2019-02-11 20:58:45 +01:00
Antoine Eiche
2858b35100 nova-image: use wget instead of cloud-init (via EC2 API)
The Openstack metadata service exposes the EC2 API. We use the
existing `ec2.nix` module to configure the hostname and ssh keys of an
Openstack Instance.

A test checks the ssh server is well configured.

This is mainly to reduce the size of the image (700MB). Also,
declarative features provided by cloud-init are not really useful
since we would prefer to use our `configuration.nix` file instead.
2019-01-28 11:59:18 +01:00
Léo Gaspard
0483ce0eee
rss2email module: init
Also adding `system-sendmail` package for sharing the code with other
modules or packages needing it.
2018-11-15 23:44:16 +09:00
Domen Kožar
6eacc17157
nixos tests: move common configuration into separate file
This allows tests outside nixos to use acme setup.
2018-09-24 20:07:33 +01:00
volth
92b3e8f147 fix build with allowAliases=false 2018-07-23 00:12:23 +00:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
aszlig
7b87554ca1
nixos/tests/letsencrypt: Hardcode certs and keys
In 0c7c1660f7 I have set allowSubstitutes
to false, which avoided the substitution of the certificates.

Unfortunately substitution may still happen later when the certificate
is merged with the CA bundle. So the merged CA bundle might be
substituted from a binary cache but the certificate itself is built
locally, which could result in a different certificate in the bundle.

So instead of adding just yet another workaround, I've now hardcoded all
the certificates and keys in a separate file. This also moves
letsencrypt.nix into its own directory so we don't mess up
nixos/tests/common too much.

This was long overdue and should finally make the dependency graph for
the ACME test more deterministic.

Signed-off-by: aszlig <aszlig@nix.build>
2018-07-12 02:32:46 +02:00
aszlig
c21b1ede95
nixos/tests/letsencrypt: Fix go source install
Since e95f17e272, Go packages no longer
contain the source tree, however Boulder seems to need that as it
generates a few files during build.

Ideally we would only pick the files that are needed and put it into a
separate output, but I currently don't have time for this so I'm marking
this with XXX to get back to it later.

Signed-off-by: aszlig <aszlig@nix.build>
2018-07-12 02:32:44 +02:00
Michael Raskin
b43c4d8b75
Merge pull request #42798 from flokli/users-users
tree-wide: users.extraUsers -> users.users, users.extraGroups -> users.groups
2018-07-02 11:23:10 +00:00
aszlig
0c7c1660f7
nixos/tests/letsencrypt: Don't substitute certs
If one of the certificates of the chain gets substituted from a binary
cache and the rest is generated locally it might turn out that we get
invalid certificates, which in turn cause tests using this module to
fail.

So let's set allowSubstitutes to false for all derivations that are
involved with certificate/key generation.

Signed-off-by: aszlig <aszlig@nix.build>
2018-06-30 18:35:10 +02:00
Florian Klink
89d5d191b4 nixos/tests: users.(extraUsers|extraGroup->users|group) 2018-06-30 02:31:30 +02:00
xeji
642bed4b3e
nixos/tests/acme: fix on i686, improve timing (#40410)
... to prevent non-deterministic failures
2018-05-13 19:59:59 +02:00
Sarah Brofeldt
df3706c47c nixos/tests/acme: use mail-test-srv tls certs from source 2018-03-08 22:50:26 +01:00
Sarah Brofeldt
bd35580860 nixos/tests/acme: go compat update, unvendor pkcs11 2018-03-08 22:50:26 +01:00
Franz Pletz
00056e76d0
nixos/tests/acme: update terms of service to fix test 2017-11-17 16:05:13 +01:00
aszlig
bda38317eb
nixos/tests/letsencrypt: Fix nginx options
The enableSSL option has been deprecated in
a912a6a291, so we switch to using onlySSL.

I've also explicitly disabled enableACME, because this is the default
and we don't actually want to have ACME enabled for a host which runs an
actual ACME server.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:40 +02:00
aszlig
b3162a1074
nixos/tests: Add common modules for letsencrypt
These modules implement a way to test ACME based on a test instance of
Letsencrypt's Boulder service. The service implementation is in
letsencrypt.nix and the second module (resolver.nix) is a support-module
for the former, but can also be used for tests not involving ACME.

The second module provides a DNS server which hosts a root zone
containing all the zones and /etc/hosts entries (except loopback) in the
entire test network, so this can be very useful for other modules that
need DNS resolution.

Originally, I wrote these modules for the Headcounter deployment, but
I've refactored them a bit to be generally useful to NixOS users. The
original implementation can be found here:

https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing

Quoting parts from the commit message of the initial implementation of
the Letsencrypt module in headcounter/deployment@95dfb31110:

    This module is going to be used for tests where we need to
    impersonate an ACME service such as the one from Letsencrypt within
    VM tests, which is the reason why this module is a bit ugly (I only
    care if it's working not if it's beautiful).

    While the module isn't used anywhere, it will serve as a pluggable
    module for testing whether ACME works properly to fetch certificates
    and also as a replacement for our snakeoil certificate generator.

Also quoting parts of the commit where I have refactored the same module
in headcounter/deployment@85fa481b34:

    Now we have a fully pluggable module which automatically discovers
    in which network it's used via the nodes attribute.

    The test environment of Boulder used "dns-test-srv", which is a fake
    DNS server that's resolving almost everything to 127.0.0.1. On our
    setup this is not useful, so instead we're now running a local BIND
    name server which has a fake root zone and uses the mentioned node
    attribute to automatically discover other zones in the network of
    machines and generate delegations from the root zone to the
    respective zones with the primaryIPAddress of the node.

    ...

    We want to use real letsencrypt.org FQDNs here, so we can't get away
    with the snakeoil test certificates from the upstream project but
    now roll our own.

    This not only has the benefit that we can easily pass the snakeoil
    certificate to other nodes, but we can (and do) also use it for an
    nginx proxy that's now serving HTTPS for the Boulder web front end.

The Headcounter deployment tests are simulating a production scenario
with real IPs and nameservers so it won't need to rely on
networking.extraHost. However in this implementation we don't
necessarily want to do that, so I've added auto-discovery of
networking.extraHosts in the resolver module.

Another change here is that the letsencrypt module now falls back to
using a local resolver, the Headcounter implementation on the other hand
always required to add an extra test node which serves as a resolver.

I could have squashed both modules into the final ACME test, but that
would make it not very reusable, so that's the main reason why I put
these modules in tests/common.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-09-13 23:16:33 +02:00
Eelco Dolstra
a42698d2a4 Add a regression test for #14623 2016-04-12 19:13:52 +02:00
Eelco Dolstra
15ffb9ad88 Remove fixed uid in tests 2015-05-13 16:23:57 +02:00
Eelco Dolstra
a323d146b7 Add user attribute isNormalUser
This is shorthand for setting group, createHome, home, useDefaultShell
and isSystemUser.
2014-08-15 02:16:04 +02:00
Domen Kožar
ee14f8da9a remove references to isSystemUser and fix eval of tested job 2014-02-08 21:10:00 +01:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00