7
+
# cant use .test, since that gets caught by traefik
9
+
secret = "1234567890";
11
+
dnsServerIP = nodes: nodes.dnsserver.networking.primaryIPAddress;
16
+
meta.maintainers = with lib.maintainers; [
21
+
# The full test is not yet implemented, but once upstream supports a way to
22
+
# configure Pangolin non-interactively, the full test will look like the following:
23
+
# - 'acme': ACME server to replace the real servers at Let's Encrypt.
24
+
# - 'dnsserver': The pebble challenge test server so we can use a private DNS
25
+
# for everything here.
26
+
# - 'VPS': The Pangolin instance, running Gerbil, Traefik, and Badger as well.
27
+
# - 'privateHost': The private server running an HTTP server on its local
28
+
# network that will be tunnelled via Newt to the VPS.
29
+
# - 'client': An outside node that will test if the service hosted in
30
+
# 'privateHost' is publicly accessible.
31
+
# TODO: In the future, we should also have a machine to test the
32
+
# functionality of Olm, as well as a split Pangolin/Gerbil
33
+
# configuration once that is implemented into the module.
38
+
imports = [ ./common/acme/server ];
39
+
networking.nameservers = lib.mkForce [ (dnsServerIP nodes) ];
46
+
firewall.allowedTCPPorts = [
50
+
firewall.allowedUDPPorts = [ 53 ];
52
+
# nixos/lib/testing/network.nix will provide name resolution via /etc/hosts
53
+
# for all nodes based on their host names and domain
54
+
hostName = "dnsserver";
57
+
systemd.services.pebble-challtestsrv = {
58
+
description = "Pebble ACME challenge test server";
59
+
wantedBy = [ "network.target" ];
61
+
ExecStart = "${lib.getExe' pkgs.pebble "pebble-challtestsrv"} -dns01 ':53' -defaultIPv6 '' -defaultIPv4 '${nodes.VPS.networking.primaryIPAddress}'";
62
+
# Required to bind on privileged ports.
63
+
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
71
+
imports = [ ./common/acme/client ];
74
+
hosts.${nodes.VPS.networking.primaryIPAddress} = [
76
+
"pangolin.${domain}"
78
+
nameservers = lib.mkForce [ (dnsServerIP nodes) ];
83
+
"nixos/secrets/pangolin.env".text = ''
84
+
SERVER_SECRET=${secret}
92
+
baseDomain = domain;
93
+
letsEncryptEmail = "pangolin@${domain}";
94
+
openFirewall = true;
95
+
environmentFile = "/etc/nixos/secrets/pangolin.env";
97
+
flags.enable_integration_api = true;
100
+
# set up local ca server, so we can get our certs signed without going on the internet
101
+
traefik.staticConfigOptions.certificatesResolvers.letsencrypt.acme.caServer =
102
+
lib.mkForce "https://${nodes.acme.test-support.acme.caDomain}/dir";
108
+
${(import ./acme/utils.nix).pythonUtils}
110
+
with subtest("start ACME and DNS server"):
112
+
wait_for_running(acme)
113
+
acme.wait_for_open_port(443)
115
+
dnsserver.wait_for_open_port(53)
119
+
with subtest("start Pangolin"):
120
+
VPS.wait_for_unit("pangolin.service")
121
+
VPS.wait_for_open_port(3000)
122
+
VPS.wait_for_open_port(3001)
123
+
VPS.wait_for_open_port(3002)
124
+
VPS.wait_for_open_port(3003)
126
+
with subtest("start Gerbil"):
127
+
VPS.wait_for_unit("gerbil.service")
129
+
with subtest("start Traefik"):
130
+
VPS.wait_for_unit("traefik.service")
131
+
VPS.wait_for_open_port(80)
132
+
VPS.wait_for_open_port(443)
134
+
with subtest("check traefik certs}"):
135
+
download_ca_certs(VPS, "acme.test")