treewide: bubblewrap nginx test

This commit is contained in:
Daniel Olsen 2024-04-11 23:19:41 +02:00
parent 9b4fbd847f
commit 0056029da7
2 changed files with 36 additions and 4 deletions


@ -65,7 +65,22 @@
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
overlays = [ overlays = [
(import ./overlays/nginx-test.nix) (import ./overlays/nginx-test.nix
# List of all the acme certs from all hosts
# Would be nice to dynamically get this per host
[
"ildkule.pvv.ntnu.no"
"git.pvv.ntnu.no"
"wiki.pvv.ntnu.no"
"webmail.pvv.ntnu.no"
"postgres.pvv.ntnu.no"
"idp.pvv.ntnu.no"
"matrix.pvv.ntnu.no"
"chat.pvv.ntnu.no"
"brzeczyszczykiewicz.pvv.ntnu.no"
"georg.pvv.ntnu.no"
]
)
] ++ config.overlays or [ ]; ] ++ config.overlays or [ ];
}; };
} }
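Review bot: The hostname list passed to the overlay is a hand-maintained copy of whatever `security.acme.certs` each host declares, and the comment above it only says it would be nice to derive it dynamically, not what happens when it drifts: as far as I can tell from the overlay, a vhost whose `ssl_certificate` points at a `/var/lib/acme/<name>/` that is not in this list gets no bind mount, so `nginx -t` cannot load the certificate and the build-time check fails with nothing pointing back to this list. I would state the contract next to the list: `# Every ACME cert a nginx vhost references must appear here; otherwise writeNginxConfig's nginx -t fails on the missing /var/lib/acme/<name>/*.pem files`. The `pkgs = import nixpkgs { … }` binding sits inside a larger expression whose start is outside this hunk.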


@ -1,11 +1,28 @@
final: prev: { acme-certs: final: prev:
let
lib = final.lib;
crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
in {
writers = prev.writers // { writers = prev.writers // {
writeNginxConfig = name: text: final.runCommandLocal name { writeNginxConfig = name: text: final.runCommandLocal name {
nginxConfig = prev.writers.writeNginxConfig name text; nginxConfig = prev.writers.writeNginxConfig name text;
nativeBuildInputs = [ final.nginx ]; nativeBuildInputs = [ final.bubblewrap ];
} '' } ''
ln -s "$nginxConfig" "$out" ln -s "$nginxConfig" "$out"
nginx -t -c "$out" set +o pipefail
bwrap \
--ro-bind "${crt}" "/etc/certs/nginx.crt" \
--ro-bind "${key}" "/etc/certs/nginx.key" \
--ro-bind "/nix" "/nix" \
--ro-bind "/etc/hosts" "/etc/hosts" \
--dir "/run/nginx" \
--dir "/tmp" \
--dir "/var/log/nginx" \
${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
''; '';
}; };
} }
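Review bot: The `|& grep "syntax is ok"` on the last line throws away nginx's own output and, with pipefail switched off two lines earlier, its exit status, so a failing config leaves the build log with a bare grep failure and none of the `[emerg]` lines that say what was wrong; `|& tee /dev/stderr | grep -q "syntax is ok"` keeps the diagnostics while preserving the verdict. The `set +o pipefail` should say why the exit status is being ignored, presumably because `nginx -t` in the build sandbox cannot bind its listen ports and reports `test failed` after the syntax verdict: `# nginx -t exits non-zero here (listen ports cannot be bound in the sandbox), so only the syntax verdict is checked`. The three `concatMapStrings` lines work only by accident: each bind after the first is emitted as `\--ro-bind`, which bash accepts because `\-` is just `-`, and with an empty `acme-certs` list the whitespace-only line ends the bwrap invocation right after `--dir "/var/log/nginx"`, leaving nginx to run on the next line outside bwrap; emitting one `--ro-bind … \` per cert with `lib.concatMapStringsSep "\n  "`, or collecting the binds in a shell array, removes both hazards. Note that bwrap is doing path virtualization here, not isolation — without `--unshare-all` nginx shares the builder's network namespace — which is fine for a syntax check but should not be mistaken for a sandbox boundary.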