pub-solar/infra
6
1
Fork 3
Code Issues 18 Pull requests 11 Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: pub-solar:3d0e5063acadb53a6ca0afb1a963e321a88d1c81
Branches Tags
pub-solar:main
pub-solar:ci-treefmt
pub-solar:docs-garage
pub-solar:docs-cachix
pub-solar:feat/automated-account-deletion
pub-solar:ssl-cert-warning
pub-solar:feat/matrix-moderation-draupnir
pub-solar:nginx-maintenance
pub-solar:feat/matrix-moderation
pub-solar:fix/use-nix-firewall-nat-feature-for-forgejo-redirect
pub-solar:feat/loomio
pub-solar:feat/matrix-hookshot
pub-solar:feat/libreddit
pub-solar:feat/invidious
..
compare: pub-solar:74f03555e53bd86da1ee81ec6d6c875ad0d20674
Branches Tags
pub-solar:main
pub-solar:ci-treefmt
pub-solar:docs-garage
pub-solar:docs-cachix
pub-solar:feat/automated-account-deletion
pub-solar:ssl-cert-warning
pub-solar:feat/matrix-moderation-draupnir
pub-solar:nginx-maintenance
pub-solar:feat/matrix-moderation
pub-solar:fix/use-nix-firewall-nat-feature-for-forgejo-redirect
pub-solar:feat/loomio
pub-solar:feat/matrix-hookshot
pub-solar:feat/libreddit
pub-solar:feat/invidious

10 commits
3d0e5063ac ... 74f03555e5

Author SHA1 Message Date
teutat3s 74f03555e5
style: format using nixfmt-rfc-style
Some checks failed
Flake checks / Check (pull_request) Has been cancelled
Details
2024-08-25 02:42:03 +02:00
b12f e1dadd17ab
tests/keycloak: working base test without client 2024-08-25 02:38:40 +02:00
Hendrik Sokolowski 31eb82a4e7
raise memory assigned to test-nachtigall, auto-create database user for keycloak 2024-08-25 02:38:39 +02:00
Hendrik Sokolowski 6c9434d3a0
disable DHCP entirely 2024-08-25 02:38:39 +02:00
Hendrik Sokolowski 3451e9dead
drop explicit dependencies on postgres mounts 2024-08-25 02:38:39 +02:00
b12f c469a8a2dc
tests/keycloak: add non-working ssh config for clients 2024-08-25 02:38:39 +02:00
b12f eb337ddd47
tests/keycloak: certificate fetching with step-ca works 2024-08-25 02:38:39 +02:00
b12f f96b31a8a9
tests: add working test for website 2024-08-25 02:38:39 +02:00
teutat3s b6be95d032
Merge pull request 'Maintenance + security updates for element, forgejo, mastodon, matrix-synapse' (#221) from flake-updates into main 
Reviewed-on: #221
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
 2024-08-24 01:11:41 +00:00
teutat3s 50eb1d4f32
flake.lock: Update
All checks were successful
Flake checks / Check (pull_request) Successful in 16m23s
Details 
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/3f1dae074a12feb7327b4bf43cbac0d124488bb7' (2024-07-30)
  → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10)
• Updated input 'nix-darwin':
    'github:lnl7/nix-darwin/91010a5613ffd7ee23ee9263213157a1c422b705' (2024-08-06)
  → 'github:lnl7/nix-darwin/a8968d88e5a537b0491f68ce910749cd870bdbef' (2024-08-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/883180e6550c1723395a3a342f830bfc5c371f6b' (2024-08-05)
  → 'github:nixos/nixpkgs/224042e9a3039291f22f4f2ded12af95a616cca0' (2024-08-21)
• Updated input 'unstable':
    'github:nixos/nixpkgs/cb9a96f23c491c081b38eab96d22fa958043c9fa' (2024-08-04)
  → 'github:nixos/nixpkgs/c374d94f1536013ca8e92341b540eba4c22f9c62' (2024-08-21)
 2024-08-22 11:59:47 +02:00
11 changed files with 386 additions and 370 deletions
Show stats Expand all files Collapse all files

24
flake.lock
View file

@ -14,11 +14,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1722339003, "lastModified": 1723293904,
"narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=", "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7", "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -299,11 +299,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722924007, "lastModified": 1724299755,
"narHash": "sha256-+CQDamNwqO33REJLft8c26NbUi2Td083hq6SvAm2xkU=", "narHash": "sha256-P5zMA17kD9tqiqMuNXwupkM7buM3gMNtoZ1VuJTRDE4=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "91010a5613ffd7ee23ee9263213157a1c422b705", "rev": "a8968d88e5a537b0491f68ce910749cd870bdbef",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -330,11 +330,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1722869614, "lastModified": 1724242322,
"narHash": "sha256-7ojM1KSk3mzutD7SkrdSflHXEujPvW1u7QuqWoTLXQU=", "narHash": "sha256-HMpK7hNjhEk4z5SFg5UtxEio9OWFocHdaQzCfW1pE7w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "883180e6550c1723395a3a342f830bfc5c371f6b", "rev": "224042e9a3039291f22f4f2ded12af95a616cca0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -519,11 +519,11 @@
}, },
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1722813957, "lastModified": 1724224976,
"narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
"type": "github" "type": "github"
}, },
"original": { "original": {

27
flake.nix
View file

@ -79,14 +79,25 @@
master = import inputs.master { inherit system; }; master = import inputs.master { inherit system; };
}; };
packages = let packages =
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { }; let
testDir = builtins.attrNames (builtins.readDir ./tests); nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir; testDir = builtins.attrNames (builtins.readDir ./tests);
in builtins.listToAttrs (map (x: { testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
name = "test-${lib.strings.removeSuffix ".nix" x}"; in
value = nixos-lib.runTest (import (./tests + "/${x}") { inherit self; inherit pkgs; inherit lib; inherit config; }); builtins.listToAttrs (
}) testFiles); map (x: {
name = "test-${lib.strings.removeSuffix ".nix" x}";
value = nixos-lib.runTest (
import (./tests + "/${x}") {
inherit self;
inherit pkgs;
inherit lib;
inherit config;
}
);
}) testFiles
);
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [

456
modules/backups/default.nix
View file

@ -7,247 +7,257 @@
}: }:
{ {
options.pub-solar-os.backups = { options.pub-solar-os.backups = {
stores = with lib; mkOption { stores =
description = '' with lib;
Periodic backups to create with Restic. mkOption {
''; description = ''
type = types.attrsOf (types.submodule ({ name, ... }: { Periodic backups to create with Restic.
options = { '';
passwordFile = mkOption { type = types.attrsOf (
type = types.str; types.submodule (
description = '' { name, ... }:
Read the repository password from a file. {
''; options = {
example = "/etc/nixos/restic-password"; passwordFile = mkOption {
}; type = types.str;
description = ''
Read the repository password from a file.
'';
example = "/etc/nixos/restic-password";
};
repository = mkOption { repository = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = null;
description = '' description = ''
repository to backup to. repository to backup to.
''; '';
example = "sftp:backup@192.168.1.100:/backups/${name}"; example = "sftp:backup@192.168.1.100:/backups/${name}";
}; };
}; };
})); }
)
);
default = { }; default = { };
example = { example = {
remotebackup = { remotebackup = {
repository = "sftp:backup@host:/backups/home"; repository = "sftp:backup@host:/backups/home";
passwordFile = "/etc/nixos/secrets/restic-password"; passwordFile = "/etc/nixos/secrets/restic-password";
};
}; };
}; };
};
backups = with lib; mkOption { backups =
description = '' with lib;
Periodic backups to create with Restic. mkOption {
''; description = ''
type = types.attrsOf (types.submodule ({ name, ... }: { Periodic backups to create with Restic.
options = { '';
paths = mkOption { type = types.attrsOf (
# This is nullable for legacy reasons only. We should consider making it a pure listOf types.submodule (
# after some time has passed since this comment was added. { name, ... }:
type = types.nullOr (types.listOf types.str); {
default = [ ]; options = {
description = '' paths = mkOption {
Which paths to backup, in addition to ones specified via # This is nullable for legacy reasons only. We should consider making it a pure listOf
`dynamicFilesFrom`. If null or an empty array and # after some time has passed since this comment was added.
`dynamicFilesFrom` is also null, no backup command will be run. type = types.nullOr (types.listOf types.str);
This can be used to create a prune-only job. default = [ ];
''; description = ''
example = [ Which paths to backup, in addition to ones specified via
"/var/lib/postgresql" `dynamicFilesFrom`. If null or an empty array and
"/home/user/backup" `dynamicFilesFrom` is also null, no backup command will be run.
]; This can be used to create a prune-only job.
'';
example = [
"/var/lib/postgresql"
"/home/user/backup"
];
};
exclude = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Patterns to exclude when backing up. See
https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files for
details on syntax.
'';
example = [
"/var/cache"
"/home/*/.cache"
".git"
];
};
timerConfig = mkOption {
type = types.nullOr (types.attrsOf unitOption);
default = {
OnCalendar = "daily";
Persistent = true;
};
description = ''
When to run the backup. See {manpage}`systemd.timer(5)` for
details. If null no timer is created and the backup will only
run when explicitly started.
'';
example = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
Persistent = true;
};
};
user = mkOption {
type = types.str;
default = "root";
description = ''
As which user the backup should run.
'';
example = "postgresql";
};
extraBackupArgs = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra arguments passed to restic backup.
'';
example = [ "--exclude-file=/etc/nixos/restic-ignore" ];
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra extended options to be passed to the restic --option flag.
'';
example = [ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ];
};
initialize = mkOption {
type = types.bool;
default = false;
description = ''
Create the repository if it doesn't exist.
'';
};
pruneOpts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of options (--keep-\* et al.) for 'restic forget
--prune', to automatically prune old snapshots. The
'forget' command is run *after* the 'backup' command, so
keep that in mind when constructing the --keep-\* options.
'';
example = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
runCheck = mkOption {
type = types.bool;
default = (builtins.length config.services.restic.backups.${name}.checkOpts > 0);
defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';
description = "Whether to run the `check` command with the provided `checkOpts` options.";
example = true;
};
checkOpts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of options for 'restic check'.
'';
example = [ "--with-cache" ];
};
dynamicFilesFrom = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that produces a list of files to back up. The
results of this command are given to the '--files-from'
option. The result is merged with paths specified via `paths`.
'';
example = "find /home/matt/git -type d -name .git";
};
backupPrepareCommand = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that must run before starting the backup process.
'';
};
backupCleanupCommand = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that must run after finishing the backup process.
'';
};
package = mkPackageOption pkgs "restic" { };
createWrapper = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to generate and add a script to the system path, that has the same environment variables set
as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without
having to manually specify most options.
'';
};
};
}
)
);
default = { };
example = {
localbackup = {
paths = [ "/home" ];
exclude = [ "/home/*/.cache" ];
initialize = true;
}; };
remotebackup = {
exclude = mkOption { paths = [ "/home" ];
type = types.listOf types.str; extraOptions = [
default = [ ]; "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
description = ''
Patterns to exclude when backing up. See
https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files for
details on syntax.
'';
example = [
"/var/cache"
"/home/*/.cache"
".git"
]; ];
}; timerConfig = {
timerConfig = mkOption {
type = types.nullOr (types.attrsOf unitOption);
default = {
OnCalendar = "daily";
Persistent = true;
};
description = ''
When to run the backup. See {manpage}`systemd.timer(5)` for
details. If null no timer is created and the backup will only
run when explicitly started.
'';
example = {
OnCalendar = "00:05"; OnCalendar = "00:05";
RandomizedDelaySec = "5h"; RandomizedDelaySec = "5h";
Persistent = true;
}; };
}; };
user = mkOption {
type = types.str;
default = "root";
description = ''
As which user the backup should run.
'';
example = "postgresql";
};
extraBackupArgs = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra arguments passed to restic backup.
'';
example = [
"--exclude-file=/etc/nixos/restic-ignore"
];
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra extended options to be passed to the restic --option flag.
'';
example = [
"sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
];
};
initialize = mkOption {
type = types.bool;
default = false;
description = ''
Create the repository if it doesn't exist.
'';
};
pruneOpts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of options (--keep-\* et al.) for 'restic forget
--prune', to automatically prune old snapshots. The
'forget' command is run *after* the 'backup' command, so
keep that in mind when constructing the --keep-\* options.
'';
example = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
runCheck = mkOption {
type = types.bool;
default = (builtins.length config.services.restic.backups.${name}.checkOpts > 0);
defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';
description = "Whether to run the `check` command with the provided `checkOpts` options.";
example = true;
};
checkOpts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of options for 'restic check'.
'';
example = [
"--with-cache"
];
};
dynamicFilesFrom = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that produces a list of files to back up. The
results of this command are given to the '--files-from'
option. The result is merged with paths specified via `paths`.
'';
example = "find /home/matt/git -type d -name .git";
};
backupPrepareCommand = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that must run before starting the backup process.
'';
};
backupCleanupCommand = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that must run after finishing the backup process.
'';
};
package = mkPackageOption pkgs "restic" { };
createWrapper = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to generate and add a script to the system path, that has the same environment variables set
as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without
having to manually specify most options.
'';
};
};
}));
default = { };
example = {
localbackup = {
paths = [ "/home" ];
exclude = [ "/home/*/.cache" ];
initialize = true;
};
remotebackup = {
paths = [ "/home" ];
extraOptions = [
"sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
}; };
}; };
};
}; };
config = { config = {
services.restic.backups = let services.restic.backups =
stores = config.pub-solar-os.backups.stores; let
backups = config.pub-solar-os.backups.backups; stores = config.pub-solar-os.backups.stores;
backups = config.pub-solar-os.backups.backups;
storeNames = builtins.attrNames stores; storeNames = builtins.attrNames stores;
backupNames = builtins.attrNames backups; backupNames = builtins.attrNames backups;
createBackups = backupName: map createBackups =
(storeName: { backupName:
name = "${backupName}-${storeName}"; map (storeName: {
value = stores."${storeName}" // backups."${backupName}"; name = "${backupName}-${storeName}";
}) value = stores."${storeName}" // backups."${backupName}";
storeNames; }) storeNames;
in builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames)); in
builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames));
}; };
} }

4
modules/core/nix.nix
View file

@ -6,9 +6,7 @@
... ...
}: }:
{ {
nixpkgs.config = lib.mkDefault { nixpkgs.config = lib.mkDefault { allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ]; };
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
};
nix = { nix = {
# Use default version alias for nix package # Use default version alias for nix package

4
modules/keycloak/default.nix
View file

@ -42,9 +42,7 @@
}; };
}; };
nixpkgs.config = lib.mkDefault { nixpkgs.config = lib.mkDefault { permittedInsecurePackages = [ "keycloak-23.0.6" ]; };
permittedInsecurePackages = [ "keycloak-23.0.6" ];
};
# keycloak # keycloak
services.keycloak = { services.keycloak = {

55
tests/keycloak.nix
View file

@ -4,8 +4,10 @@
lib, lib,
config, config,
... ...
}: let }:
in { let
in
{
name = "keycloak"; name = "keycloak";
hostPkgs = pkgs; hostPkgs = pkgs;
@ -42,9 +44,7 @@ in {
./support/global.nix ./support/global.nix
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
"f /tmp/dbf 1777 root root 10d password"
];
virtualisation.memorySize = 4096; virtualisation.memorySize = 4096;
@ -65,27 +65,30 @@ in {
enableOCR = true; enableOCR = true;
testScript = {nodes, ...}: let testScript =
user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username}; { nodes, ... }:
#uid = toString user.uid; let
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus"; user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
gdbus = "${bus} gdbus"; #uid = toString user.uid;
su = command: "su - ${user.name} -c '${command}'"; bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
gseval = "call --session -d org.gnome.Shell -o /org/gnome/Shell -m org.gnome.Shell.Eval"; gdbus = "${bus} gdbus";
wmClass = su "${gdbus} ${gseval} global.display.focus_window.wm_class"; su = command: "su - ${user.name} -c '${command}'";
in '' gseval = "call --session -d org.gnome.Shell -o /org/gnome/Shell -m org.gnome.Shell.Eval";
start_all() wmClass = su "${gdbus} ${gseval} global.display.focus_window.wm_class";
in
''
start_all()
nachtigall.wait_for_unit("system.slice") nachtigall.wait_for_unit("system.slice")
nachtigall.succeed("ping 127.0.0.1 -c 2") nachtigall.succeed("ping 127.0.0.1 -c 2")
nachtigall.wait_for_unit("nginx.service") nachtigall.wait_for_unit("nginx.service")
nachtigall.wait_for_unit("keycloak.service") nachtigall.wait_for_unit("keycloak.service")
nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/") nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/") nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")
client.wait_for_unit("system.slice") client.wait_for_unit("system.slice")
client.sleep(30) client.sleep(30)
# client.wait_until_succeeds("${wmClass} | grep -q 'firefox'") # client.wait_until_succeeds("${wmClass} | grep -q 'firefox'")
client.screenshot("screen") client.screenshot("screen")
''; '';
} }

61
tests/support/ca.nix
View file

@ -3,14 +3,11 @@
lib, lib,
config, config,
... ...
}: { }:
imports = [ {
./global.nix imports = [ ./global.nix ];
];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "f /tmp/step-ca-intermediate-pw 1777 root root 10d password" ];
"f /tmp/step-ca-intermediate-pw 1777 root root 10d password"
];
networking.interfaces.eth0.ipv4.addresses = [ networking.interfaces.eth0.ipv4.addresses = [
{ {
@ -19,30 +16,32 @@
} }
]; ];
services.step-ca = let services.step-ca =
certificates = pkgs.stdenv.mkDerivation { let
name = "certificates"; certificates = pkgs.stdenv.mkDerivation {
src = ./step; name = "certificates";
installPhase = '' src = ./step;
mkdir -p $out; installPhase = ''
cp -r certs $out/ mkdir -p $out;
cp -r secrets $out/ cp -r certs $out/
''; cp -r secrets $out/
}; '';
in { };
enable = true; in
openFirewall = true; {
intermediatePasswordFile = "/tmp/step-ca-intermediate-pw"; enable = true;
port = 443; openFirewall = true;
address = "0.0.0.0"; intermediatePasswordFile = "/tmp/step-ca-intermediate-pw";
settings = (builtins.fromJSON (builtins.readFile ./step/config/ca.json)) // { port = 443;
root = "${certificates}/certs/root_ca.crt"; address = "0.0.0.0";
crt = "${certificates}/certs/intermediate_ca.crt"; settings = (builtins.fromJSON (builtins.readFile ./step/config/ca.json)) // {
key = "${certificates}/secrets/intermediate_ca_key"; root = "${certificates}/certs/root_ca.crt";
db = { crt = "${certificates}/certs/intermediate_ca.crt";
type = "badgerv2"; key = "${certificates}/secrets/intermediate_ca_key";
dataSource = "/var/lib/step-ca/db"; db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
};
}; };
}; };
};
} }

4
tests/support/client.nix
View file

@ -5,9 +5,7 @@
... ...
}: }:
{ {
imports = [ imports = [ ./global.nix ];
./global.nix
];
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;

29
tests/support/global.nix
View file

@ -3,14 +3,13 @@
lib, lib,
config, config,
... ...
}: { }:
{
pub-solar-os.networking.domain = "test.pub.solar"; pub-solar-os.networking.domain = "test.pub.solar";
security.acme.defaults.server = "https://ca.${config.pub-solar-os.networking.domain}/acme/acme/directory"; security.acme.defaults.server = "https://ca.${config.pub-solar-os.networking.domain}/acme/acme/directory";
security.pki.certificates = [ security.pki.certificates = [ (builtins.readFile ./step/certs/root_ca.crt) ];
(builtins.readFile ./step/certs/root_ca.crt)
];
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -24,16 +23,18 @@
security.pam.services.sshd.allowNullPassword = true; security.pam.services.sshd.allowNullPassword = true;
virtualisation.forwardPorts = let virtualisation.forwardPorts =
address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address; let
lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3; address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
in [ lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3;
{ in
from = "host"; [
host.port = 2000 + (lib.strings.toInt lastAddressPart); {
guest.port = 22; from = "host";
} host.port = 2000 + (lib.strings.toInt lastAddressPart);
]; guest.port = 22;
}
];
networking.interfaces.eth0.useDHCP = false; networking.interfaces.eth0.useDHCP = false;

82
tests/support/step/config/ca.json
View file

@ -1,46 +1,44 @@
{ {
"federatedRoots": null, "federatedRoots": null,
"address": ":443", "address": ":443",
"insecureAddress": "", "insecureAddress": "",
"dnsNames": [ "dnsNames": ["ca.test.pub.solar"],
"ca.test.pub.solar" "logger": {
], "format": "text"
"logger": { },
"format": "text" "db": {
}, "type": "badgerv2",
"db": { "badgerFileLoadingMode": ""
"type": "badgerv2", },
"badgerFileLoadingMode": "" "authority": {
}, "provisioners": [
"authority": {
"provisioners": [
{ {
"name": "acme", "name": "acme",
"type": "ACME" "type": "ACME"
}, },
{ {
"type": "JWK", "type": "JWK",
"name": "test.pub.solar", "name": "test.pub.solar",
"key": { "key": {
"use": "sig", "use": "sig",
"kty": "EC", "kty": "EC",
"kid": "lM-BJXRwwQcdgxLqAS4Za23A2YatZpwXx-PP5NIt8JM", "kid": "lM-BJXRwwQcdgxLqAS4Za23A2YatZpwXx-PP5NIt8JM",
"crv": "P-256", "crv": "P-256",
"alg": "ES256", "alg": "ES256",
"x": "ouB2mP04Kt8rDa10C8ZzYyzA36rrz-k0c4_ud1hVjyg", "x": "ouB2mP04Kt8rDa10C8ZzYyzA36rrz-k0c4_ud1hVjyg",
"y": "RbXKcudQRPEFqjG_5AxuqCQXn7pyRToQCwC4MrwLVUQ" "y": "RbXKcudQRPEFqjG_5AxuqCQXn7pyRToQCwC4MrwLVUQ"
}, },
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiNWR5T2puR2Y5aFFNRlc1U25fRWhzUSJ9.a3xtSBuMmzZCMsdfHAXMgFpe9bq8A6bGGOoW9F2Gw7AhxL4bG-AlgA.IA68rSJSGTAKnaVS.XDQc4da-8D9Ykfw-8S4uphsauq5gsEm4qp7zKQUIvcjUlnPAtiHP3xiiBie29ncdg8rKmyzprEEOpTNvXtQl7LsPsHXyKV3SqsTnJecvim9YXGDneAHyWe-XF6hyCZAfSoFbFMgLDKR6d44hMht3ueazL_TPlkFUBLrJbsW782MfdfF3nzcaDf_JDuhKsKHDmKqZyNXDzwf6rINe8adrf5gqaLM2_sGhk7i3XyXygn8HHVw1Dj_w2gPOVm4MS7CO_NgikPqAtGuXDhpWZfXte-FlnMO6d9xQF67b0cwB8kmColPSp1zRiCKPAk9vof8Nn-gGE_aw8zxPi0CJkoY.xbuqSSspgLc_Uw17uiRF7Q" "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiNWR5T2puR2Y5aFFNRlc1U25fRWhzUSJ9.a3xtSBuMmzZCMsdfHAXMgFpe9bq8A6bGGOoW9F2Gw7AhxL4bG-AlgA.IA68rSJSGTAKnaVS.XDQc4da-8D9Ykfw-8S4uphsauq5gsEm4qp7zKQUIvcjUlnPAtiHP3xiiBie29ncdg8rKmyzprEEOpTNvXtQl7LsPsHXyKV3SqsTnJecvim9YXGDneAHyWe-XF6hyCZAfSoFbFMgLDKR6d44hMht3ueazL_TPlkFUBLrJbsW782MfdfF3nzcaDf_JDuhKsKHDmKqZyNXDzwf6rINe8adrf5gqaLM2_sGhk7i3XyXygn8HHVw1Dj_w2gPOVm4MS7CO_NgikPqAtGuXDhpWZfXte-FlnMO6d9xQF67b0cwB8kmColPSp1zRiCKPAk9vof8Nn-gGE_aw8zxPi0CJkoY.xbuqSSspgLc_Uw17uiRF7Q"
} }
] ]
}, },
"tls": { "tls": {
"cipherSuites": [ "cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
], ],
"minVersion": 1.2, "minVersion": 1.2,
"maxVersion": 1.3, "maxVersion": 1.3,
"renegotiation": false "renegotiation": false
} }
} }

8
tests/support/step/config/defaults.json
View file

@ -1,6 +1,6 @@
{ {
"ca-url": "https://ca.test.pub.solar", "ca-url": "https://ca.test.pub.solar",
"ca-config": "/home/b12f/.step/config/ca.json", "ca-config": "/home/b12f/.step/config/ca.json",
"fingerprint": "4d6a1a918355380acbd0256a2203d0a0da8436bb788e8f19326589045c3cd842", "fingerprint": "4d6a1a918355380acbd0256a2203d0a0da8436bb788e8f19326589045c3cd842",
"root": "/home/b12f/.step/certs/root_ca.crt" "root": "/home/b12f/.step/certs/root_ca.crt"
} }