CA certificates in NixOS tests generated declaratively #384

Open
opened 2025-06-16 14:18:24 +02:00 by kiara · 0 comments
Owner

As a developer,
I want for CA certificates in NixOS tests to be generated declaratively,
so that it becomes easier to test our software.

notes

[context](https://git.fediversity.eu/Fediversity/Fediversity/src/commit/d3c19b344d34f265b7b35b1450a1c04110ba843e/deployment/check/panel/nixosTest.nix#L270-L293):

> This is a hack to accept the root CA used by Pebble on the client machine. Pebble randomizes everything, so the only way to get it is to call the /roots/0 endpoint at runtime, leaving not much margin for a nice Nixy way of adding the certificate. There is no way around it as this is by design in Pebble, showing in fact that Pebble was not the appropriate tool for our use and that nixpkgs does not in fact provide an easy way to generate _usable_ certificates in NixOS tests. I suggest we merge this, and track the task to set it up in a cleaner way. I would tackle this in a subsequent PR, and hopefully even contribute this BetterWay(tm) to nixpkgs.

kiara added the "type: user story" label 2025-06-16 14:18:24 +02:00
kiara added a new dependency 2025-06-16 14:18:51 +02:00
kiara added "type: task" and removed "type: user story" labels 2025-09-19 09:01:34 +02:00
Blocks: #224 automated dev-ops workflows
Reference: fediversity/fediversity#384