nixos/tests: Add a basic test for ACME

The test here is pretty basic and only tests nginx, but it should get us
started to write tests for different webservers and different ACME
implementations.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

2 files changed, 63 insertions, 0 deletions

diff --git a/nixos/release.nix b/nixos/release.nix
index 34198a9506470..38c446c1f8a46 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -214,6 +214,7 @@ in rec {
   # Run the tests for each platform.  You can run a test by doing
   # e.g. ‘nix-build -A tests.login.x86_64-linux’, or equivalently,
   # ‘nix-build tests/login.nix -A result’.
+  tests.acme = callTest tests/acme.nix {};
   tests.avahi = callTest tests/avahi.nix {};
   tests.bittorrent = callTest tests/bittorrent.nix {};
   tests.blivet = callTest tests/blivet.nix {};
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
new file mode 100644
index 0000000000000..a48f4d75ae3ee
--- /dev/null
+++ b/nixos/tests/acme.nix
@@ -0,0 +1,62 @@
+let
+  commonConfig = { config, lib, pkgs, nodes, ... }: {
+    networking.nameservers = [
+      nodes.letsencrypt.config.networking.primaryIPAddress
+    ];
+
+    nixpkgs.overlays = lib.singleton (self: super: {
+      cacert = super.cacert.overrideDerivation (drv: {
+        installPhase = (drv.installPhase or "") + ''
+          cat "${nodes.letsencrypt.config.test-support.letsencrypt.caCert}" \
+            >> "$out/etc/ssl/certs/ca-bundle.crt"
+        '';
+      });
+
+      pythonPackages = (super.python.override {
+        packageOverrides = lib.const (pysuper: {
+          requests = pysuper.requests.overrideDerivation (drv: {
+            postPatch = (drv.postPatch or "") + ''
+              cat "${self.cacert}/etc/ssl/certs/ca-bundle.crt" \
+                > requests/cacert.pem
+            '';
+          });
+        });
+      }).pkgs;
+    });
+  };
+
+in import ./make-test.nix {
+  name = "acme";
+
+  nodes = {
+    letsencrypt = ./common/letsencrypt.nix;
+
+    webserver = { config, pkgs, ... }: {
+      imports = [ commonConfig ];
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+      networking.extraHosts = ''
+        ${config.networking.primaryIPAddress} example.com
+      '';
+
+      services.nginx.enable = true;
+      services.nginx.virtualHosts."example.com" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".root = pkgs.runCommand "docroot" {} ''
+          mkdir -p "$out"
+          echo hello world > "$out/index.html"
+        '';
+      };
+    };
+
+    client = commonConfig;
+  };
+
+  testScript = ''
+    $letsencrypt->waitForUnit("boulder.service");
+    startAll;
+    $webserver->waitForUnit("acme-certificates.target");
+    $client->succeed('curl https://example.com/ | grep -qF "hello world"');
+  '';
+}