import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "cfssl";

    # A single VM hosts both the cfssl API server and the client side of the
    # test.  Store paths referenced from the node use the node's own `pkgs`.
    nodes.machine =
      { config, pkgs, ... }:
      let
        cfsslBin = "${pkgs.cfssl}/bin";

        # Request for the self-signed root; `cfssl genkey -initca` turns it
        # into a CA key pair plus root certificate.
        caRequest = pkgs.writeText "ca.json" (
          builtins.toJSON {
            hosts = [ "ca.example.com" ];
            key = {
              algo = "rsa";
              size = 4096;
            };
            names = [
              {
                C = "US";
                L = "San Francisco";
                O = "Internet Widgets, LLC";
                OU = "Certificate Authority";
                ST = "California";
              }
            ];
          }
        );
      in
      {
        # Open whichever API port the service module configured.
        networking.firewall.allowedTCPPorts = [ config.services.cfssl.port ];

        services.cfssl.enable = true;
        # Ordering only (no `requires`): the server must not start before the
        # CA material has been written into its dataDir.
        systemd.services.cfssl.after = [ "cfssl-init.service" ];

        # One-shot unit that creates the CA inside the service's data
        # directory.  It runs as the service user so the files it writes are
        # owned by that user.  Nothing guards against an existing ca.pem, so
        # it re-runs on every boot -- acceptable for a single-boot test VM.
        systemd.services.cfssl-init = {
          description = "Initialize the cfssl CA";
          wantedBy = [ "multi-user.target" ];
          serviceConfig = {
            Type = "oneshot";
            User = "cfssl";
            WorkingDirectory = config.services.cfssl.dataDir;
          };
          # `cfssljson -bare ca` splits the JSON output into ca.pem / ca-key.pem
          # (and ca.csr) in the working directory.
          script = ''
            ${cfsslBin}/cfssl genkey -initca ${caRequest} | ${cfsslBin}/cfssljson -bare ca
          '';
        };
      };

    testScript =
      let
        # End-entity request posted to the running API.
        leafRequest = pkgs.writeText "csr.json" (
          builtins.toJSON {
            CN = "www.example.com";
            hosts = [
              "example.com"
              "www.example.com"
            ];
            key = {
              algo = "rsa";
              size = 2048;
            };
            names = [
              {
                C = "US";
                L = "San Francisco";
                O = "Example Company, LLC";
                OU = "Operations";
                ST = "California";
              }
            ];
          }
        );

        # Client script.  The `newkey` endpoint generates the private key on
        # the server and returns it in the JSON reply; cfssljson writes that
        # out as /tmp/certificate-key.pem (plus the CSR).  The exchange is plain
        # HTTP on localhost, which is fine inside the test VM.  `curl -f` turns
        # an HTTP error into a non-zero exit so wait_until_succeeds retries.
        requestScript = pkgs.writeScript "cfsslrequest" ''
          curl -f -X POST -H "Content-Type: application/json" -d @${leafRequest} \
            http://localhost:8888/api/v1/cfssl/newkey | ${pkgs.cfssl}/bin/cfssljson /tmp/certificate
        '';
      in
      # The key file only appears if the API answered and cfssljson parsed the
      # reply, so its presence is the actual assertion of the test.
      ''
        machine.wait_for_unit("cfssl.service")
        machine.wait_until_succeeds("${requestScript}")
        machine.succeed("ls /tmp/certificate-key.pem")
      '';
  }
)