982c5a1f0e
- Use an acme user and group, allow group override only - Use hashes to determine when certs actually need to regenerate - Avoid running lego more than necessary - Harden permissions - Support "systemctl clean" for cert regeneration - Support reuse of keys between some configuration changes - Permissions fix services solves for previously root owned certs - Add a note about multiple account creation and emails - Migrate extraDomains to a list - Deprecate user option - Use minica for self-signed certs - Rewrite all tests I thought of a few more cases where things may go wrong, and added tests to cover them. In particular, the web server reload services were depending on the target - which stays alive, meaning that the renewal timer wouldn't be triggering a reload and old certs would stay on the web servers. I encountered some problems ensuring that the reload took place without accidently triggering it as part of the test. The sync commands I added ended up being essential and I'm not sure why, it seems like either node.succeed ends too early or there's an oddity of the vm's filesystem I'm not aware of. - Fix duplicate systemd rules on reload services Since useACMEHost is not unique to every vhost, if one cert was reused many times it would create duplicate entries in ${server}-config-reload.service for wants, before and ConditionPathExists
78 lines
2.2 KiB
Nix
78 lines
2.2 KiB
Nix
let
|
|
certs = import ./common/acme/server/snakeoil-certs.nix;
|
|
domain = certs.domain;
|
|
in
|
|
import ./make-test-python.nix {
|
|
name = "postfix";
|
|
|
|
machine = { pkgs, ... }: {
|
|
imports = [ common/user-account.nix ];
|
|
services.postfix = {
|
|
enable = true;
|
|
enableSubmission = true;
|
|
enableSubmissions = true;
|
|
sslCACert = certs.ca.cert;
|
|
sslCert = certs.${domain}.cert;
|
|
sslKey = certs.${domain}.key;
|
|
submissionsOptions = {
|
|
smtpd_sasl_auth_enable = "yes";
|
|
smtpd_client_restrictions = "permit";
|
|
milter_macro_daemon_name = "ORIGINATING";
|
|
};
|
|
};
|
|
|
|
security.pki.certificateFiles = [
|
|
certs.ca.cert
|
|
];
|
|
|
|
networking.extraHosts = ''
|
|
127.0.0.1 ${domain}
|
|
'';
|
|
|
|
environment.systemPackages = let
|
|
sendTestMail = pkgs.writeScriptBin "send-testmail" ''
|
|
#!${pkgs.python3.interpreter}
|
|
import smtplib
|
|
|
|
with smtplib.SMTP('${domain}') as smtp:
|
|
smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test\n\nTest data.')
|
|
smtp.quit()
|
|
'';
|
|
|
|
sendTestMailStarttls = pkgs.writeScriptBin "send-testmail-starttls" ''
|
|
#!${pkgs.python3.interpreter}
|
|
import smtplib
|
|
import ssl
|
|
|
|
ctx = ssl.create_default_context()
|
|
|
|
with smtplib.SMTP('${domain}') as smtp:
|
|
smtp.ehlo()
|
|
smtp.starttls(context=ctx)
|
|
smtp.ehlo()
|
|
smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test STARTTLS\n\nTest data.')
|
|
smtp.quit()
|
|
'';
|
|
|
|
sendTestMailSmtps = pkgs.writeScriptBin "send-testmail-smtps" ''
|
|
#!${pkgs.python3.interpreter}
|
|
import smtplib
|
|
import ssl
|
|
|
|
ctx = ssl.create_default_context()
|
|
|
|
with smtplib.SMTP_SSL(host='${domain}', context=ctx) as smtp:
|
|
smtp.sendmail('root@localhost', 'alice@localhost', 'Subject: Test SMTPS\n\nTest data.')
|
|
smtp.quit()
|
|
'';
|
|
in [ sendTestMail sendTestMailStarttls sendTestMailSmtps ];
|
|
};
|
|
|
|
testScript = ''
|
|
machine.wait_for_unit("postfix.service")
|
|
machine.succeed("send-testmail")
|
|
machine.succeed("send-testmail-starttls")
|
|
machine.succeed("send-testmail-smtps")
|
|
'';
|
|
}
|