From 9b4fbd847ff1756541261061d6b74c8bcfa02ec7 Mon Sep 17 00:00:00 2001
From: Daniel Olsen <daniel.olsen99@gmail.com>
Date: Thu, 11 Apr 2024 21:20:25 +0200
Subject: [PATCH 1/3] treewide: run nginx -t on all nginx config files

---
 flake.nix               |  4 +++-
 overlays/nginx-test.nix | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 overlays/nginx-test.nix

diff --git a/flake.nix b/flake.nix
index e2d0bea..20bfb19 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,7 +64,9 @@
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [ ] ++ config.overlays or [ ];
+            overlays = [
+              (import ./overlays/nginx-test.nix)
+            ] ++ config.overlays or [ ];
           };
         }
         (removeAttrs config [ "modules" "overlays" ])
diff --git a/overlays/nginx-test.nix b/overlays/nginx-test.nix
new file mode 100644
index 0000000..4cef5ab
--- /dev/null
+++ b/overlays/nginx-test.nix
@@ -0,0 +1,11 @@
+final: prev: {
+  writers = prev.writers // {
+    writeNginxConfig = name: text: final.runCommandLocal name {
+      nginxConfig = prev.writers.writeNginxConfig name text;
+      nativeBuildInputs = [ final.nginx ];
+    } ''
+      ln -s "$nginxConfig" "$out"
+      nginx -t -c "$out"
+    '';
+  };
+}
-- 
2.44.1


From 0056029da7a6ea28a81081f5cf2bbf6a3d17dcb5 Mon Sep 17 00:00:00 2001
From: Daniel Olsen <daniel.olsen99@gmail.com>
Date: Thu, 11 Apr 2024 23:19:41 +0200
Subject: [PATCH 2/3] treewide: bubblewrap nginx test

---
 flake.nix               | 17 ++++++++++++++++-
 overlays/nginx-test.nix | 23 ++++++++++++++++++++---
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/flake.nix b/flake.nix
index 20bfb19..ca5d98e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,7 +65,22 @@
           pkgs = import nixpkgs {
             inherit system;
             overlays = [
-              (import ./overlays/nginx-test.nix)
+              (import ./overlays/nginx-test.nix
+                # List of all the acme certs from all hosts
+                # Would be nice to dynamically get this per host
+                [
+                  "ildkule.pvv.ntnu.no"
+                  "git.pvv.ntnu.no"
+                  "wiki.pvv.ntnu.no"
+                  "webmail.pvv.ntnu.no"
+                  "postgres.pvv.ntnu.no"
+                  "idp.pvv.ntnu.no"
+                  "matrix.pvv.ntnu.no"
+                  "chat.pvv.ntnu.no"
+                  "brzeczyszczykiewicz.pvv.ntnu.no"
+                  "georg.pvv.ntnu.no"
+                ]
+              )
             ] ++ config.overlays or [ ];
           };
         }
diff --git a/overlays/nginx-test.nix b/overlays/nginx-test.nix
index 4cef5ab..ef82377 100644
--- a/overlays/nginx-test.nix
+++ b/overlays/nginx-test.nix
@@ -1,11 +1,28 @@
-final: prev: {
+acme-certs: final: prev:
+  let
+    lib = final.lib;
+    crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+    key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+  in {
   writers = prev.writers // {
     writeNginxConfig = name: text: final.runCommandLocal name {
       nginxConfig = prev.writers.writeNginxConfig name text;
-      nativeBuildInputs = [ final.nginx ];
+      nativeBuildInputs = [ final.bubblewrap ];
     } ''
       ln -s "$nginxConfig" "$out"
-      nginx -t -c "$out"
+      set +o pipefail
+      bwrap \
+        --ro-bind "${crt}" "/etc/certs/nginx.crt" \
+        --ro-bind "${key}" "/etc/certs/nginx.key" \
+        --ro-bind "/nix" "/nix" \
+        --ro-bind "/etc/hosts" "/etc/hosts" \
+        --dir "/run/nginx" \
+        --dir "/tmp" \
+        --dir "/var/log/nginx" \
+        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
+        ${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
+        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
+        ${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
     '';
   };
 }
-- 
2.44.1


From 8c72088d9c8c7ec025ca1ab3ddc5fa97567ddf35 Mon Sep 17 00:00:00 2001
From: Daniel Olsen <daniel.olsen99@gmail.com>
Date: Thu, 11 Apr 2024 23:27:37 +0200
Subject: [PATCH 3/3] dynamically get configured acme certs for nginx test

---
 flake.nix | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/flake.nix b/flake.nix
index ca5d98e..2310ce7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -66,20 +66,7 @@
             inherit system;
             overlays = [
               (import ./overlays/nginx-test.nix
-                # List of all the acme certs from all hosts
-                # Would be nice to dynamically get this per host
-                [
-                  "ildkule.pvv.ntnu.no"
-                  "git.pvv.ntnu.no"
-                  "wiki.pvv.ntnu.no"
-                  "webmail.pvv.ntnu.no"
-                  "postgres.pvv.ntnu.no"
-                  "idp.pvv.ntnu.no"
-                  "matrix.pvv.ntnu.no"
-                  "chat.pvv.ntnu.no"
-                  "brzeczyszczykiewicz.pvv.ntnu.no"
-                  "georg.pvv.ntnu.no"
-                ]
+                (builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs)
               )
             ] ++ config.overlays or [ ];
           };
-- 
2.44.1