nixpkgs/nixos/tests/cryptpad.nix

{ pkgs, ... }:
let
  certs = pkgs.runCommand "cryptpadSelfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
    mkdir -p $out
    cd $out
    openssl req -x509 -newkey rsa:4096 \
      -keyout key.pem -out cert.pem -nodes -days 3650 \
      -subj '/CN=cryptpad.localhost' \
      -addext 'subjectAltName = DNS.1:cryptpad.localhost, DNS.2:cryptpad-sandbox.localhost'
  '';
  # data sniffed from cryptpad's /checkup network trace, seems to be re-usable
  test_write_data = pkgs.writeText "cryptpadTestData" ''
    {"command":"WRITE_BLOCK","content":{"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","signature":"aXcM9SMO59lwA7q7HbYB+AnzymmxSyy/KhkG/cXIBVzl8v+kkPWXmFuWhcuKfRF8yt3Zc3ktIsHoFyuyDSAwAA==","ciphertext":"AFwCIfBHKdFzDKjMg4cu66qlJLpP+6Yxogbl3o9neiQou5P8h8yJB8qgnQ=="},"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","nonce":"bitSbJMNSzOsg98nEzN80a231PCkBQeH"}
  '';
in
{
  name = "cryptpad";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ martinetd ];
  };

  nodes.machine = {
    services.cryptpad = {
      enable = true;
      configureNginx = true;
      settings = {
        httpUnsafeOrigin = "https://cryptpad.localhost";
        httpSafeOrigin = "https://cryptpad-sandbox.localhost";
      };
    };
    services.nginx = {
      virtualHosts."cryptpad.localhost" = {
        enableACME = false;
        sslCertificate = "${certs}/cert.pem";
        sslCertificateKey = "${certs}/key.pem";
      };
    };
    security = {
      pki.certificateFiles = [ "${certs}/cert.pem" ];
    };
  };

  testScript = ''
    machine.wait_for_unit("cryptpad.service")
    machine.wait_for_unit("nginx.service")
    machine.wait_for_open_port(3000)

    # test home page
    machine.succeed("curl --fail https://cryptpad.localhost -o /tmp/cryptpad_home.html")
    machine.succeed("grep -F 'CryptPad: Collaboration suite' /tmp/cryptpad_home.html")

    # test scripts/build.js actually generated customize content from config
    machine.succeed("grep -F 'meta property=\"og:url\" content=\"https://cryptpad.localhost/index.html' /tmp/cryptpad_home.html")

    # make sure child pages are accessible (e.g. check nginx try_files paths)
    machine.succeed(
        "grep -oE '/(customize|components)[^\"]*' /tmp/cryptpad_home.html"
        "  | while read -r page; do"
        "        curl -O --fail https://cryptpad.localhost$page || exit;"
        "    done")

    # test some API (e.g. check cryptpad main process)
    machine.succeed("curl --fail -d @${test_write_data} -H 'Content-Type: application/json' https://cryptpad.localhost/api/auth")

    # test telemetry has been disabled
    machine.fail("journalctl -u cryptpad | grep TELEMETRY");

    # for future improvements
    machine.log(machine.execute("systemd-analyze security cryptpad.service")[1])
  '';
}
nixos/cryptpad: init This is a full rewrite independent of the previously removed cryptpad module, managing cryptpad's config in RFC0042 along with a shiny test. Upstream cryptpad provides two nginx configs, with many optimizations and complex settings; this uses the easier variant for now but improvements (e.g. serving blocks and js files directly through nginx) should be possible with a bit of work and care about http headers. the /checkup page of cryptpad passes all tests except HSTS, we don't seem to have any nginx config with HSTS enabled in nixpkgs so leave this as is for now. Co-authored-by: Pol Dellaiera <pol.dellaiera@protonmail.com> Co-authored-by: Michael Smith <shmitty@protonmail.com> 2024-07-19 14:45:19 +02:00			`{ pkgs, ... }:`
			`let`
			`certs = pkgs.runCommand "cryptpadSelfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''`
			`mkdir -p $out`
			`cd $out`
			`openssl req -x509 -newkey rsa:4096 \`
			`-keyout key.pem -out cert.pem -nodes -days 3650 \`
			`-subj '/CN=cryptpad.localhost' \`
			`-addext 'subjectAltName = DNS.1:cryptpad.localhost, DNS.2:cryptpad-sandbox.localhost'`
			`'';`
			`# data sniffed from cryptpad's /checkup network trace, seems to be re-usable`
			`test_write_data = pkgs.writeText "cryptpadTestData" ''`
			`{"command":"WRITE_BLOCK","content":{"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","signature":"aXcM9SMO59lwA7q7HbYB+AnzymmxSyy/KhkG/cXIBVzl8v+kkPWXmFuWhcuKfRF8yt3Zc3ktIsHoFyuyDSAwAA==","ciphertext":"AFwCIfBHKdFzDKjMg4cu66qlJLpP+6Yxogbl3o9neiQou5P8h8yJB8qgnQ=="},"publicKey":"O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=","nonce":"bitSbJMNSzOsg98nEzN80a231PCkBQeH"}`
			`'';`
			`in`
			`{`
			`name = "cryptpad";`
			`meta = with pkgs.lib.maintainers; {`
			`maintainers = [ martinetd ];`
			`};`

			`nodes.machine = {`
			`services.cryptpad = {`
			`enable = true;`
			`configureNginx = true;`
			`settings = {`
			`httpUnsafeOrigin = "https://cryptpad.localhost";`
			`httpSafeOrigin = "https://cryptpad-sandbox.localhost";`
			`};`
			`};`
			`services.nginx = {`
			`virtualHosts."cryptpad.localhost" = {`
			`enableACME = false;`
			`sslCertificate = "${certs}/cert.pem";`
			`sslCertificateKey = "${certs}/key.pem";`
			`};`
			`};`
			`security = {`
			`pki.certificateFiles = [ "${certs}/cert.pem" ];`
			`};`
			`};`

			`testScript = ''`
			`machine.wait_for_unit("cryptpad.service")`
			`machine.wait_for_unit("nginx.service")`
			`machine.wait_for_open_port(3000)`

			`# test home page`
			`machine.succeed("curl --fail https://cryptpad.localhost -o /tmp/cryptpad_home.html")`
			`machine.succeed("grep -F 'CryptPad: Collaboration suite' /tmp/cryptpad_home.html")`

			`# test scripts/build.js actually generated customize content from config`
			`machine.succeed("grep -F 'meta property=\"og:url\" content=\"https://cryptpad.localhost/index.html' /tmp/cryptpad_home.html")`

			`# make sure child pages are accessible (e.g. check nginx try_files paths)`
			`machine.succeed(`
			`"grep -oE '/(customize\|components)[^\"]*' /tmp/cryptpad_home.html"`
			`" \| while read -r page; do"`
			`" curl -O --fail https://cryptpad.localhost$page \|\| exit;"`
			`" done")`

			`# test some API (e.g. check cryptpad main process)`
			`machine.succeed("curl --fail -d @${test_write_data} -H 'Content-Type: application/json' https://cryptpad.localhost/api/auth")`

			`# test telemetry has been disabled`
			`machine.fail("journalctl -u cryptpad \| grep TELEMETRY");`
nixos/cryptpad: harden service cryptpad is not directly exposed to the network, but has plenty that can be hardened more properly, so fix that. 2024-07-20 13:32:31 +02:00
			`# for future improvements`
			`machine.log(machine.execute("systemd-analyze security cryptpad.service")[1])`
nixos/cryptpad: init This is a full rewrite independent of the previously removed cryptpad module, managing cryptpad's config in RFC0042 along with a shiny test. Upstream cryptpad provides two nginx configs, with many optimizations and complex settings; this uses the easier variant for now but improvements (e.g. serving blocks and js files directly through nginx) should be possible with a bit of work and care about http headers. the /checkup page of cryptpad passes all tests except HSTS, we don't seem to have any nginx config with HSTS enabled in nixpkgs so leave this as is for now. Co-authored-by: Pol Dellaiera <pol.dellaiera@protonmail.com> Co-authored-by: Michael Smith <shmitty@protonmail.com> 2024-07-19 14:45:19 +02:00			`'';`
			`}`