treewide: bubblewrap nginx test
This commit is contained in:
parent
9b4fbd847f
commit
0056029da7
17
flake.nix
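--- a/flake.nix
+++ b/flake.nix
@@ -65,7 +65,22 @@
 pkgs = import nixpkgs {
 inherit system;
 overlays = [
-(import ./overlays/nginx-test.nix)
+(import ./overlays/nginx-test.nix
+# List of all the acme certs from all hosts
+# Would be nice to dynamically get this per host
+[
+"ildkule.pvv.ntnu.no"
+"git.pvv.ntnu.no"
+"wiki.pvv.ntnu.no"
+"webmail.pvv.ntnu.no"
+"postgres.pvv.ntnu.no"
+"idp.pvv.ntnu.no"
+"matrix.pvv.ntnu.no"
+"chat.pvv.ntnu.no"
+"brzeczyszczykiewicz.pvv.ntnu.no"
+"georg.pvv.ntnu.no"
+]
+)
 ] ++ config.overlays or [ ];
 };
 }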
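Review bot: The hard-coded hostname list passed to `./overlays/nginx-test.nix` is the only thing that decides which `/var/lib/acme/<name>/{fullchain,key,chain}.pem` paths exist inside the bubblewrap sandbox, so a certificate added to any host's nginx config without an entry here makes that host's `writeNginxConfig` derivation fail with an nginx error about a certificate file it cannot load, even though the file exists on the real machine. The new comment acknowledges the duplication but not this consequence; I would extend it to `# Keep in sync with every host's security.acme.certs: a missing entry fails that host's nginx config check (cert file not found inside the sandbox)`. Deriving the names from the hosts' `security.acme.certs` attribute sets would remove the hazard, if evaluation order allows it from this point in the flake.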
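--- a/overlays/nginx-test.nix
+++ b/overlays/nginx-test.nix
@@ -1,11 +1,28 @@
-final: prev: {
+acme-certs: final: prev:
+let
+lib = final.lib;
+crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+in {
 writers = prev.writers // {
 writeNginxConfig = name: text: final.runCommandLocal name {
 nginxConfig = prev.writers.writeNginxConfig name text;
-nativeBuildInputs = [ final.nginx ];
+nativeBuildInputs = [ final.bubblewrap ];
 } ''
 ln -s "$nginxConfig" "$out"
-nginx -t -c "$out"
+set +o pipefail
+bwrap \
+--ro-bind "${crt}" "/etc/certs/nginx.crt" \
+--ro-bind "${key}" "/etc/certs/nginx.key" \
+--ro-bind "/nix" "/nix" \
+--ro-bind "/etc/hosts" "/etc/hosts" \
+--dir "/run/nginx" \
+--dir "/tmp" \
+--dir "/var/log/nginx" \
+${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
+${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
+${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
+${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
 '';
 };
 }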
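Review bot: The three `lib.concatMapStrings` lines build the per-cert `--ro-bind` arguments with a trailing backslash but no separator, so consecutive entries are glued together as `… \--ro-bind …` and only parse because bash turns `\-` into a literal `-`; the hostnames are also interpolated into the shell command without escaping. Building a flat argument list in Nix and rendering it with `lib.escapeShellArgs` removes both the line-continuation trick and the reliance on the list containing only shell-safe names, and a single `${certBinds}` substitution keeps the `bwrap` invocation readable. Separately, `set +o pipefail` makes the pipeline's status grep's alone, so nginx's own exit code is discarded; if the intent is to accept errors nginx reports after the parse step (paths it cannot open inside the sandbox), a comment such as `# Only the parse result matters; post-parse errors (log/pid paths) are expected inside bwrap` above the `set +o pipefail` line should say so.
```nix
let
  # … unchanged: lib, crt, key …
  certBinds = lib.escapeShellArgs (lib.concatMap (name: [
    "--ro-bind" crt "/var/lib/acme/${name}/fullchain.pem"
    "--ro-bind" key "/var/lib/acme/${name}/key.pem"
    "--ro-bind" crt "/var/lib/acme/${name}/chain.pem"
  ]) acme-certs);
# … unchanged: in { writers = … writeNginxConfig … bwrap --ro-bind/--dir arguments … …
        ${certBinds} \
        ${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
```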