From eb337ddd478003150d15876fdf4572ea4a562eff Mon Sep 17 00:00:00 2001
From: b12f
Date: Sat, 24 Aug 2024 16:21:48 +0200
Subject: [PATCH] tests/keycloak: certificate fetching with step-ca works
---
flake.nix | 13 +-
hosts/default.nix | 4 +
hosts/nachtigall/configuration.nix | 16 +-
modules/backups/default.nix | 253 ++++++++++++++++++
modules/keycloak/default.nix | 29 +-
tests/keycloak.nix | 79 ++++++
tests/support/ca.nix | 48 ++++
tests/support/client.nix | 26 ++
tests/support/global.nix | 26 ++
tests/support/step/certs/intermediate_ca.crt | 13 +
tests/support/step/certs/root_ca.crt | 12 +
tests/support/step/config/ca.json | 46 ++++
tests/support/step/config/defaults.json | 6 +
.../support/step/secrets/intermediate_ca_key | 8 +
tests/support/step/secrets/root_ca_key | 8 +
tests/website.nix | 7 +-
16 files changed, 569 insertions(+), 25 deletions(-)
create mode 100644 modules/backups/default.nix
create mode 100644 tests/keycloak.nix
create mode 100644 tests/support/ca.nix
create mode 100644 tests/support/client.nix
create mode 100644 tests/support/global.nix
create mode 100644 tests/support/step/certs/intermediate_ca.crt
create mode 100644 tests/support/step/certs/root_ca.crt
create mode 100644 tests/support/step/config/ca.json
create mode 100644 tests/support/step/config/defaults.json
create mode 100644 tests/support/step/secrets/intermediate_ca_key
create mode 100644 tests/support/step/secrets/root_ca_key
diff --git a/flake.nix b/flake.nix
index 063589c..b22f325 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,12 +81,12 @@ packages = let nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { }; - in builtins.listToAttrs ( - map (x: { - name = "test-${lib.strings.removeSuffix ".nix" x}"; - value = nixos-lib.runTest (import (./tests + "/${x}") { inherit self; inherit pkgs; inherit lib; inherit config; }); - }) (builtins.attrNames (builtins.readDir ./tests)) - ); + testDir = builtins.attrNames (builtins.readDir ./tests); + testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir; + in builtins.listToAttrs (map (x: { + name = "test-${lib.strings.removeSuffix ".nix" x}"; + value = nixos-lib.runTest (import (./tests + "/${x}") { inherit self; inherit pkgs; inherit lib; inherit config; }); + }) testFiles); devShells.default = pkgs.mkShell { buildInputs = with pkgs; [
@@ -106,6 +106,7 @@ jq ]; }; + devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; }; };
diff --git a/hosts/default.nix b/hosts/default.nix
index af64b84..c8aaf1c 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -11,6 +11,7 @@ self.nixosModules.unlock-zfs-on-boot self.nixosModules.core self.nixosModules.docker + self.nixosModules.backups self.nixosModules.nginx self.nixosModules.collabora
@@ -49,6 +50,7 @@ ./flora-6 self.nixosModules.overlays self.nixosModules.core + self.nixosModules.backups self.nixosModules.keycloak self.nixosModules.caddy
@@ -68,6 +70,7 @@ self.nixosModules.overlays self.nixosModules.unlock-zfs-on-boot self.nixosModules.core + self.nixosModules.backups self.nixosModules.mail self.nixosModules.prometheus-exporters self.nixosModules.promtail
@@ -83,6 +86,7 @@ ./tankstelle self.nixosModules.overlays self.nixosModules.core + self.nixosModules.backups self.nixosModules.prometheus-exporters self.nixosModules.promtail ];
diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix
index 324755e..bc7e76d 100644
--- a/hosts/nachtigall/configuration.nix
+++ b/hosts/nachtigall/configuration.nix
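Review bot: The filter added in the `packages` `let` block uses `builtins.match "^.*.nix$" n`, where the unescaped `.` makes the pattern accept any name ending in the three letters `nix`, not only `.nix` files. Use the library helper or escape the dot: `testFiles = builtins.filter (n: lib.hasSuffix ".nix" n) testDir;`. The reason for filtering (the new `support/` directory now shows up in `readDir ./tests`) deserves a short comment, e.g. `# only *.nix files are tests; support/ holds shared node modules`.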
@@ -48,9 +48,21 @@ owner = "root"; }; - pub-solar-os.auth.enable = true; + age.secrets.keycloak-database-password = { + file = "${flake.self}/secrets/keycloak-database-password.age"; + mode = "600"; + #owner = "keycloak"; + }; - nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ]; + pub-solar-os.auth = { + enable = true; + database-password-file = config.age.secrets.keycloak-database-password.path; + }; + + pub-solar-os.backups.stores.storagebox = { + passwordFile = config.age.secrets."restic-repo-storagebox".path; + repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database
diff --git a/modules/backups/default.nix b/modules/backups/default.nix
new file mode 100644
index 0000000..50ffef8
--- /dev/null
+++ b/modules/backups/default.nix
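Review bot: The `age.secrets.keycloak-database-password` block moved into this host keeps `#owner = "keycloak";` commented out while `mode = "600"` leaves the decrypted file readable by root only; whether that is enough depends on which user the keycloak unit reads `database.passwordFile` as, which this hunk cannot show. Either set the owner deliberately or replace the commented line with a why-comment explaining why root-only access is sufficient, so the next reader does not have to re-derive it. The new `stores.storagebox` entry also deserves a one-line comment noting that every `pub-solar-os.backups.backups.<name>` defined on this host is written to this single repository with this single password file.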
@@ -0,0 +1,253 @@
+{
+ flake,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ options.pub-solar-os.backups = {
+ stores = with lib; mkOption {
+ description = ''
+ Periodic backups to create with Restic.
+ '';
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ options = {
+ passwordFile = mkOption {
+ type = types.str;
+ description = ''
+ Read the repository password from a file.
+ '';
+ example = "/etc/nixos/restic-password";
+ };
+
+ repository = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ repository to backup to.
+ '';
+ example = "sftp:backup@192.168.1.100:/backups/${name}";
+ };
+ };
+ }));
+
+ default = { };
+ example = {
+ remotebackup = {
+ repository = "sftp:backup@host:/backups/home";
+ passwordFile = "/etc/nixos/secrets/restic-password";
+ };
+ };
+ };
+
+ backups = with lib; mkOption {
+ description = ''
+ Periodic backups to create with Restic.
+ '';
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ options = {
+ paths = mkOption {
+ # This is nullable for legacy reasons only. We should consider making it a pure listOf
+ # after some time has passed since this comment was added.
+ type = types.nullOr (types.listOf types.str);
+ default = [ ];
+ description = ''
+ Which paths to backup, in addition to ones specified via
+ `dynamicFilesFrom`. If null or an empty array and
+ `dynamicFilesFrom` is also null, no backup command will be run.
+ This can be used to create a prune-only job.
+ '';
+ example = [
+ "/var/lib/postgresql"
+ "/home/user/backup"
+ ];
+ };
+
+ exclude = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ Patterns to exclude when backing up. See
+ https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files for
+ details on syntax.
+ '';
+ example = [
+ "/var/cache"
+ "/home/*/.cache"
+ ".git"
+ ];
+ };
+
+ timerConfig = mkOption {
+ type = types.nullOr (types.attrsOf unitOption);
+ default = {
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ description = ''
+ When to run the backup. See {manpage}`systemd.timer(5)` for
+ details. If null no timer is created and the backup will only
+ run when explicitly started.
+ '';
+ example = {
+ OnCalendar = "00:05";
+ RandomizedDelaySec = "5h";
+ Persistent = true;
+ };
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "root";
+ description = ''
+ As which user the backup should run.
+ '';
+ example = "postgresql";
+ };
+
+ extraBackupArgs = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ Extra arguments passed to restic backup.
+ '';
+ example = [
+ "--exclude-file=/etc/nixos/restic-ignore"
+ ];
+ };
+
+ extraOptions = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ Extra extended options to be passed to the restic --option flag.
+ '';
+ example = [
+ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
+ ];
+ };
+
+ initialize = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Create the repository if it doesn't exist.
+ '';
+ };
+
+ pruneOpts = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ A list of options (--keep-\* et al.) for 'restic forget
+ --prune', to automatically prune old snapshots. The
+ 'forget' command is run *after* the 'backup' command, so
+ keep that in mind when constructing the --keep-\* options.
+ '';
+ example = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 75"
+ ];
+ };
+
+ runCheck = mkOption {
+ type = types.bool;
+ default = (builtins.length config.services.restic.backups.${name}.checkOpts > 0);
+ defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';
+ description = "Whether to run the `check` command with the provided `checkOpts` options.";
+ example = true;
+ };
+
+ checkOpts = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ A list of options for 'restic check'.
+ '';
+ example = [
+ "--with-cache"
+ ];
+ };
+
+ dynamicFilesFrom = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ A script that produces a list of files to back up. The
+ results of this command are given to the '--files-from'
+ option. The result is merged with paths specified via `paths`.
+ '';
+ example = "find /home/matt/git -type d -name .git";
+ };
+
+ backupPrepareCommand = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ A script that must run before starting the backup process.
+ '';
+ };
+
+ backupCleanupCommand = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ description = ''
+ A script that must run after finishing the backup process.
+ '';
+ };
+
+ package = mkPackageOption pkgs "restic" { };
+
+ createWrapper = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = ''
+ Whether to generate and add a script to the system path, that has the same environment variables set
+ as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without
+ having to manually specify most options.
+ '';
+ };
+ };
+ }));
+ default = { };
+ example = {
+ localbackup = {
+ paths = [ "/home" ];
+ exclude = [ "/home/*/.cache" ];
+ initialize = true;
+ };
+ remotebackup = {
+ paths = [ "/home" ];
+ extraOptions = [
+ "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
+ ];
+ timerConfig = {
+ OnCalendar = "00:05";
+ RandomizedDelaySec = "5h";
+ };
+ };
+ };
+ };
+ };
+
+ config = {
+ services.restic.backups = let
+ stores = config.pub-solar-os.backups.stores;
+ backups = config.pub-solar-os.backups.backups;
+
+ storeNames = builtins.attrNames stores;
+ backupNames = builtins.attrNames backups;
+
+ createBackups = backupName: map
+ (storeName: {
+ name = "${backupName}-${storeName}";
+ value = stores."${storeName}" // backups."${backupName}";
+ })
+ storeNames;
+
+ in builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames));
+ };
+}
diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix
index 3c9316e..d2b1975 100644
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@@ -6,23 +6,22 @@ ... }: { - options.pub-solar-os.auth = { - enable = lib.mkEnableOption "Enable keycloak to run on the node"; + options.pub-solar-os.auth = with lib; { + enable = mkEnableOption "Enable keycloak to run on the node"; - realm = lib.mkOption { + realm = mkOption { description = "Name of the realm"; - type = lib.types.str; + type = types.str; default = config.pub-solar-os.networking.domain; }; + + database-password-file = mkOption { + description = "Database password file path"; + type = types.str; + }; }; config = lib.mkIf config.pub-solar-os.auth.enable { - age.secrets.keycloak-database-password = { - file = "${flake.self}/secrets/keycloak-database-password.age"; - mode = "600"; - #owner = "keycloak"; - }; - services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = { enableACME = true; forceSSL = true;
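Review bot: `runCheck`'s default in the `backups` submodule reads `config.services.restic.backups.${name}.checkOpts`, but the restic backups this module generates are named `${backupName}-${storeName}`, so for the keycloak backup `config.services.restic.backups.keycloak` does not exist and, as far as I can tell, evaluation fails as soon as a store is configured (nachtigall now configures `storagebox`); the `defaultText` names yet a third path. Take the value from the submodule's own config instead: `type = types.attrsOf (types.submodule ({ name, config, ... }: {` together with `default = builtins.length config.checkOpts > 0;` and a matching `defaultText`. `timerConfig`'s type references `unitOption`, which I do not see in `lib` (nixpkgs' restic module takes it from the `utils` module argument, `utils.systemdUtils.unitOptions.unitOption`), so under `with lib;` that resolves to a missing attribute once the type is forced. The `stores` option's description is a copy of the `backups` one ("Periodic backups to create with Restic."); describe what it actually holds, e.g. `Restic repositories, each with its password file, that every configured backup is written to.`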
@@ -43,10 +42,14 @@ }; }; + nixpkgs.config = lib.mkDefault { + permittedInsecurePackages = [ "keycloak-23.0.6" ]; + }; + # keycloak services.keycloak = { enable = true; - database.passwordFile = config.age.secrets.keycloak-database-password.path; + database.passwordFile = config.pub-solar-os.auth.database-password-file; settings = { hostname = "auth.${config.pub-solar-os.networking.domain}"; http-host = "127.0.0.1";
@@ -59,14 +62,12 @@ }; }; - services.restic.backups.keycloak-storagebox = { + pub-solar-os.backups.backups.keycloak = { paths = [ "/tmp/keycloak-backup.sql" ]; timerConfig = { OnCalendar = "*-*-* 03:00:00 Etc/UTC"; }; initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; - repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; backupPrepareCommand = '' ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql '';
diff --git a/tests/keycloak.nix b/tests/keycloak.nix
new file mode 100644
index 0000000..4de464d
--- /dev/null
+++ b/tests/keycloak.nix
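Review bot: `nixpkgs.config = lib.mkDefault { permittedInsecurePackages = [ ... ]; }` attaches the default priority to the whole `nixpkgs.config` value, and the module system discards lower-priority definitions of an option wholesale, so any other module that sets e.g. `nixpkgs.config.allowUnfree` at normal priority would silently drop this allowance and keycloak-23.0.6 would be refused again. Scope the definition to the one attribute: `nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ];` (list definitions merge, so no `mkDefault` is needed). A comment stating why this insecure version is still required, and what unblocks the upgrade, would help whoever removes the line later.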
@@ -0,0 +1,79 @@
+{
+ self,
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+in {
+ name = "keycloak";
+
+ hostPkgs = pkgs;
+
+ node.pkgs = pkgs;
+ node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
+
+ nodes = {
+ acme-server = {
+ imports = [
+ self.nixosModules.home-manager
+ self.nixosModules.core
+ ./support/ca.nix
+ ];
+ };
+
+ client = {
+ imports = [
+ self.nixosModules.home-manager
+ self.nixosModules.core
+ ./support/client.nix
+ ];
+ };
+
+ nachtigall = {
+ imports = [
+ self.inputs.agenix.nixosModules.default
+ self.nixosModules.home-manager
+ self.nixosModules.core
+ self.nixosModules.backups
+ self.nixosModules.nginx
+ self.nixosModules.keycloak
+ self.nixosModules.postgresql
+ ./support/global.nix
+ ];
+
+ systemd.tmpfiles.rules = [
+ "f /tmp/dbf 1777 root root 10d"
+ ];
+
+ pub-solar-os.auth = {
+ enable = true;
+ database-password-file = "/tmp/dbf";
+ };
+
+ networking.interfaces.eth0.ipv4.addresses = [
+ {
+ address = "192.168.1.3";
+ prefixLength = 32;
+ }
+ ];
+ };
+ };
+
+ enableOCR = true;
+
+ testScript = ''
+ start_all()
+
+ nachtigall.wait_for_unit("system.slice")
+ nachtigall.succeed("ping 127.0.0.1 -c 2")
+ nachtigall.wait_for_unit("nginx.service")
+ nachtigall.wait_for_unit("keycloak.service")
+ nachtigall.succeed("curl https://auth.test.pub.solar/")
+
+ client.wait_for_unit("system.slice")
+ client.wait_until_succeeds("swaymsg -t get_tree | grep -q 'firefox'")
+ client.sleep(20)
+ client.screenshot("screen")
+ '';
+}
diff --git a/tests/support/ca.nix b/tests/support/ca.nix
new file mode 100644
index 0000000..c364deb
--- /dev/null
+++ b/tests/support/ca.nix
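Review bot: The `testScript` curls `https://auth.test.pub.solar/` as soon as `keycloak.service` is up, but nothing waits for the CA node or for the ACME order to complete, so the request can race the self-signed placeholder certificate nginx starts with and the result depends on timing rather than on the step-ca issuance the commit title claims. Add `acme-server.wait_for_unit("step-ca.service")` before the nachtigall checks and `nachtigall.wait_for_unit("acme-finished-auth.test.pub.solar.target")` before the curl, and use `curl --fail` so an HTTP error page does not count as success. The client half ends in `client.sleep(20)` and a screenshot with no assertion, so a broken client is not detected. `"f /tmp/dbf 1777 root root 10d"` creates an empty, world-writable database password file; a mode such as `0600` (or `0640` with the reading user as owner, if the unit does not read it as root) is enough and avoids the sticky bit on a regular file.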
@@ -0,0 +1,48 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ imports = [
+ ./global.nix
+ ];
+
+ systemd.tmpfiles.rules = [
+ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password"
+ ];
+
+ networking.interfaces.eth0.ipv4.addresses = [
+ {
+ address = "192.168.1.1";
+ prefixLength = 32;
+ }
+ ];
+
+ services.step-ca = let
+ certificates = pkgs.stdenv.mkDerivation {
+ name = "certificates";
+ src = ./step;
+ installPhase = ''
+ mkdir -p $out;
+ cp -r certs $out/
+ cp -r secrets $out/
+ '';
+ };
+ in {
+ enable = true;
+ openFirewall = true;
+ intermediatePasswordFile = "/tmp/step-ca-intermediate-pw";
+ port = 443;
+ address = "0.0.0.0";
+ settings = (builtins.fromJSON (builtins.readFile ./step/config/ca.json)) // {
+ root = "${certificates}/certs/root_ca.crt";
+ crt = "${certificates}/certs/intermediate_ca.crt";
+ key = "${certificates}/secrets/intermediate_ca_key";
+ db = {
+ type = "badgerv2";
+ dataSource = "/var/lib/step-ca/db";
+ };
+ };
+ };
+}
diff --git a/tests/support/client.nix b/tests/support/client.nix
new file mode 100644
index 0000000..728e26e
--- /dev/null
+++ b/tests/support/client.nix
@@ -0,0 +1,26 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ imports = [
+ ./global.nix
+ ];
+
+ programs.sway = {
+ enable = true;
+ };
+
+ programs.bash.shellInit = ''
+ exec sway
+ '';
+
+ networking.interfaces.eth0.ipv4.addresses = [
+ {
+ address = "192.168.1.2";
+ prefixLength = 32;
+ }
+ ];
+}
diff --git a/tests/support/global.nix b/tests/support/global.nix
new file mode 100644
index 0000000..f5ae1dc
--- /dev/null
+++ b/tests/support/global.nix
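Review bot: This fixture CA's private keys are committed under `tests/support/step/secrets`, copied into the world-readable Nix store by the `certificates` derivation, and unlocked with the literal passphrase `password` written to a `1777` file — acceptable only because the CA lives inside the VM test, yet nothing in the tree says so. Add a comment above `services.step-ca` such as `# Test-only CA: keys and passphrase are public fixtures; the root is trusted via support/global.nix on test nodes only. Never reuse outside the test VMs.`, and tighten the tmpfiles line (`1777` on a regular file is world-writable; `0640` with the reading user as owner is enough). Secret scanners will flag the committed `EC PRIVATE KEY` blocks on every run; a short README in `tests/support/step/` stating they are throwaway test material avoids repeated triage.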
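Review bot: `programs.bash.shellInit = '' exec sway ''` replaces every bash login shell on the client with sway — root's included, and whichever shell the test driver or an operator opens — and no file in this commit configures an autologin that would start such a shell on a tty, so how `swaymsg` in the test script finds a running sway is not visible here. Gate it on the console, `[ "$(tty)" = "/dev/tty1" ] && exec sway`, and add a comment naming the login mechanism it relies on. If the driver's backdoor shell sources `/etc/profile`, the unguarded `exec` would replace it and every `client.succeed` call would hang; worth confirming before this file is reused by other tests.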
@@ -0,0 +1,26 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ pub-solar-os.networking.domain = "test.pub.solar";
+
+ security.acme.defaults.server = "https://ca.${config.pub-solar-os.networking.domain}/acme/acme/directory";
+
+ security.pki.certificates = [
+ (builtins.readFile ./step/certs/root_ca.crt)
+ ];
+
+ networking.interfaces.eth0.useDHCP = false;
+
+ networking.hosts = {
+ "192.168.1.1" = [ "ca.${config.pub-solar-os.networking.domain}" ];
+ "192.168.1.2" = [ "client.${config.pub-solar-os.networking.domain}" ];
+ "192.168.1.3" = [
+ "${config.pub-solar-os.networking.domain}"
+ "www.${config.pub-solar-os.networking.domain}"
+ "auth.${config.pub-solar-os.networking.domain}"
+ ];
+ };
+}
diff --git a/tests/support/step/certs/intermediate_ca.crt b/tests/support/step/certs/intermediate_ca.crt
new file mode 100644
index 0000000..3220838
--- /dev/null
+++ b/tests/support/step/certs/intermediate_ca.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAYagAwIBAgIQVR/3c0swvc/ifeYqLQn3HTAKBggqhkjOPQQDAjA6MRcw
+FQYDVQQKEw5wdWIuc29sYXItdGVzdDEfMB0GA1UEAxMWcHViLnNvbGFyLXRlc3Qg
+Um9vdCBDQTAeFw0yNDA4MjQwMTI3MTBaFw0zNDA4MjIwMTI3MTBaMEIxFzAVBgNV
+BAoTDnB1Yi5zb2xhci10ZXN0MScwJQYDVQQDEx5wdWIuc29sYXItdGVzdCBJbnRl
+cm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpCjy3PAiawAeb
+47ZZ9kPXuuV0EavOfFlgnlZBkOc2AXY0R6P1jK06US0SiPo17rqyNgUWH0oV4v8i
+/HbZYNXYo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
+BgNVHQ4EFgQU1hueYsLAH6+wxjArqCM3IHFqnIEwHwYDVR0jBBgwFoAUxg/BmKK7
+9Zs+b1bvlpYwggy5lnswCgYIKoZIzj0EAwIDSAAwRQIgfxkjyC4HHADRmNDLqZ5L
+0po+JD5/9b1L//JoXG+vgXECIQDgkRe8r8/0Ep/NWgBtbkA3oTYq8vCwo1FewBZZ
+43fo5w==
+-----END CERTIFICATE-----
diff --git a/tests/support/step/certs/root_ca.crt b/tests/support/step/certs/root_ca.crt
new file mode 100644
index 0000000..71f5cea
--- /dev/null
+++ b/tests/support/step/certs/root_ca.crt
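Review bot: `security.pki.certificates` installs the committed test root (whose private key is in the same tree) into the system trust store of every node that imports this file, and `networking.hosts` hard-codes the same three addresses that each node's `eth0` block assigns separately in `ca.nix`, `client.nix` and `keycloak.nix`. Both are fine inside the VM test but should be stated at the top of the file, e.g. `# Shared settings for NixOS test nodes only: trusts the throwaway test root CA and pins the test.pub.solar names to the static VM addresses (keep in sync with the per-node eth0 blocks). Never import into a real host.`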
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV2gAwIBAgIQMXg7xoEIrVjgvKcrRaxo0DAKBggqhkjOPQQDAjA6MRcw
+FQYDVQQKEw5wdWIuc29sYXItdGVzdDEfMB0GA1UEAxMWcHViLnNvbGFyLXRlc3Qg
+Um9vdCBDQTAeFw0yNDA4MjQwMTI3MDlaFw0zNDA4MjIwMTI3MDlaMDoxFzAVBgNV
+BAoTDnB1Yi5zb2xhci10ZXN0MR8wHQYDVQQDExZwdWIuc29sYXItdGVzdCBSb290
+IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYNxMcHclQP/zv2y6LJIGx9pg
+Q2337Zb8TuPY+DnL1MjuCMoeTaMwngzjU/DSbKL0Vx/y+I+PBjhHmPrYcGDcSKNF
+MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FMYPwZiiu/WbPm9W75aWMIIMuZZ7MAoGCCqGSM49BAMCA0kAMEYCIQDcgr9WyR1C
+806aEQ38alYgGg3PhQdT14q47tWIUOnpygIhAM0x/QK/mm7VvQxBLAA4DT6X730m
+k/tBvh9SHNbwPxCt
+-----END CERTIFICATE-----
diff --git a/tests/support/step/config/ca.json b/tests/support/step/config/ca.json
new file mode 100644
index 0000000..ab7753a
--- /dev/null
+++ b/tests/support/step/config/ca.json
@@ -0,0 +1,46 @@
+{
+ "federatedRoots": null,
+ "address": ":443",
+ "insecureAddress": "",
+ "dnsNames": [
+ "ca.test.pub.solar"
+ ],
+ "logger": {
+ "format": "text"
+ },
+ "db": {
+ "type": "badgerv2",
+ "badgerFileLoadingMode": ""
+ },
+ "authority": {
+ "provisioners": [
+ {
+ "name": "acme",
+ "type": "ACME"
+ },
+ {
+ "type": "JWK",
+ "name": "test.pub.solar",
+ "key": {
+ "use": "sig",
+ "kty": "EC",
+ "kid": "lM-BJXRwwQcdgxLqAS4Za23A2YatZpwXx-PP5NIt8JM",
+ "crv": "P-256",
+ "alg": "ES256",
+ "x": "ouB2mP04Kt8rDa10C8ZzYyzA36rrz-k0c4_ud1hVjyg",
+ "y": "RbXKcudQRPEFqjG_5AxuqCQXn7pyRToQCwC4MrwLVUQ"
+ },
+ "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiNWR5T2puR2Y5aFFNRlc1U25fRWhzUSJ9.a3xtSBuMmzZCMsdfHAXMgFpe9bq8A6bGGOoW9F2Gw7AhxL4bG-AlgA.IA68rSJSGTAKnaVS.XDQc4da-8D9Ykfw-8S4uphsauq5gsEm4qp7zKQUIvcjUlnPAtiHP3xiiBie29ncdg8rKmyzprEEOpTNvXtQl7LsPsHXyKV3SqsTnJecvim9YXGDneAHyWe-XF6hyCZAfSoFbFMgLDKR6d44hMht3ueazL_TPlkFUBLrJbsW782MfdfF3nzcaDf_JDuhKsKHDmKqZyNXDzwf6rINe8adrf5gqaLM2_sGhk7i3XyXygn8HHVw1Dj_w2gPOVm4MS7CO_NgikPqAtGuXDhpWZfXte-FlnMO6d9xQF67b0cwB8kmColPSp1zRiCKPAk9vof8Nn-gGE_aw8zxPi0CJkoY.xbuqSSspgLc_Uw17uiRF7Q"
+ }
+ ]
+ },
+ "tls": {
+ "cipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+ ],
+ "minVersion": 1.2,
+ "maxVersion": 1.3,
+ "renegotiation": false
+ }
+}
diff --git a/tests/support/step/config/defaults.json b/tests/support/step/config/defaults.json
new file mode 100644
index 0000000..f3e3488
--- /dev/null
+++ b/tests/support/step/config/defaults.json
@@ -0,0 +1,6 @@
+{
+ "ca-url": "https://ca.test.pub.solar",
+ "ca-config": "/home/b12f/.step/config/ca.json",
+ "fingerprint": "4d6a1a918355380acbd0256a2203d0a0da8436bb788e8f19326589045c3cd842",
+ "root": "/home/b12f/.step/certs/root_ca.crt"
+}
\ No newline at end of file
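Review bot: `defaults.json` is not read by `tests/support/ca.nix` (only `ca.json` is) and it carries a developer's home paths, `/home/b12f/.step/config/ca.json` and `/home/b12f/.step/certs/root_ca.crt`, so it records a local workstation setup rather than the test fixture; either drop it or replace the paths with test-relative ones and explain in a README (JSON has no comments) that it is the `step` client config used to regenerate the fixture. The file also lacks a trailing newline. The `encryptedKey` of the JWK provisioner in `ca.json` is one more committed secret and belongs in the same test-only note.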
diff --git a/tests/support/step/secrets/intermediate_ca_key b/tests/support/step/secrets/intermediate_ca_key
new file mode 100644
index 0000000..a8eb8b2
--- /dev/null
+++ b/tests/support/step/secrets/intermediate_ca_key
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,0b34c00cb76ffc16441f5fe762d8d915
+
+xJQ5r5kGiaG6rCsmVnONxm99sqceb62dO8/YvgdZ/ouHAxz1OlXYpTJNd2GvezAc
+XA6Zx6eGzNCOyhgMNJTXEn8QmcJcMd6OjVLxQ9Tr2Mi3LShcBzMPs30/X2XYsM22
+5G4fRhQD0L4nQ08B3GG6FjPe/HYmkRNZmAeDc2wE5Fg=
+-----END EC PRIVATE KEY-----
diff --git a/tests/support/step/secrets/root_ca_key b/tests/support/step/secrets/root_ca_key
new file mode 100644
index 0000000..19605f9
--- /dev/null
+++ b/tests/support/step/secrets/root_ca_key
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,48f59a57e5a2b81359e0a3668161b61e
+
+jMZbpiHSFa74ns30QrAnIlcguqWp+FE20cXbiIVPpLAJpzGskc3k5vRFTpPM8geg
+sZ6bVvq3APbKmkopxZHWpd4ly6uHkolbtR1NFxTNKymaJZuSuKspUmDohkIyZN6c
+KG0upERMZIOg6Ky1JiM5pLJMHBTsCmzJBmdFCW7GSww=
+-----END EC PRIVATE KEY-----
diff --git a/tests/website.nix b/tests/website.nix
index 10e96a5..bfa6c60 100644
--- a/tests/website.nix
+++ b/tests/website.nix
@@ -13,12 +13,12 @@ node.pkgs = pkgs; node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs; - nodes.nachtigall-test = { + nodes.nachtigall_test = { imports = [ self.nixosModules.home-manager self.nixosModules.core self.nixosModules.nginx - self.nixosModules.nginx-website + self.nixosModules.keycloak ]; };
@@ -28,6 +28,7 @@ nachtigall_test.wait_for_unit("system.slice") nachtigall_test.succeed("ping 127.0.0.1 -c 2") nachtigall_test.wait_for_unit("nginx.service") - nachtigall_test.succeed("curl -H 'Host:pub.solar' http://127.0.0.1/") + nachtigall_test.succeed("curl https://test.pub.solar/") + nachtigall_test.succeed("curl https://www.test.pub.solar/") ''; }
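Review bot: The first `tests/website.nix` hunk swaps `self.nixosModules.nginx-website` for `self.nixosModules.keycloak`, which reads like an accidental edit: the website test no longer imports the module serving the site it curls, while the keycloak module's `database-password-file` option has no default and will fail evaluation unless it is set. The second hunk curls `https://test.pub.solar/` and `https://www.test.pub.solar/`, but unlike `tests/keycloak.nix` this node does not import `./support/global.nix`, so neither the `test.pub.solar` domain, the hosts entries nor the test root CA are configured for it. Suggested fix: restore `self.nixosModules.nginx-website`, add `./support/global.nix` to `imports`, and keep the new HTTPS checks with `curl --fail`; the enclosing `nodes` and `testScript` attribute sets continue outside both hunks.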