pyrox.dev / nixpkgs
lol
fork atom

nixos/acme: Fix cert renewal with built in webserver

Fixes #191794

Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.

Lucas Savva 39796cad 22d41f92

options
unified split
Changed files
+21 -1
nixos
modules
security
acme
default.nix
tests
acme.nix
+1
nixos/modules/security/acme/default.nix 
···

       
325

       
325

       
 

       
        '');


     

       
326

       
326

       
 

       
      } // optionalAttrs (data.listenHTTP != null && toInt (elemAt (splitString ":" data.listenHTTP) 1) < 1024) {


     

       
327

       
327

       
 

       
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];


     

       

       
328

       
+

       
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];


     

       
328

       
329

       
 

       
      };


     

       
329

       
330

       
 

       



     

       
330

       
331

       
 

       
      # Working directory will be /tmp
+20 -1
nixos/tests/acme.nix 
···

       
173

       
173

       
 

       
      services.nginx.logError = "stderr info";


     

       
174

       
174

       
 

       



     

       
175

       
175

       
 

       
      specialisation = {


     

       

       
176

       
+

       
        # Tests HTTP-01 verification using Lego's built-in web server


     

       

       
177

       
+

       
        http01lego.configuration = { ... }: {


     

       

       
178

       
+

       
          security.acme = {


     

       

       
179

       
+

       
            certs."http.example.test" = {


     

       

       
180

       
+

       
              listenHTTP = ":80";


     

       

       
181

       
+

       
            };


     

       

       
182

       
+

       
          };


     

       

       
183

       
+

       



     

       

       
184

       
+

       
          networking.firewall.allowedTCPPorts = [ 80 ];


     

       

       
185

       
+

       
        };


     

       

       
186

       
+

       



     

       
176

       
187

       
 

       
        # First derivation used to test general ACME features


     

       
177

       
188

       
 

       
        general.configuration = { ... }: let


     

       
178

       
189

       
 

       
          caDomain = nodes.acme.test-support.acme.caDomain;


     
···

       
446

       
457

       
 

       



     

       
447

       
458

       
 

       
      download_ca_certs(client)


     

       
448

       
459

       
 

       



     

       
449

       

       
-

       
      # Perform general tests first


     

       

       
460

       
+

       
      # Perform http-01 w/ lego test first


     

       

       
461

       
+

       
      switch_to(webserver, "http01lego")


     

       

       
462

       
+

       



     

       

       
463

       
+

       
      with subtest("Can request certificate with Lego's built in web server"):


     

       

       
464

       
+

       
          webserver.wait_for_unit("acme-finished-http.example.test.target")


     

       

       
465

       
+

       
          check_fullchain(webserver, "http.example.test")


     

       

       
466

       
+

       
          check_issuer(webserver, "http.example.test", "pebble")


     

       

       
467

       
+

       



     

       

       
468

       
+

       
      # Perform general tests


     

       
450

       
469

       
 

       
      switch_to(webserver, "general")


     

       
451

       
470

       
 

       



     

       
452

       
471

       
 

       
      with subtest("Can request certificate with HTTP-01 challenge"):