import ./make-test-python.nix ({ pkgs, ... }:
let
  step = "${pkgs.step-cli}/bin/step";

  # Throwaway two-tier CA (root + one intermediate) built once at evaluation
  # time.  The key passwords are fixed strings that end up world-readable in the
  # Nix store; they only exist because `step` insists on encrypting the keys and
  # must never be reused outside this VM test.
  test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
    mkdir -p $out
    echo insecure-root-password > $out/root-password-file
    echo insecure-intermediate-password > $out/intermediate-password-file
    ${step} certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca
    ${step} certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key
  '';

  # Shared module: trust the test root so TLS connections to the CA (from the
  # ACME client) and to the ACME-issued nginx certificate (from curl) verify.
  trustTestRoot = {
    security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
  };
in
{
  name = "step-ca";

  # The CA: serves ACME from the intermediate key.  It binds every interface and
  # opens its port in the firewall so the other VMs on the test network can reach it.
  nodes.caserver = { ... }: {
    services.step-ca = {
      enable = true;
      address = "0.0.0.0";
      port = 8443;
      openFirewall = true;
      # Unlocks the encrypted intermediate key; same fixed test password as above.
      intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
      settings = {
        # Hostname the clients dial, so the CA's own TLS endpoint matches it.
        dnsNames = [ "caserver" ];
        root = "${test-certificates}/root_ca.crt";
        crt = "${test-certificates}/intermediate_ca.crt";
        key = "${test-certificates}/intermediate_ca.key";
        db = {
          type = "badger";
          dataSource = "/var/lib/step-ca/db";
        };
        # A single ACME provisioner named "acme"; its name is the second path
        # segment of the directory URL the client uses below.
        authority.provisioners = [
          { type = "ACME"; name = "acme"; }
        ];
      };
    };
  };

  # ACME client: nginx obtains a certificate for "caclient" from the test CA
  # and redirects plain HTTP to HTTPS.
  nodes.caclient = { ... }: {
    imports = [ trustTestRoot ];

    security.acme = {
      acceptTerms = true;
      defaults = {
        server = "https://caserver:8443/acme/acme/directory";
        email = "root@example.org";
      };
    };

    # 80 for the ACME HTTP-01 challenge and the redirect, 443 for the TLS vhost.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    services.nginx = {
      enable = true;
      virtualHosts."caclient" = {
        forceSSL = true;
        enableACME = true;
      };
    };
  };

  # Plain client that only needs to trust the test root to validate caclient's
  # ACME-issued certificate end to end.
  nodes.catester = trustTestRoot;

  # Waits for the CA, then for the ACME run on caclient to finish, and finally
  # checks that a trusted HTTPS connection to nginx succeeds.
  testScript =
    ''
      catester.start()
      caserver.wait_for_unit("step-ca.service")
      caclient.wait_for_unit("acme-finished-caclient.target")
      catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")
    '';
})