diff --git a/flake.nix b/flake.nix index 20bfb19..ca5d98e 100644 --- a/flake.nix +++ b/flake.nix @@ -65,7 +65,22 @@ pkgs = import nixpkgs { inherit system; overlays = [ - (import ./overlays/nginx-test.nix) + (import ./overlays/nginx-test.nix + # List of all the acme certs from all hosts + # Would be nice to dynamically get this per host + [ + "ildkule.pvv.ntnu.no" + "git.pvv.ntnu.no" + "wiki.pvv.ntnu.no" + "webmail.pvv.ntnu.no" + "postgres.pvv.ntnu.no" + "idp.pvv.ntnu.no" + "matrix.pvv.ntnu.no" + "chat.pvv.ntnu.no" + "brzeczyszczykiewicz.pvv.ntnu.no" + "georg.pvv.ntnu.no" + ] + ) ] ++ config.overlays or [ ]; }; } diff --git a/overlays/nginx-test.nix b/overlays/nginx-test.nix index 4cef5ab..ef82377 100644 --- a/overlays/nginx-test.nix +++ b/overlays/nginx-test.nix @@ -1,11 +1,28 @@ -final: prev: { +acme-certs: final: prev: + let + lib = final.lib; + crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem"; + key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem"; + in { writers = prev.writers // { writeNginxConfig = name: text: final.runCommandLocal name { nginxConfig = prev.writers.writeNginxConfig name text; - nativeBuildInputs = [ final.nginx ]; + nativeBuildInputs = [ final.bubblewrap ]; } '' ln -s "$nginxConfig" "$out" - nginx -t -c "$out" + set +o pipefail + bwrap \ + --ro-bind "${crt}" "/etc/certs/nginx.crt" \ + --ro-bind "${key}" "/etc/certs/nginx.key" \ + --ro-bind "/nix" "/nix" \ + --ro-bind "/etc/hosts" "/etc/hosts" \ + --dir "/run/nginx" \ + --dir "/tmp" \ + --dir "/var/log/nginx" \ + ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs} + ${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs} + ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs} + ${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok" ''; }; }