# NixOS VM test: nginx built with its openssl input swapped for
# rustls-libssl, serving a TLS-only virtual host "acme.test" that a
# second VM fetches over HTTP/1.1 and over HTTP/2 (prior knowledge).
{ pkgs, lib, ... }:
let
  # Shared fixtures of the ACME test harness: a throwaway CA plus a leaf
  # certificate and private key for "acme.test". Referencing the key by
  # path literal copies it into the world-readable Nix store; that is
  # tolerable here only because these are test-only fixtures, never a
  # pattern to reuse for production key material.
  fixtureDir = ./common/acme/server;
  testCa = builtins.readFile (fixtureDir + "/ca.cert.pem");
  leafCert = fixtureDir + "/acme.test.cert.pem";
  leafKey = fixtureDir + "/acme.test.key.pem";

  # Both VMs sit on a private /24 on eth1; name resolution for the test
  # host name is static so no DNS is needed inside the VMs.
  serverAddr = "192.168.2.101";
  clientAddr = "192.168.2.201";
  hostsFile = ''
    ${serverAddr} acme.test
  '';

  # Networking fragment shared by both nodes: one static IPv4 address on
  # eth1 and the static hosts entry above.
  staticIp = address: {
    interfaces.eth1.ipv4.addresses = [
      {
        inherit address;
        prefixLength = 24;
      }
    ];
    extraHosts = hostsFile;
  };
in
{
  name = "rustls-libssl";
  meta.maintainers = [
    pkgs.lib.maintainers.stephank
    pkgs.lib.maintainers.cpu
  ];

  nodes = {
    server =
      { lib, pkgs, ... }:
      {
        # Only the TLS port is reachable from the client VM.
        networking = staticIp serverAddr // {
          firewall.allowedTCPPorts = [ 443 ];
        };

        # Trust the throwaway test CA system-wide (not needed for serving,
        # but keeps both nodes configured symmetrically).
        security.pki.certificates = [ testCa ];

        services.nginx.enable = true;
        services.nginx.package = pkgs.nginxMainline.override {
          openssl = pkgs.rustls-libssl;
          modules = [ ]; # slightly reduces the size of the build
        };

        # Hardcoded sole input accepted by rustls-libssl.
        services.nginx.sslCiphers = "HIGH:!aNULL:!MD5";

        services.nginx.virtualHosts."acme.test" = {
          # No plaintext listener at all; the test only ever speaks HTTPS.
          onlySSL = true;
          sslCertificate = leafCert;
          sslCertificateKey = leafKey;
          http2 = true;
          reuseport = true;
          # Minimal document root whose body the test script greps for.
          root = lib.mkForce (
            pkgs.runCommandLocal "testdir" { } ''
              mkdir "$out"
              cat > "$out/index.html" <<EOF
              <html><body>Hello World!</body></html>
              EOF
            ''
          );
        };
      };

    client =
      { pkgs, ... }:
      {
        environment.systemPackages = [ pkgs.curlHTTP3 ];
        networking = staticIp clientAddr;

        # Trusting the test CA lets curl verify the server certificate with
        # its default trust store instead of disabling verification.
        security.pki.certificates = [ testCa ];
      };
  };

  # Each curl call pipes the body through grep, so a TLS handshake failure
  # or an unexpected body makes the command exit non-zero and fail the test.
  testScript = ''
    start_all()
    server.wait_for_open_port(443)
    client.succeed("curl --verbose --http1.1 https://acme.test | grep 'Hello World!'")
    client.succeed("curl --verbose --http2-prior-knowledge https://acme.test | grep 'Hello World!'")
  '';
}