Unverified Commit afee6318 authored by Jeremy Fleischman's avatar Jeremy Fleischman

nixos/step-ca: use `pathWith` for `intermediatePasswordFile`

This lets us remove an assertion, because `pathWith` can require that a
file not be in the store.

Note that the old assertion didn't quite do what we wanted: it prevented
you from using top level store paths (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates`), but was
ok with sub-files (such as
`/nix/store/gg8578vvbcf1wpqvk85bigi5s4pvylkk-test-certificates/intermediate-password-file`).

Now that we're stricter, we need some way to populate
`intermediatePasswordFile` in our test without making the type unhappy.
I opted to solve that by creating a file in `/etc`.
parent d8b348c8
+4 −12
@@ -60,7 +60,10 @@ in
        '';
      };
      intermediatePasswordFile = lib.mkOption {
        type = lib.types.path;
        type = lib.types.pathWith {
          inStore = false;
          absolute = true;
        };
        example = "/run/keys/smallstep-password";
        description = ''
          Path to the file containing the password for the intermediate
@@ -86,17 +89,6 @@ in
      );
    in
    {
      assertions = [
        {
          assertion = !lib.isStorePath cfg.intermediatePasswordFile;
          message = ''
            <option>services.step-ca.intermediatePasswordFile</option> points to
            a file in the Nix store. You should use a quoted absolute path to
            prevent this.
          '';
        }
      ];

      systemd.packages = [ cfg.package ];

      # configuration file indirection is needed to support reloading
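Review bot: The assertion removed in the second hunk carried the only user-facing explanation of why a store path is rejected and what to use instead ("a quoted absolute path"); the `pathWith { inStore = false; ... }` type in the first hunk will reject the value but, as far as I can tell, without that guidance. I would move that text into the option's `description` (which continues past line 36 of the hunk), e.g. appending `Must not be a path inside the Nix store, because store contents are readable by every user; pass a quoted absolute string such as "/run/keys/smallstep-password" instead.` Note also that the check is on the option value only: a non-store path whose target is a symlink into the store still passes, so the description should make clear that the file itself, not just the path string, has to live outside the store. The option definition continues outside the hunk.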
+2 −1
@@ -14,12 +14,13 @@ import ./make-test-python.nix ({ pkgs, ... }:
      {
        caserver =
          { config, pkgs, ... }: {
            environment.etc.password-file.source = "${test-certificates}/intermediate-password-file";
            services.step-ca = {
              enable = true;
              address = "[::]";
              port = 8443;
              openFirewall = true;
              intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
              intermediatePasswordFile = "/etc/${config.environment.etc.password-file.target}";
              settings = {
                dnsNames = [ "caserver" ];
                root = "${test-certificates}/root_ca.crt";
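Review bot: The `environment.etc.password-file.source` indirection on the new line satisfies the `inStore = false` type check only textually; if I recall correctly, an `environment.etc` entry given a `source` and no `mode` is symlinked to the store rather than copied, so the password file is still a world-readable store path at runtime. That is acceptable for a test fixture, but a reader may copy the pattern into a real deployment, so I would add a comment above the `environment.etc.password-file.source` line: `# Test-only: the password is still a store path behind this /etc symlink; this just satisfies the pathWith { inStore = false; } type. Real deployments must keep the file out of the store.` The `caserver` definition continues outside the hunk.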