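# NixOS VM test for the cfssl PKI service.
#
# One machine (1) creates a throw-away CA with `cfssl genkey -initca` in a
# oneshot unit, (2) starts the cfssl API server on top of that CA, and
# (3) asks the API to generate a new key pair + CSR, checking that the
# private key is written to disk.
{ pkgs, ... }:
{
  name = "cfssl";

  nodes.machine =
    {
      config,
      lib,
      pkgs,
      ...
    }:
    let
      # CA generation request consumed by `cfssl genkey -initca`.
      # builtins.toJSON emits keys in sorted order, so attribute order here
      # has no effect on the resulting file.
      caRequest = pkgs.writeText "ca.json" (
        builtins.toJSON {
          hosts = [ "ca.example.com" ];
          key = {
            algo = "rsa";
            size = 4096;
          };
          names = [
            {
              C = "US";
              L = "San Francisco";
              O = "Internet Widgets, LLC";
              OU = "Certificate Authority";
              ST = "California";
            }
          ];
        }
      );
    in
    {
      # Read the port from the module option so the firewall rule never
      # drifts from services.cfssl.port.
      networking.firewall.allowedTCPPorts = [ config.services.cfssl.port ];

      services.cfssl.enable = true;

      # `after` alone is only an ordering hint: cfssl would still start (with
      # no CA material) if cfssl-init failed or was never pulled in.
      # `requires` makes the server fail fast instead of serving without a CA.
      systemd.services.cfssl = {
        after = [ "cfssl-init.service" ];
        requires = [ "cfssl-init.service" ];
      };

      systemd.services.cfssl-init = {
        description = "Initialize the cfssl CA";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          User = "cfssl";
          Type = "oneshot";
          # Stay "active" after the script exits so a later restart of
          # cfssl.service does not re-trigger CA generation via `requires`.
          RemainAfterExit = true;
          WorkingDirectory = config.services.cfssl.dataDir;
        };
        # `cfssljson -bare ca` writes ca.pem, ca-key.pem and ca.csr into
        # dataDir. The CA private key is stored unencrypted (no passphrase
        # is used), which is acceptable for a disposable test VM only.
        script = ''
          # Never clobber an existing CA key on re-runs.
          if [ ! -f ca-key.pem ]; then
            ${pkgs.cfssl}/bin/cfssl genkey -initca ${caRequest} | ${pkgs.cfssl}/bin/cfssljson -bare ca
          fi
        '';
      };
    };

  testScript =
    let
      # Ask the `newkey` endpoint (called here without any auth token) for a
      # fresh key pair + CSR and let cfssljson split the JSON result into
      # files under the /tmp/certificate base name.
      # NOTE: 8888 is cfssl's default listen port; it is hard-coded because
      # `config` is not in scope in testScript. Keep it in sync with
      # services.cfssl.port if that option is ever overridden above.
      cfsslrequest = pkgs.writeScript "cfsslrequest" ''
        curl -f -X POST -H "Content-Type: application/json" -d @${csr} \
          http://localhost:8888/api/v1/cfssl/newkey | ${pkgs.cfssl}/bin/cfssljson /tmp/certificate
      '';
      # CSR template posted to the API; the server generates the private key.
      csr = pkgs.writeText "csr.json" (
        builtins.toJSON {
          CN = "www.example.com";
          hosts = [
            "example.com"
            "www.example.com"
          ];
          key = {
            algo = "rsa";
            size = 2048;
          };
          names = [
            {
              C = "US";
              L = "San Francisco";
              O = "Example Company, LLC";
              OU = "Operations";
              ST = "California";
            }
          ];
        }
      );
    in
    ''
      # cfssl.service only becomes active once cfssl-init has produced the CA.
      machine.wait_for_unit("cfssl.service")
      # Retry: the API socket may not accept connections immediately after
      # the unit reports active.
      machine.wait_until_succeeds("${cfsslrequest}")
      # newkey returns the private key in the JSON body; cfssljson writes it
      # to <base>-key.pem, so its presence proves the round trip worked.
      machine.succeed("ls /tmp/certificate-key.pem")
    '';
}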