diff --git a/hosts/metronom/default.nix b/hosts/metronom/default.nix index a1699f1..a6b523c 100644 --- a/hosts/metronom/default.nix +++ b/hosts/metronom/default.nix @@ -7,6 +7,7 @@ ./networking.nix ./wireguard.nix + ./email.nix #./backups.nix ]; } diff --git a/hosts/metronom/email.nix b/hosts/metronom/email.nix new file mode 100644 index 0000000..71f3798 --- /dev/null +++ b/hosts/metronom/email.nix 
@@ -0,0 +1,45 @@ +{ config, flake, ... }: { + age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age"; + age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age"; + age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age"; + age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age"; + age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age"; + age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age"; + age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age"; + + mailserver = { + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt' + loginAccounts = { + "admins@${config.pub-solar-os.networking.domain}" = { + hashedPasswordFile = config.age.secrets.mail-admins.path; + }; + "hakkonaut@${config.pub-solar-os.networking.domain}" = { + hashedPasswordFile = config.age.secrets.mail-hakkonaut.path; + }; + + "hensoko@pub.solar" = { + hashedPasswordFile = config.age.secrets.mail-hensoko.path; + quota = "2G"; + }; + "teutat3s@pub.solar" = { + hashedPasswordFile = config.age.secrets.mail-teutat3s.path; + quota = "2G"; + }; + "bot@pub.solar" = { + hashedPasswordFile = config.age.secrets.mail-bot.path; + quota = "2G"; + aliases = [ "hackernews-bot@pub.solar" ]; + }; + "crew@pub.solar" = { + hashedPasswordFile = config.age.secrets.mail-crew.path; + quota = "2G"; + aliases = [ "moderation@pub.solar" ]; + }; + "erpnext@pub.solar" = { + hashedPasswordFile = config.age.secrets.mail-erpnext.path; + quota = "2G"; + }; + }; + }; +} diff --git a/hosts/nachtigall/test-vm.nix b/hosts/nachtigall/test-vm.nix deleted file mode 100644 index ff0e4dc..0000000 --- a/hosts/nachtigall/test-vm.nix +++ /dev/null 
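Review bot: The login accounts in this new file mix two ways of naming the domain: `admins@` and `hakkonaut@` are built from `config.pub-solar-os.networking.domain`, while `hensoko@pub.solar`, `teutat3s@pub.solar`, `bot@pub.solar`, `crew@pub.solar`, `erpnext@pub.solar` and their aliases hard-code `pub.solar`. Since `modules/mail/default.nix` in this same commit sets `domains = [ config.pub-solar-os.networking.domain ]`, the hard-coded accounts fall outside the served domain list on any host where that option is not `pub.solar`; presumably it is on metronom, but the mismatch is easy to trip over later. I would derive all of them from the option, e.g. `"hensoko@${config.pub-solar-os.networking.domain}" = {` and `aliases = [ "hackernews-bot@${config.pub-solar-os.networking.domain}" ];`.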
@@ -1,53 +0,0 @@ -{ flake, lib, ... }: - -{ - imports = [ - ./backups.nix - ./apps/nginx.nix - - ./apps/collabora.nix - ./apps/coturn.nix - ./apps/forgejo.nix - ./apps/keycloak.nix - ./apps/mailman.nix - ./apps/mastodon.nix - ./apps/mediawiki.nix - ./apps/nextcloud.nix - ./apps/nginx-mastodon.nix - ./apps/nginx-mastodon-files.nix - ./apps/nginx-prometheus-exporters.nix - ./apps/nginx-website.nix - ./apps/nginx-website-miom.nix - ./apps/opensearch.nix - ./apps/owncast.nix - ./apps/postgresql.nix - ./apps/prometheus-exporters.nix - ./apps/promtail.nix - ./apps/searx.nix - ./apps/tmate.nix - - ./apps/matrix/irc.nix - ./apps/matrix/mautrix-telegram.nix - ./apps/matrix/synapse.nix - ./apps/nginx-matrix.nix - ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - - security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - security.acme.preliminarySelfsigned = true; - - networking.useDHCP = true; - networking.interfaces."enp35s0".ipv4.addresses = [ - { - address = "10.0.0.1"; - prefixLength = 26; - } - ]; - networking.interfaces."enp35s0".ipv6.addresses = [ - { - address = "2a01:4f8:172:1c25::1"; - prefixLength = 64; - } - ]; -} diff --git a/modules/mail/default.nix b/modules/mail/default.nix index 9b28816..cfbfe87 100644 --- a/modules/mail/default.nix +++ b/modules/mail/default.nix 
@@ -1,62 +1,28 @@ -{ config, flake, ... }: - -{ - age.secrets.mail-hensoko.file = "${flake.self}/secrets/mail/hensoko.age"; - age.secrets.mail-teutat3s.file = "${flake.self}/secrets/mail/teutat3s.age"; - age.secrets.mail-admins.file = "${flake.self}/secrets/mail/admins.age"; - age.secrets.mail-bot.file = "${flake.self}/secrets/mail/bot.age"; - age.secrets.mail-crew.file = "${flake.self}/secrets/mail/crew.age"; - age.secrets.mail-erpnext.file = "${flake.self}/secrets/mail/erpnext.age"; - age.secrets.mail-hakkonaut.file = "${flake.self}/secrets/mail/hakkonaut.age"; - +{ config, ... }: { mailserver = { enable = true; - fqdn = "mail.pub.solar"; - domains = [ "pub.solar" ]; + fqdn = "mail.${config.pub-solar-os.networking.domain}"; + domains = [ config.pub-solar-os.networking.domain ]; # A list of all login accounts. To create the password hashes, use # nix-shell -p mkpasswd --run 'mkpasswd -R11 -m bcrypt' loginAccounts = { - "hensoko@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-hensoko.path; - quota = "2G"; - }; - "teutat3s@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-teutat3s.path; - quota = "2G"; - }; - "admins@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-admins.path; + "admins@${config.pub-solar-os.networking.domain}" = { quota = "2G"; aliases = [ - "abuse@pub.solar" - "alerts@pub.solar" - "forgejo@pub.solar" - "keycloak@pub.solar" - "mastodon-notifications@pub.solar" - "matrix@pub.solar" - "postmaster@pub.solar" - "nextcloud@pub.solar" - "no-reply@pub.solar" - "security@pub.solar" + "abuse@${config.pub-solar-os.networking.domain}" + "alerts@${config.pub-solar-os.networking.domain}" + "forgejo@${config.pub-solar-os.networking.domain}" + "keycloak@${config.pub-solar-os.networking.domain}" + "mastodon-notifications@${config.pub-solar-os.networking.domain}" + "matrix@${config.pub-solar-os.networking.domain}" + "postmaster@${config.pub-solar-os.networking.domain}" + "nextcloud@${config.pub-solar-os.networking.domain}" + 
"no-reply@${config.pub-solar-os.networking.domain}" + "security@${config.pub-solar-os.networking.domain}" ]; }; - "bot@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-bot.path; - quota = "2G"; - aliases = [ "hackernews-bot@pub.solar" ]; - }; - "crew@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-crew.path; - quota = "2G"; - aliases = [ "moderation@pub.solar" ]; - }; - "erpnext@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-erpnext.path; - quota = "2G"; - }; - "hakkonaut@pub.solar" = { - hashedPasswordFile = config.age.secrets.mail-hakkonaut.path; + "hakkonaut@${config.pub-solar-os.networking.domain}" = { quota = "2G"; }; }; @@ -66,5 +32,5 @@ certificateScheme = "acme-nginx"; }; security.acme.acceptTerms = true; - security.acme.defaults.email = "security@pub.solar"; + security.acme.defaults.email = "security@${config.pub-solar-os.networking.domain}"; } diff --git a/tests/keycloak.nix b/tests/keycloak.nix index 815d975..b189391 100644 --- a/tests/keycloak.nix +++ b/tests/keycloak.nix @@ -1,5 +1,6 @@ { self, + system, pkgs, lib, config, @@ -20,21 +21,10 @@ in node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs; nodes = { - acme-server = { - imports = [ - self.nixosModules.home-manager - self.nixosModules.core - ./support/ca.nix - ]; - }; - - client = { - imports = [ - self.nixosModules.home-manager - self.nixosModules.core - ./support/client.nix - ]; - }; + dns-server.imports = [ ./support/dns-server.nix ]; + acme-server.imports = [ ./support/acme-server.nix ]; + mail-server.imports = [ ./support/mail-server.nix ]; + client.imports = [ ./support/client.nix ]; nachtigall = { imports = [ 
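Review bot: `admins@` and `hakkonaut@` in `loginAccounts` no longer carry a `hashedPasswordFile`; the module now depends on every importer (here `hosts/metronom/email.nix` and `tests/support/mail-server.nix`) merging one in, and nothing in this file says so. A host that imports the mail module without defining those two entries would, as far as I can tell, end up with accounts that have no credential source, which is at best an evaluation error and at worst a login that silently fails. I would add a comment above `loginAccounts`, e.g. `# hashedPasswordFile for these accounts must be provided by the importing host (see hosts/metronom/email.nix).`, or an assertion that both entries end up with a non-null `hashedPasswordFile`.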
@@ -57,63 +47,30 @@ in database-password-file = "/tmp/dbf"; }; services.keycloak.database.createLocally = true; - - networking.interfaces.eth0.ipv4.addresses = [ - { - address = "192.168.1.3"; - prefixLength = 32; - } - ]; + services.keycloak.initialAdminPassword = "password"; }; }; - testScript = - { ... }: '' + testScript = { ... }: '' def puppeteer_run(cmd): client.succeed(f'puppeteer-run \'{cmd}\' ') start_all() + acme_server.wait_for_unit("system.slice") + mail_server.wait_for_unit("dovecot2.service") + mail_server.wait_for_unit("postfix.service") nachtigall.wait_for_unit("system.slice") nachtigall.succeed("ping 127.0.0.1 -c 2") nachtigall.wait_for_unit("nginx.service") - nachtigall.systemctl("stop keycloak.service") - nachtigall.wait_until_succeeds("if (($(ps aux | grep 'Dkc.home.dir=/run/keycloak' | grep -v grep | wc -l) == 0)); then true; else false; fi") - nachtigall.succeed("${pkgs.keycloak}/bin/kc.sh --verbose import --optimized --file=${realm-export}") - nachtigall.systemctl("start keycloak.service") - nachtigall.sleep(30) nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/") nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/") + nachtigall.succeed("${pkgs.keycloak}/bin/kcadm.sh create realms -f ${realm-export} --server http://localhost:8080 --realm master --user admin --password password --no-config") client.wait_for_unit("system.slice") client.wait_for_file("/tmp/puppeteer.sock") - puppeteer_run('page.goto("https://auth.test.pub.solar/admin/master/console")') - puppeteer_run('page.waitForNetworkIdle()') - client.screenshot("admin-initial") - puppeteer_run('page.locator("[name=username]").fill("admin")') - puppeteer_run('page.locator("::-p-text(Sign In)").click()') - puppeteer_run('page.waitForNetworkIdle()') - client.screenshot("admin-password") - puppeteer_run('page.locator("[name=password]").fill("password")') - puppeteer_run('page.locator("::-p-text(Sign In)").click()') - puppeteer_run('page.waitForNetworkIdle()') - 
client.screenshot("admin-login") - puppeteer_run('page.locator("::-p-text(Realm settings)").click()') - puppeteer_run('page.waitForNetworkIdle()') - client.screenshot("admin-theme") - puppeteer_run('page.locator("::-p-text(Themes)").click()') - puppeteer_run('page.waitForNetworkIdle()') - puppeteer_run('page.locator("#kc-login-theme").click()') - client.screenshot("admin-theme-changed") - puppeteer_run('page.locator("li button::-p-text(pub.solar)").click()') - puppeteer_run('page.locator("::-p-text(Save)").click()') - puppeteer_run('page.waitForNetworkIdle()') - client.screenshot("admin-theme-saved") - - - puppeteer_run('page.goto("https://auth.test.pub.solar")') puppeteer_run('page.waitForNetworkIdle()') client.screenshot("initial") diff --git a/tests/support/ca.nix b/tests/support/acme-server.nix similarity index 86% rename from tests/support/ca.nix rename to tests/support/acme-server.nix index 632c610..2ff408a 100644 --- a/tests/support/ca.nix +++ b/tests/support/acme-server.nix @@ -1,21 +1,19 @@ { + flake, pkgs, lib, config, ... }: { - imports = [ ./global.nix ]; + imports = [ + flake.self.nixosModules.home-manager + flake.self.nixosModules.core + ./global.nix + ]; systemd.tmpfiles.rules = [ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password" ]; - networking.interfaces.eth0.ipv4.addresses = [ - { - address = "192.168.1.1"; - prefixLength = 32; - } - ]; - services.step-ca = let certificates = pkgs.stdenv.mkDerivation { diff --git a/tests/support/client.nix b/tests/support/client.nix index 43ad235..ddc8457 100644 --- a/tests/support/client.nix +++ b/tests/support/client.nix @@ -1,4 +1,5 @@ { + flake, pkgs, lib, config, @@ -9,7 +10,11 @@ let puppeteer-run = (pkgs.callPackage (import ./puppeteer-socket/puppeteer-run.nix) { }); in { - imports = [ ./global.nix ]; + imports = [ + flake.self.nixosModules.home-manager + flake.self.nixosModules.core + ./global.nix + ]; security.polkit.enable = true; 
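Review bot: The `kcadm.sh create realms` call runs under `nachtigall.succeed(...)` right after `wait_until_succeeds("curl http://127.0.0.1:8080/")`, but an HTTP answer on the root URL does not show that the master realm and the admin user are ready, so the import can fail once on a slow boot where the removed `sleep(30)` used to hide that; `nachtigall.wait_until_succeeds("${pkgs.keycloak}/bin/kcadm.sh create realms ...")` would retry until the admin API accepts the request. The literal `password` now appears twice, in `services.keycloak.initialAdminPassword = "password";` and in `--user admin --password password`; one `let` binding shared by both lines would keep them from drifting apart. The `testScript` string continues past the end of this hunk.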
@@ -41,11 +46,4 @@ in }; }; }; - - networking.interfaces.eth0.ipv4.addresses = [ - { - address = "192.168.1.2"; - prefixLength = 32; - } - ]; } diff --git a/tests/support/dns-server.nix b/tests/support/dns-server.nix new file mode 100644 index 0000000..c4a4abc --- /dev/null +++ b/tests/support/dns-server.nix @@ -0,0 +1,70 @@ +{ + config, + flake, + lib, + ... +}: { + imports = [ + flake.self.nixosModules.home-manager + flake.self.nixosModules.core + ./global.nix + ]; + + networking.nameservers = lib.mkForce [ + "193.110.81.0" #dns0.eu + "2a0f:fc80::" #dns0.eu + "185.253.5.0" #dns0.eu + "2a0f:fc81::" #dns0.eu + ]; + + services.resolved.enable = lib.mkForce false; + + networking.firewall.allowedUDPPorts = [53]; + networking.firewall.allowedTCPPorts = [53]; + + networking.interfaces.eth1.ipv4.addresses = [ + { + address = "192.168.1.254"; + prefixLength = 32; + } + ]; + + services.unbound = { + enable = true; + settings = { + server = { + interface = [ + "192.168.1.254" + ]; + access-control = [ + "0.0.0.0/0 allow" + ]; + local-zone = [ + "\"pub.solar\" transparent" + ]; + local-data = [ + "\"mail.${config.pub-solar-os.networking.domain}. 10800 IN CNAME mail-server\"" + "\"ca.${config.pub-solar-os.networking.domain}. 10800 IN CNAME acme-server\"" + "\"${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\"" + "\"www.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\"" + "\"auth.${config.pub-solar-os.networking.domain}. 10800 IN CNAME nachtigall\"" + ]; + + tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt"; + }; + + forward-zone = [ + { + name = "."; + forward-addr = [ + "193.110.81.0#dns0.eu" + "2a0f:fc80::#dns0.eu" + "185.253.5.0#dns0.eu" + "2a0f:fc81::#dns0.eu" + ]; + forward-tls-upstream = "yes"; + } + ]; + }; + }; +} diff --git a/tests/support/global.nix b/tests/support/global.nix index f5e68c9..8736b4e 100644 --- a/tests/support/global.nix +++ b/tests/support/global.nix 
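Review bot: `access-control = [ "0.0.0.0/0 allow" ]` in the new `tests/support/dns-server.nix` makes unbound answer recursive queries from any source address, i.e. an open resolver; the node is only reachable inside the test network, but nothing needs more than that network, and the same file already pins the listener to `192.168.1.254`. If all test nodes sit on `192.168.1.0/24`, as the `eth1` address suggests, `access-control = [ "192.168.1.0/24 allow" ];` is enough. Separately, `local-zone` hard-codes `"\"pub.solar\" transparent"` while every `local-data` record is built from `config.pub-solar-os.networking.domain`; `"\"${config.pub-solar-os.networking.domain}\" transparent"` keeps the two from diverging. The `forward-zone` towards dns0.eu can only work if the test VM has outbound network access, which I cannot confirm from this diff; if it does not, queries for names outside `local-data` will simply time out.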
@@ -23,28 +23,13 @@ security.pam.services.sshd.allowNullPassword = true; - virtualisation.forwardPorts = - let - address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address; - lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3; - in - [ - { - from = "host"; - host.port = 2000 + (lib.strings.toInt lastAddressPart); - guest.port = 22; - } - ]; + services.resolved.extraConfig = lib.mkForce '' + DNS=192.168.1.254 + Domains=~. + ''; - networking.interfaces.eth0.useDHCP = false; - - networking.hosts = { - "192.168.1.1" = [ "ca.${config.pub-solar-os.networking.domain}" ]; - "192.168.1.2" = [ "client.${config.pub-solar-os.networking.domain}" ]; - "192.168.1.3" = [ - "${config.pub-solar-os.networking.domain}" - "www.${config.pub-solar-os.networking.domain}" - "auth.${config.pub-solar-os.networking.domain}" - ]; - }; + environment.systemPackages = [ + pkgs.dig + ]; } + diff --git a/tests/support/keycloak-realm-export/README.md b/tests/support/keycloak-realm-export/README.md index 3edceaa..c3f71f7 100644 --- a/tests/support/keycloak-realm-export/README.md +++ b/tests/support/keycloak-realm-export/README.md @@ -2,4 +2,4 @@ 1. Export realm settings from keycloak, you'll get a file called `realm-export.json`. 2. Install dependencies for this package: `npm ci` -3. Clean the exported file: `npm start $downloadedExportJSON > realm-export.json +3. Clean the exported file: `node src/index.mjs $downloadedExportJSON > realm-export.json diff --git a/tests/support/keycloak-realm-export/realm-export.json b/tests/support/keycloak-realm-export/realm-export.json index aa76b76..63fd58c 100644 --- a/tests/support/keycloak-realm-export/realm-export.json +++ b/tests/support/keycloak-realm-export/realm-export.json @@ -1,6 +1,6 @@ { "id": "8cd6ddbb-d0d3-40ff-9f1e-efdfce05fa6e", - "realm": "test.test.pub.solar", + "realm": "test.pub.solar", "notBefore": 0, "defaultSignatureAlgorithm": "RS256", "revokeRefreshToken": false, 
@@ -57,7 +57,7 @@ }, { "id": "2e271b49-ed2b-4dc0-a578-47e7571a2934", - "name": "default-roles-test.test.pub.solar", + "name": "default-roles-test.pub.solar", "description": "${role_default-roles}", "composite": true, "composites": { @@ -434,7 +434,7 @@ "groups": [], "defaultRole": { "id": "2e271b49-ed2b-4dc0-a578-47e7571a2934", - "name": "default-roles-test.test.pub.solar", + "name": "default-roles-test.pub.solar", "description": "${role_default-roles}", "composite": true, "clientRole": false, @@ -494,7 +494,7 @@ "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": [ - "default-roles-test.test.pub.solar" + "default-roles-test.pub.solar" ], "clientRoles": { "realm-management": [ @@ -533,7 +533,7 @@ "disableableCredentialTypes": [], "requiredActions": [], "realmRoles": [ - "default-roles-test.test.pub.solar" + "default-roles-test.pub.solar" ], "clientRoles": { "matrix": [ @@ -571,13 +571,13 @@ "description": "", "rootUrl": "${authBaseUrl}", "adminUrl": "", - "baseUrl": "/realms/test.test.pub.solar/account/", + "baseUrl": "/realms/test.pub.solar/account/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "/realms/test.test.pub.solar/account/*" + "/realms/test.pub.solar/account/*" ], "webOrigins": [], "notBefore": 0, @@ -628,13 +628,13 @@ "description": "", "rootUrl": "${authBaseUrl}", "adminUrl": "", - "baseUrl": "/realms/test.test.pub.solar/account/", + "baseUrl": "/realms/test.pub.solar/account/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "/realms/test.test.pub.solar/account/*" + "/realms/test.pub.solar/account/*" ], "webOrigins": [], "notBefore": 0, 
@@ -829,19 +829,19 @@ "clientId": "gitea", "name": "", "description": "", - "rootUrl": "https://git.test.test.pub.solar", - "adminUrl": "https://git.test.test.pub.solar", - "baseUrl": "https://git.test.test.pub.solar", + "rootUrl": "https://git.test.pub.solar", + "adminUrl": "https://git.test.pub.solar", + "baseUrl": "https://git.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://git.test.test.pub.solar/*" + "https://git.test.pub.solar/*" ], "webOrigins": [ - "https://git.test.test.pub.solar" + "https://git.test.pub.solar" ], "notBefore": 0, "bearerOnly": false, @@ -889,9 +889,9 @@ "id": "b016fab5-bced-404a-93ba-c084d360701f", "clientId": "grafana", "name": "", - "description": "https://grafana.test.test.pub.solar", - "rootUrl": "https://grafana.test.test.pub.solar", - "adminUrl": "https://grafana.test.test.pub.solar", + "description": "https://grafana.test.pub.solar", + "rootUrl": "https://grafana.test.pub.solar", + "adminUrl": "https://grafana.test.pub.solar", "baseUrl": "/login/generic_oauth", "surrogateAuthRequired": false, "enabled": true, @@ -899,10 +899,10 @@ "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://grafana.test.test.pub.solar/login/generic_oauth" + "https://grafana.test.pub.solar/login/generic_oauth" ], "webOrigins": [ - "https://grafana.test.test.pub.solar" + "https://grafana.test.pub.solar" ], "notBefore": 0, "bearerOnly": false, @@ -945,9 +945,9 @@ "clientId": "mastodon", "name": "mastodon", "description": "", - "rootUrl": "https://mastodon.test.test.pub.solar", + "rootUrl": "https://mastodon.test.pub.solar", "adminUrl": "", - "baseUrl": "https://mastodon.test.test.pub.solar", + "baseUrl": "https://mastodon.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, 
@@ -955,10 +955,10 @@ "secret": "secret", "redirectUris": [ "", - "https://mastodon.test.test.pub.solar/auth/auth/openid_connect/callback" + "https://mastodon.test.pub.solar/auth/auth/openid_connect/callback" ], "webOrigins": [ - "https://mastodon.test.test.pub.solar/auth/openid_connect/callback" + "https://mastodon.test.pub.solar/auth/openid_connect/callback" ], "notBefore": 0, "bearerOnly": false, @@ -1006,17 +1006,17 @@ "clientId": "matrix", "name": "", "description": "", - "rootUrl": "https://chat.test.test.pub.solar", + "rootUrl": "https://chat.test.pub.solar", "adminUrl": "", - "baseUrl": "https://chat.test.test.pub.solar", + "baseUrl": "https://chat.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://matrix.test.test.pub.solar/_synapse/client/oidc/callback", - "https://matrix.test.test.test.pub.solar/_synapse/client/oidc/callback" + "https://matrix.test.pub.solar/_synapse/client/oidc/callback", + "https://matrix.test.test.pub.solar/_synapse/client/oidc/callback" ], "webOrigins": [], "notBefore": 0, @@ -1038,7 +1038,7 @@ "tls-client-certificate-bound-access-tokens": "false", "oidc.ciba.grant.enabled": "false", "backchannel.logout.session.required": "true", - "backchannel.logout.url": "https://chat.test.test.pub.solar/_synapse/client/oidc/backchannel_logout", + "backchannel.logout.url": "https://chat.test.pub.solar/_synapse/client/oidc/backchannel_logout", "client_credentials.use_refresh_token": "false", "acr.loa.map": "{}", "require.pushed.authorization.requests": "false", 
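Review bot: The matrix client still registers a second redirect URI, `"https://matrix.test.test.pub.solar/_synapse/client/oidc/callback"`, next to the rewritten `matrix.test.pub.solar` one; it looks like the source export already contains a `matrix.test.pub.solar` entry that the domain rename prefixes a second time. Every registered redirect URI is a destination Keycloak will send authorization codes to for this client, so a leftover pointing at a host the test DNS does not define is worth either dropping in the cleaning script or documenting as intentional. No other client in this file shows the same pattern, which suggests a fixture artefact rather than a deliberate test case.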
@@ -1111,9 +1111,9 @@ "clientId": "matrix-authentication-service", "name": "", "description": "Used for our hosted https://github.com/matrix-org/matrix-authentication-service", - "rootUrl": "https://matrix.test.test.pub.solar/", - "adminUrl": "https://matrix.test.test.pub.solar/", - "baseUrl": "https://matrix.test.test.pub.solar/", + "rootUrl": "https://matrix.test.pub.solar/", + "adminUrl": "https://matrix.test.pub.solar/", + "baseUrl": "https://matrix.test.pub.solar/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, @@ -1166,19 +1166,19 @@ "clientId": "mediawiki", "name": "", "description": "", - "rootUrl": "https://wiki.test.test.pub.solar", - "adminUrl": "https://wiki.test.test.pub.solar", - "baseUrl": "https://wiki.test.test.pub.solar", + "rootUrl": "https://wiki.test.pub.solar", + "adminUrl": "https://wiki.test.pub.solar", + "baseUrl": "https://wiki.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://wiki.test.test.pub.solar/*" + "https://wiki.test.pub.solar/*" ], "webOrigins": [ - "https://wiki.test.test.pub.solar" + "https://wiki.test.pub.solar" ], "notBefore": 0, "bearerOnly": false, 
@@ -1221,19 +1221,19 @@ "clientId": "nextcloud", "name": "", "description": "", - "rootUrl": "https://cloud.test.test.pub.solar", - "adminUrl": "https://cloud.test.test.pub.solar", - "baseUrl": "https://cloud.test.test.pub.solar", + "rootUrl": "https://cloud.test.pub.solar", + "adminUrl": "https://cloud.test.pub.solar", + "baseUrl": "https://cloud.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://cloud.test.test.pub.solar/apps/user_oidc/code" + "https://cloud.test.pub.solar/apps/user_oidc/code" ], "webOrigins": [ - "https://cloud.test.test.pub.solar" + "https://cloud.test.pub.solar" ], "notBefore": 0, "bearerOnly": false, @@ -1247,14 +1247,14 @@ "protocol": "openid-connect", "attributes": { "client.secret.creation.time": 1724762383467, - "post.logout.redirect.uris": "https://cloud.test.test.pub.solar##https://cloud.test.test.pub.solar/##https://cloud.test.test.pub.solar/*", + "post.logout.redirect.uris": "https://cloud.test.pub.solar##https://cloud.test.pub.solar/##https://cloud.test.pub.solar/*", "oauth2.device.authorization.grant.enabled": "false", "backchannel.logout.revoke.offline.tokens": "false", "use.refresh.tokens": "true", "tls-client-certificate-bound-access-tokens": "false", "oidc.ciba.grant.enabled": "false", "backchannel.logout.session.required": "true", - "backchannel.logout.url": "https://cloud.test.test.pub.solar/apps/user_oidc/backchannel-logout/test.test.pub.solar%20ID", + "backchannel.logout.url": "https://cloud.test.pub.solar/apps/user_oidc/backchannel-logout/test.pub.solar%20ID", "client_credentials.use_refresh_token": "false", "require.pushed.authorization.requests": "false", "acr.loa.map": "{}", 
@@ -1283,16 +1283,16 @@ "clientId": "openbikesensor-portal", "name": "", "description": "", - "rootUrl": "https://obs-portal.test.test.pub.solar", + "rootUrl": "https://obs-portal.test.pub.solar", "adminUrl": "", - "baseUrl": "https://obs-portal.test.test.pub.solar", + "baseUrl": "https://obs-portal.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://obs-portal.test.test.pub.solar/*" + "https://obs-portal.test.pub.solar/*" ], "webOrigins": [ "+" @@ -1382,13 +1382,13 @@ "clientId": "security-admin-console", "name": "${client_security-admin-console}", "rootUrl": "${authAdminUrl}", - "baseUrl": "/admin/test.test.pub.solar/console/", + "baseUrl": "/admin/test.pub.solar/console/", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "/admin/test.test.pub.solar/console/*" + "/admin/test.pub.solar/console/*" ], "webOrigins": [ "+" @@ -1498,19 +1498,19 @@ "clientId": "tt-rss", "name": "tt-rss", "description": "", - "rootUrl": "https://rss.test.test.pub.solar", - "adminUrl": "https://rss.test.test.pub.solar", - "baseUrl": "https://rss.test.test.pub.solar", + "rootUrl": "https://rss.test.pub.solar", + "adminUrl": "https://rss.test.pub.solar", + "baseUrl": "https://rss.test.pub.solar", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "secret": "secret", "redirectUris": [ - "https://rss.test.test.pub.solar" + "https://rss.test.pub.solar" ], "webOrigins": [ - "https://rss.test.test.pub.solar" + "https://rss.test.pub.solar" ], "notBefore": 0, "bearerOnly": false, 
@@ -2095,23 +2095,23 @@ "strictTransportSecurity": "max-age=31536000; includeSubDomains" }, "smtpServer": { - "password": "**********", - "replyToDisplayName": "test.test.pub.solar Support", + "password": "password", + "replyToDisplayName": "test.pub.solar Support", "starttls": "false", "auth": "true", "port": "465", - "replyTo": "admins@test.test.pub.solar", - "host": "mail.test.test.pub.solar", - "from": "keycloak@test.test.pub.solar", - "fromDisplayName": "test.test.pub.solar ID", + "replyTo": "admins@test.pub.solar", + "host": "mail.test.pub.solar", + "from": "keycloak@test.pub.solar", + "fromDisplayName": "test.pub.solar ID", "envelopeFrom": "", "ssl": "true", - "user": "admins@test.test.pub.solar" + "user": "admins@test.pub.solar" }, - "loginTheme": "test.test.pub.solar", - "accountTheme": "test.test.pub.solar", - "adminTheme": "test.test.pub.solar", - "emailTheme": "test.test.pub.solar", + "loginTheme": "pub.solar", + "accountTheme": "pub.solar", + "adminTheme": "pub.solar", + "emailTheme": "pub.solar", "eventsEnabled": false, "eventsListeners": [ "jboss-logging" diff --git a/tests/support/keycloak-realm-export/src/index.mjs b/tests/support/keycloak-realm-export/src/index.mjs index fdccbff..8aef73f 100644 --- a/tests/support/keycloak-realm-export/src/index.mjs +++ b/tests/support/keycloak-realm-export/src/index.mjs @@ -60,11 +60,23 @@ const changeIds = (node) => { return node; }; +const setExtra = (data) => ({ + ...data, + loginTheme: "pub.solar", + accountTheme: "pub.solar", + adminTheme: "pub.solar", + emailTheme: "pub.solar", + smtpServer: { + ...data.smtpServer, + password: "password", + }, +}); + (async () => { const fileContents = await readFile(filePath, { encoding: 'utf8' }); const data = JSON.parse(renameDomain(fileContents)); - const newData = changeIds(cleanClients(data)); + const newData = setExtra(changeIds(cleanClients(data))); console.log(JSON.stringify(newData, null, 2)); })(); 
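Review bot: `setExtra` replaces `smtpServer.password` with the literal `"password"` and sets four theme fields without saying why; the fixture hunk in this commit shows the export carries `"**********"` in that field (Keycloak masks it), so the override is what makes the realm usable against the test mail server, and a reader of the script alone cannot tell that. I would put a short comment above the function, e.g. `// Keycloak masks smtpServer.password on export; set the test mail server's password and point all themes at the pub.solar theme.`. The repeated `"pub.solar"` could also become one `const THEME = "pub.solar";` used for the four theme keys, so a rename touches one line.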
diff --git a/tests/support/mail-server.nix b/tests/support/mail-server.nix new file mode 100644 index 0000000..b0a1ada --- /dev/null +++ b/tests/support/mail-server.nix @@ -0,0 +1,27 @@ +{ + config, + flake, + ... +}: { + imports = [ + flake.self.nixosModules.home-manager + flake.self.nixosModules.core + flake.self.nixosModules.mail + flake.inputs.simple-nixos-mailserver.nixosModule + ./global.nix + ]; + + # password is password + systemd.tmpfiles.rules = [ "f /tmp/emailpw 1777 root root 10d $2b$11$NV75HGZzMcIwrnVUZKXtxexX9DN52HayDW4eKrD1A8O3uIPnCquQ2" ]; + + mailserver = { + loginAccounts = { + "admins@${config.pub-solar-os.networking.domain}" = { + hashedPasswordFile = "/tmp/emailpw"; + }; + "hakkonaut@${config.pub-solar-os.networking.domain}" = { + hashedPasswordFile = "/tmp/emailpw"; + }; + }; + }; +} diff --git a/tests/website.nix b/tests/website.nix index 452262b..3a2b91e 100644 --- a/tests/website.nix +++ b/tests/website.nix @@ -14,13 +14,7 @@ node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs; nodes = { - acme-server = { - imports = [ - self.nixosModules.home-manager - self.nixosModules.core - ./support/ca.nix - ]; - }; + acme-server.imports = [ ./support/acme-server.nix ]; nachtigall = { imports = [
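Review bot: The tmpfiles rule in the new `tests/support/mail-server.nix` creates `/tmp/emailpw` with mode `1777`, i.e. world-writable, so any local process on the test node can replace the bcrypt hash that `admins@` and `hakkonaut@` authenticate against. Nothing here needs the file to be writable by anyone but root, so `"f /tmp/emailpw 0600 root root 10d <hash unchanged>"` would be tighter, provided the mailserver module reads `hashedPasswordFile` as root, which I cannot confirm from this diff. The same `1777` pattern pre-exists for `/tmp/step-ca-intermediate-pw` in `tests/support/acme-server.nix` and deserves the same treatment.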