nixpkgs/nixos/tests/acme/default.nix

{ runTest }:
nixos/acme: improve scalability - reduce superfluous unit activations

The previous setup caused all renewal units to be triggered upon ever so slight changes in config. In larger setups (100+ certificates) adding a new certificate caused high system load and/or large memory consumption issues. The memory issues are already alleviated with the locking mechanism. However, this then causes long delays upwards of multiple minutes depending on individual runs and also caused superfluous activations.

In this change we streamline the overall setup of units:

1. The unit that other services can depend upon is 'acme-{cert}.service'. We call this the 'base unit'. As this one has `RemainAfterExit` set, the `acme-finished-{cert}` targets are not required any longer.
2. We now always generate initial self-signed certificates to simplify the dependency structure. This deprecates the `preliminarySelfsigned` option.
3. The `acme-order-renew-{cert}` service gets activated after the base unit and services using certificates have started and performs all acme interactions. When it finishes, other services (like web servers) will be notified through the `reloadServices` option or they can use `wantedBy` and `after` dependencies if they implement their own reload units. The renewal timer also triggers this unit.
4. The timer unit is explicitly blocked from being started by s-t-c.
5. Permission management has been cleaned up a bit: there was an inconsistency between having the .lego files set to 600 vs 640 on the exposed side. This is unified to 640 now.
6. Exempt the account target from being restarted by s-t-c. This will happen automatically if something relevant to the account changes.

2025-08-08 16:28:42 +02:00
let
  domain = "example.test";
in
{
  http01-builtin = runTest ./http01-builtin.nix;
  dns01 = runTest ./dns01.nix;
  caddy = runTest ./caddy.nix;
  nginx = runTest (
    import ./webserver.nix {
      inherit domain;
      serverName = "nginx";
      group = "nginx";
      baseModule = {
        services.nginx = {
          enable = true;
          enableReload = true;
          logError = "stderr info";
          # This tests a number of things at once:
          # - Self-signed certs are in place before the webserver startup
          # - Nginx is started before acme renewal is attempted
          # - useACMEHost behaves as expected
          # - acmeFallbackHost behaves as expected
          virtualHosts.default = {
            default = true;
            addSSL = true;
            useACMEHost = "proxied.example.test";
            acmeFallbackHost = "localhost:8080";
          };
        };
        specialisation.nullroot.configuration = {
          services.nginx.virtualHosts."nullroot.${domain}".acmeFallbackHost = "localhost:8081";
        };
      };
    }
  );
  httpd = runTest (
    import ./webserver.nix {
      inherit domain;
      serverName = "httpd";
      group = "wwwrun";
      baseModule = {
        services.httpd = {
          enable = true;
          # This is the default by virtue of being the first defined vhost.
          virtualHosts.default = {
            addSSL = true;
            useACMEHost = "proxied.example.test";
            locations."/.well-known/acme-challenge" = {
              proxyPass = "http://localhost:8080/.well-known/acme-challenge";
              extraConfig = ''
                ProxyPreserveHost On
              '';
            };
          };
        };
        specialisation.nullroot.configuration = {
          services.httpd.virtualHosts."nullroot.${domain}" = {
            locations."/.well-known/acme-challenge" = {
              proxyPass = "http://localhost:8081/.well-known/acme-challenge";
              extraConfig = ''
                ProxyPreserveHost On
              '';
            };
          };
        };
      };
    }
  );
}
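The blame annotation above fixes the 600-vs-640 inconsistency on the exposed certificate files, and both harness instances name the web server group (`nginx`, `wwwrun`) that has to be able to read them. That policy is worth checking on a live host rather than trusting: a key at 0644 is readable by every local user, while a key at 0600 makes the web server fail to load it. The following is an added example, not code from nixpkgs or from the test above; the /var/lib/acme/<cert>/ location and the group names are assumptions, and the files it inspects in `demo()` are constructed placeholders.

```python
"""Permission check for exposed ACME certificate files.

Added example for this page, not code from nixpkgs or from the test above.
Assumed (not stated on the page): certificates live under a directory such
as /var/lib/acme/<cert>/ and are read by a web server group like "nginx".
"""
import grp
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_MODE = 0o640  # the unified mode named in the blame annotation


def group_id(group):
    """Resolve a group name to a gid; a numeric gid is returned unchanged."""
    if isinstance(group, int):
        return group
    return grp.getgrnam(group).gr_gid


def check_cert_dir(cert_dir, group=None, expected_mode=EXPECTED_MODE):
    """Return findings for regular files in cert_dir; empty means compliant.

    Reported: permission bits beyond expected_mode (world-accessible bits are
    named separately, the dangerous case for a private key); when a web
    server group is given, files that deny group read (the 600-vs-640
    inconsistency, which makes the web server fail to load the key) and
    files owned by another group. Symlinks are listed, not followed.
    """
    findings = []
    want_gid = None if group is None else group_id(group)
    for entry in sorted(Path(cert_dir).iterdir()):
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{entry.name}: symlink -> {os.readlink(entry)}")
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~expected_mode
        if extra:
            kind = "world-accessible" if extra & 0o007 else "too permissive"
            findings.append(
                f"{entry.name}: {kind} mode {mode:04o} "
                f"(expected at most {expected_mode:04o})"
            )
        if want_gid is not None:
            if not mode & stat.S_IRGRP:
                findings.append(
                    f"{entry.name}: mode {mode:04o} denies group read, "
                    f"so group {group} cannot load it"
                )
            if st.st_gid != want_gid:
                findings.append(
                    f"{entry.name}: gid {st.st_gid} is not web server gid {want_gid}"
                )
    return findings


def demo():
    """Run the check against a constructed directory (placeholder files,
    not real ACME output) and return findings for three scenarios."""
    with tempfile.TemporaryDirectory() as root:
        fixture = {
            "fullchain.pem": 0o640,  # compliant
            "key.pem": 0o600,        # the old, too-strict mode
            "cert.pem": 0o644,       # world-readable
            "chain.pem": 0o660,      # group-writable
        }
        for name, mode in fixture.items():
            path = Path(root, name)
            path.write_text("constructed placeholder, not a real PEM\n")
            os.chmod(path, mode)
        # Use the gid the files actually received, so the demo does not
        # depend on the host's group database.
        web_gid = os.stat(Path(root, "fullchain.pem")).st_gid
        return {
            "no_group": check_cert_dir(root),
            "web_group": check_cert_dir(root, group=web_gid),
            "wrong_group": check_cert_dir(root, group=web_gid + 1),
        }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"[{scenario}] {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

On a real host you would call `check_cert_dir("/var/lib/acme/proxied.example.test", group="nginx")` (path and group assumed) and treat any finding as a failure in a post-activation check; passing the group is what catches the too-strict 0600 case, which a plain "is it world-readable" check would miss.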