From e8927f2631084705318d97794334cb7ffe70aa1a Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Fri, 25 Nov 2022 14:03:43 +0300
Subject: [PATCH] nixos/tests/mastodon: remove CA service

---
 nixos/tests/web-apps/mastodon.nix | 66 ++++++------------------------
 1 file changed, 13 insertions(+), 53 deletions(-)

diff --git a/nixos/tests/web-apps/mastodon.nix b/nixos/tests/web-apps/mastodon.nix
index bc1122e7268f..528246a684a2 100644
--- a/nixos/tests/web-apps/mastodon.nix
+++ b/nixos/tests/web-apps/mastodon.nix
@@ -1,15 +1,12 @@
 import ../make-test-python.nix ({pkgs, ...}:
 let
-  test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
+  cert = pkgs: pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
+    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=mastodon.local' -days 36500
     mkdir -p $out
-    echo insecure-root-password > $out/root-password-file
-    echo insecure-intermediate-password > $out/intermediate-password-file
-    ${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca
-    ${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key
+    cp key.pem cert.pem $out
   '';
 
   hosts = ''
-    192.168.2.10 ca.local
     192.168.2.11 mastodon.local
   '';
 
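Review bot: The self-signed certificate generated by the added `openssl req` line carries only a Common Name (`-subj '/CN=mastodon.local'`) and no subjectAltName, so hostname verification depends on the deprecated CN fallback, which newer TLS clients no longer apply. Adding `-addext 'subjectAltName=DNS:mastodon.local'` to that command makes the certificate valid for strict verifiers without changing anything else in the test. The `cert = pkgs: ...` lambda also shadows the outer `pkgs` binding; since every call site passes the same module `pkgs`, a plain `cert = pkgs.runCommand ...` would read more simply, though the lambda is harmless. The private key ends up in the world-readable Nix store, which is fine for a throwaway test VM but deserves a short comment such as `# test-only self-signed cert; key is intentionally in the store`.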
@@ -19,42 +16,6 @@ in
   meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin turion ];
 
   nodes = {
-    ca = { pkgs, ... }: {
-      networking = {
-        interfaces.eth1 = {
-          ipv4.addresses = [
-            { address = "192.168.2.10"; prefixLength = 24; }
-          ];
-        };
-        extraHosts = hosts;
-      };
-      services.step-ca = {
-        enable = true;
-        address = "0.0.0.0";
-        port = 8443;
-        openFirewall = true;
-        intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
-        settings = {
-          dnsNames = [ "ca.local" ];
-          root = "${test-certificates}/root_ca.crt";
-          crt = "${test-certificates}/intermediate_ca.crt";
-          key = "${test-certificates}/intermediate_ca.key";
-          db = {
-            type = "badger";
-            dataSource = "/var/lib/step-ca/db";
-          };
-          authority = {
-            provisioners = [
-              {
-                type = "ACME";
-                name = "acme";
-              }
-            ];
-          };
-        };
-      };
-    };
-
     server = { pkgs, ... }: {
       virtualisation.memorySize = 2048;
 
@@ -70,12 +31,7 @@ in
       };
 
       security = {
-        acme = {
-          acceptTerms = true;
-          defaults.server = "https://ca.local:8443/acme/acme/directory";
-          defaults.email = "mastodon@mastodon.local";
-        };
-        pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
+        pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];
       };
 
       services.redis.servers.mastodon = {
@@ -107,6 +63,14 @@ in
         EMAIL_DOMAIN_ALLOWLIST = "example.com";
       };
     };
+
+    services.nginx = {
+      virtualHosts."mastodon.local" = {
+        enableACME = pkgs.lib.mkForce false;
+        sslCertificate = "${cert pkgs}/cert.pem";
+        sslCertificateKey = "${cert pkgs}/key.pem";
+      };
+    };
     };
 
     client = { pkgs, ... }: {
@@ -121,7 +85,7 @@ in
       };
 
       security = {
-        pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
+        pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];
       };
     };
   };
@@ -129,9 +93,6 @@ in
   testScript = ''
     start_all()
 
-    ca.wait_for_unit("step-ca.service")
-    ca.wait_for_open_port(8443)
-
     # Check that mastodon-media-auto-remove is scheduled
     server.succeed("systemctl status mastodon-media-auto-remove.timer")
 
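Review bot: The new `pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];` in the server's `security` block installs the leaf certificate itself as a system trust anchor, which only works because that certificate is self-signed and therefore its own issuer; the same line is repeated for the client node in the `@@ -121,7 +85,7 @@` hunk. That dependency is not stated anywhere, so a later switch to a CA-issued test certificate would silently break both nodes' trust configuration. A one-line comment next to each occurrence, e.g. `# self-signed leaf doubles as the trust anchor for the test VMs`, would make the assumption explicit.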
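Review bot: In the `@@ -107,6 +63,14 @@` hunk, `enableACME = pkgs.lib.mkForce false;` overrides a value that must be set elsewhere for the force to be needed, presumably by the Mastodon module's nginx integration given the ACME settings this patch removes, but nothing on the new lines says where it comes from. A comment such as `# the mastodon module enables ACME on this vhost; replace it with the self-signed test certificate` would let the next reader understand why a plain `false` is not enough. The key and certificate paths point into the Nix store, so the usual key-permission concerns do not apply here, but that is also worth noting in the same comment so nobody copies this pattern into a non-test module.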
@@ -169,7 +130,6 @@ in
     server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks remove 192.168.0.0/16'")
 
     client.succeed("curl --fail https://mastodon.local/about")
-    ca.shutdown()
     server.shutdown()
     client.shutdown()
   '';