

4 Commits

Author SHA1 Message Date
ae4ace9fa2 Merge pull request 'treewide: run nginx -t on all nginx config files' (!32) from test-nginx-overlay into main
Some checks failed
Eval nix flake / evals (push) Failing after 1m46s
Reviewed-on: #32
2024-04-11 23:39:42 +02:00
8c72088d9c dynamically get configured acme certs for nginx test
Some checks failed
Eval nix flake / evals (push) Failing after 1m44s
Eval nix flake / evals (pull_request) Failing after 1m51s
2024-04-11 23:29:05 +02:00
0056029da7 treewide: bubblewrap nginx test 2024-04-11 23:28:54 +02:00
9b4fbd847f treewide: run nginx -t on all nginx config files 2024-04-11 23:28:54 +02:00
2 changed files with 33 additions and 1 deletions


@ -64,7 +64,11 @@
pkgs = import nixpkgs {
inherit system;
overlays = [ ] ++ config.overlays or [ ];
overlays = [
(import ./overlays/nginx-test.nix
(builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs)
)
] ++ config.overlays or [ ];
};
}
(removeAttrs config [ "modules" "overlays" ])

28
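--- a/overlays/nginx-test.nix
+++ b/overlays/nginx-test.nix
@@ -0,0 +1,28 @@
+acme-certs: final: prev:
+let
+lib = final.lib;
+crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+in {
+writers = prev.writers // {
+writeNginxConfig = name: text: final.runCommandLocal name {
+nginxConfig = prev.writers.writeNginxConfig name text;
+nativeBuildInputs = [ final.bubblewrap ];
+} ''
+ln -s "$nginxConfig" "$out"
+set +o pipefail
+bwrap \
+--ro-bind "${crt}" "/etc/certs/nginx.crt" \
+--ro-bind "${key}" "/etc/certs/nginx.key" \
+--ro-bind "/nix" "/nix" \
+--ro-bind "/etc/hosts" "/etc/hosts" \
+--dir "/run/nginx" \
+--dir "/tmp" \
+--dir "/var/log/nginx" \
+${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
+${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
+${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
+${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
+'';
+};
+}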
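Review bot: The verdict at the end of the build script only greps for `syntax is ok`, and the preceding `set +o pipefail` throws away nginx's own exit status, so a `nginx -t` run that parses cleanly but then fails later in its checks (my recollection is that nginx prints `syntax is ok` after parsing and only afterwards prints `test is successful` or `test failed`) still yields a successful derivation, which defeats the purpose of the overlay. Keeping stdenv's pipefail and matching the final verdict, `${lib.getExe final.nginx} -t -c "$out" |& grep "test is successful"`, would make the build fail whenever nginx does; if pipefail was disabled because nginx exits non-zero for a known benign reason inside the bwrap sandbox, a comment naming that reason next to `set +o pipefail` would spare the next reader the same investigation. The `name` bound in the three `concatMapStrings` lambdas also shadows the `name` parameter of `writeNginxConfig`, and renaming it to `cert` avoids that confusion. I cannot tell from this page whether the user namespaces bubblewrap needs are available inside the Nix build sandbox on the CI runner, since the failing checks shown above stop at the eval stage, so that is worth confirming before relying on this test.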