Permalink
Choose a base ref
{{ refName }}
default
Choose a head ref
{{ refName }}
default
Comparing changes
Choose two branches to see what’s changed or to start a new pull request.
If you need to, you can also or
learn more about diff comparisons.
Open a pull request
Create a new pull request by comparing changes across two branches. If you need to, you can also .
Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
base: 50cf2a715665
Could not load branches
Nothing to show
Could not load tags
Nothing to show
{{ refName }}
default
...
head repository: NixOS/nixpkgs
compare: 62711f426536
Could not load branches
Nothing to show
Could not load tags
Nothing to show
{{ refName }}
default
- 5 commits
- 4 files changed
- 1 contributor
Commits on Sep 13, 2017
-
nixos/tests: Add common modules for letsencrypt
These modules implement a way to test ACME based on a test instance of Letsencrypt's Boulder service. The service implementation is in letsencrypt.nix and the second module (resolver.nix) is a support-module for the former, but can also be used for tests not involving ACME. The second module provides a DNS server which hosts a root zone containing all the zones and /etc/hosts entries (except loopback) in the entire test network, so this can be very useful for other modules that need DNS resolution. Originally, I wrote these modules for the Headcounter deployment, but I've refactored them a bit to be generally useful to NixOS users. The original implementation can be found here: https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing Quoting parts from the commit message of the initial implementation of the Letsencrypt module in headcounter/deployment@95dfb31110397567534f2: This module is going to be used for tests where we need to impersonate an ACME service such as the one from Letsencrypt within VM tests, which is the reason why this module is a bit ugly (I only care if it's working not if it's beautiful). While the module isn't used anywhere, it will serve as a pluggable module for testing whether ACME works properly to fetch certificates and also as a replacement for our snakeoil certificate generator. Also quoting parts of the commit where I have refactored the same module in headcounter/deployment@85fa481: Now we have a fully pluggable module which automatically discovers in which network it's used via the nodes attribute. The test environment of Boulder used "dns-test-srv", which is a fake DNS server that's resolving almost everything to 127.0.0.1. On our setup this is not useful, so instead we're now running a local BIND name server which has a fake root zone and uses the mentioned node attribute to automatically discover other zones in the network of machines and generate delegations from the root zone to the respective zones with the primaryIPAddress of the node. ... We want to use real letsencrypt.org FQDNs here, so we can't get away with the snakeoil test certificates from the upstream project but now roll our own. This not only has the benefit that we can easily pass the snakeoil certificate to other nodes, but we can (and do) also use it for an nginx proxy that's now serving HTTPS for the Boulder web front end. The Headcounter deployment tests are simulating a production scenario with real IPs and nameservers so it won't need to rely on networking.extraHost. However in this implementation we don't necessarily want to do that, so I've added auto-discovery of networking.extraHosts in the resolver module. Another change here is that the letsencrypt module now falls back to using a local resolver, the Headcounter implementation on the other hand always required to add an extra test node which serves as a resolver. I could have squashed both modules into the final ACME test, but that would make it not very reusable, so that's the main reason why I put these modules in tests/common. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Configuration menu - View commit details
-
Copy full SHA for b3162a1 - Browse repository at this point
Copy the full SHA b3162a1View commit details -
nixos/tests: Add a basic test for ACME
The test here is pretty basic and only tests nginx, but it should get us started to write tests for different webservers and different ACME implementations. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Configuration menu - View commit details
-
Copy full SHA for 11b3ae7 - Browse repository at this point
Copy the full SHA 11b3ae7View commit details -
nixos/tests/letsencrypt: Fix nginx options
The enableSSL option has been deprecated in a912a6a, so we switch to using onlySSL. I've also explicitly disabled enableACME, because this is the default and we don't actually want to have ACME enabled for a host which runs an actual ACME server. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Configuration menu - View commit details
-
Copy full SHA for bda3831 - Browse repository at this point
Copy the full SHA bda3831View commit details -
nixos/tests/acme: Patch certifi with cacert
Since 67651d8 the requests package now depends on certifi, which in turn provides the CA root certificates that we need to replace. It might also be a good idea to actually patch certifi with our version of cacert by default so that if we want to override and/or add something we only need to do it once. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Cc: @fpletz, @k0ral, @FRidh
3Configuration menu - View commit details
-
Copy full SHA for 01fffd9 - Browse repository at this point
Copy the full SHA 01fffd9View commit details -
Merge pull request #27683 (add test for ACME)
This is a rebased version of the pull request with small fixes due to changes in recent master. Original description from the pull request: Currently this is only a very basic test which gets certificates via the enableACME option of the nginx module. However the main reason why I'm not directly merging and putting this up for review is that the complexity here lies in the support-modules needed for the test. The support modules are for running a Boulder instance along with a DNS resolver (as a separate module). For details about the implementation, see the commit messages and the comments at the start of the respective support modules. I'm merging this first of all because other than @abbradar, none of the other requested reviewers did comment on the changes and second because the change here is adding a test, so even if the implementation would be so disgusting and crappy it's better than having no test at all. The comment of @abbradar was: Can't we factor Boulder into a proper package and a NixOS service? Maybe not very general purpose for now but still -- putting everything into one test seems painful to me. My objection to this is that the components are heavily patched and some of them don't even have a release, so I'm not sure whether infesting pkgs/ with them is really a good idea. Nevertheless, we can still do that later. Cc: @fpletz, @domenkozar, @bjornfor
Configuration menu - View commit details
-
Copy full SHA for 62711f4 - Browse repository at this point
Copy the full SHA 62711f4View commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff 50cf2a715665...62711f426536