I'm merging this without review, since the tests run by ofborg are
succeeding. In addition to that, it's fixing a currently broken test so
the worst that could happen is that the test still does not work.
The test fails because the way the configuration switch was implemented
back then was by using a dummy configuration and simply activating that
dummy configuration from within the test script.
Nowadays, this doesn't work anymore and fails to typecheck because the
dummy "newServer" will inherit the same value for networking.hostName,
which in turn will generate two attributes for "server":
> testScriptWithTypes:43: error: Name "server" already defined on line 43
> [no-redef]
> client1: Machine; client2: Machine; server: Machine; server: Machine;
Fortunately, we don't need to do workarounds like this anymore and there
is the "specialisation" option, which allows doing this in a less ugly
way (and it also works with mypy).
Signed-off-by: aszlig <aszlig@nix.build>

* Update Cargo.lock from upstream.
* Adapt expression to upstream source tree layout changes.
* Apply patch to restore x86_64 v1 support
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
Also updates the NixOS test:
* Stop kanidm to recover the idm_admin account
* Group all tests into subtest blocks
* Add TODO to wait for unix socket on unixd for the next release
Co-Authored-By: Raito Bezarius <masterancpp@gmail.com>
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>

PROXY protocol is a convenient way to carry information about the
originating address/port of a TCP connection across multiple layers of
proxies/NAT, etc.
Currently, it is possible to make use of it in NGINX's NixOS module, but
it is painful when we want to enable it "globally".
Technically, this is achieved by reworking the defaultListen options and
the objective is to have a coherent way to specify default listeners in
the current API design.
See `mkDefaultListenVhost` and `defaultListen` for the details.
It adds a safeguard against running a NGINX with no HTTP listeners (e.g.
only PROXY listeners) while asking for ACME certificates over HTTP-01.
An interesting use case of PROXY protocol is to enable seamless IPv4 to
IPv6 proxying with the origin IPv4 address for IPv6-only NGINX servers;
how to achieve this is demonstrated in the tests, using sniproxy.
Finally, the tests cover:
- NGINX `defaultListen` mechanisms are not broken by these changes;
- NGINX PROXY protocol listeners are working in a final usecase
(sniproxy);
- use of snakeoil TLS certs from the ACME setup with wildcard certificates.
In the future, it is desirable to spoof-attack NGINX in this scenario to
ascertain that `set_real_ip_from` and all the layers are working as
intended and preventing any user from setting their origin IP address to
any arbitrary value, opening up the NixOS module to bad™ vulnerabilities.
For now, it is quite hard to achieve while being minimalistic about the
test dependencies.
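As an added example (not part of the nixpkgs change or of any commit above), the following Python sketch parses the PROXY protocol v1 header that a front end such as sniproxy prepends to the TCP stream, and shows why the asserted origin address must only be honoured when the immediate peer is a trusted proxy, which is the role `set_real_ip_from` plays in nginx. The trusted-network list and the sample stream are constructed for the example.

```python
import ipaddress

# Constructed sample: a PROXY v1 line as an upstream proxy (e.g. sniproxy)
# would prepend to the connection, followed by the first client bytes.
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.7 198.51.100.2 51234 443\r\nGET / HTTP/1.1\r\n"

# Peers allowed to assert an origin address on our behalf (assumed list,
# analogous to nginx's set_real_ip_from; not taken from the page).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("fd00::/8")]

def parse_proxy_v1(stream: bytes):
    """Split a PROXY protocol v1 header from the payload.
    Returns (header, remaining_bytes); header is None when the stream does
    not start with a well-formed v1 header (the bytes are then left intact)."""
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n", 0, 107)          # v1 header is at most 107 bytes
    if end == -1:
        return None, stream
    try:
        fields = stream[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        return None, stream
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return {"proto": "UNKNOWN"}, stream[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        return None, stream
    _, proto, src, dst, sport, dport = fields
    if not (sport.isdigit() and dport.isdigit()):
        return None, stream
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None, stream
    # Address family must match the declared protocol (TCP4 vs TCP6).
    want_v6 = proto == "TCP6"
    if (src_ip.version == 6) != want_v6 or (dst_ip.version == 6) != want_v6:
        return None, stream
    sport_i, dport_i = int(sport), int(dport)
    if not (0 < sport_i < 65536 and 0 < dport_i < 65536):
        return None, stream
    header = {"proto": proto, "src": src_ip, "dst": dst_ip,
              "sport": sport_i, "dport": dport_i}
    return header, stream[end + 2:]

def effective_client_ip(peer_ip: str, stream: bytes):
    """Origin address to log/rate-limit on: the header's source address only
    if the TCP peer is a trusted proxy, otherwise the TCP peer itself."""
    peer = ipaddress.ip_address(peer_ip)
    header, _rest = parse_proxy_v1(stream)
    if header is None or header["proto"] == "UNKNOWN":
        return peer
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer          # untrusted peer: ignore the asserted origin
    return header["src"]
```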