import ./make-test-python.nix (
  { pkgs, ... }:
  let
    step = "${pkgs.step-cli}/bin/step";

    # Throw-away PKI for this test: a root CA plus one intermediate CA, each
    # protected by a fixed, well-known password.  Note that the private keys
    # and the password files all end up inside the derivation output, i.e. a
    # world-readable Nix store path.  That is fine for credentials that never
    # leave the VM test, but it is not a pattern to copy for a real CA.
    test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
      mkdir -p $out
      echo insecure-root-password > $out/root-password-file
      echo insecure-intermediate-password > $out/intermediate-password-file
      ${step} certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca
      ${step} certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key
    '';

    # Every client installs the test root into the system trust store so that
    # leaf certificates issued by the intermediate validate during the test.
    rootCert = "${test-certificates}/root_ca.crt";

    # ACME directory exposed by the single "acme" provisioner on caserver.
    acmeDirectory = "https://caserver:8443/acme/acme/directory";

    # Static document served by the h2o client; the test greps for its text.
    h2oWelcome = pkgs.writeTextFile {
      name = "h2o_welcome.txt";
      text = "Welcome to H2O!";
    };
  in
  {
    name = "step-ca";

    nodes = {
      # The CA itself: step-ca listening on every interface on 8443, with the
      # firewall opened so the client nodes can reach it.
      caserver =
        { config, pkgs, ... }:
        {
          # The intermediate key password is copied from the store into /etc
          # and referenced from there rather than from the store path directly.
          environment.etc.password-file.source = "${test-certificates}/intermediate-password-file";

          services.step-ca = {
            enable = true;
            address = "[::]";
            port = 8443;
            openFirewall = true;
            intermediatePasswordFile = "/etc/${config.environment.etc.password-file.target}";
            settings = {
              dnsNames = [ "caserver" ];
              root = rootCert;
              crt = "${test-certificates}/intermediate_ca.crt";
              key = "${test-certificates}/intermediate_ca.key";
              # Embedded badger database under the service's state directory.
              db = {
                type = "badger";
                dataSource = "/var/lib/step-ca/db";
              };
              # Only one provisioner is configured, an unrestricted ACME one.
              authority.provisioners = [
                {
                  type = "ACME";
                  name = "acme";
                }
              ];
            };
          };
        };

      # nginx client: obtains its certificate through the NixOS ACME module.
      caclient =
        { config, pkgs, ... }:
        {
          security.acme = {
            acceptTerms = true;
            defaults = {
              server = acmeDirectory;
              email = "root@example.org";
            };
          };

          security.pki.certificateFiles = [ rootCert ];

          networking.firewall.allowedTCPPorts = [
            80
            443
          ];

          services.nginx = {
            enable = true;
            virtualHosts."caclient" = {
              forceSSL = true;
              enableACME = true;
            };
          };
        };

      # Caddy client: Caddy talks ACME to step-ca on its own via the `ca`
      # option of the tls directive.
      caclientcaddy =
        { config, pkgs, ... }:
        {
          security.pki.certificateFiles = [ rootCert ];

          networking.firewall.allowedTCPPorts = [
            80
            443
          ];

          services.caddy = {
            enable = true;
            virtualHosts."caclientcaddy".extraConfig = ''
              respond "Welcome to Caddy!"

              tls caddy@example.org {
                ca ${acmeDirectory}
              }
            '';
          };
        };

      # h2o client: like nginx, the certificate comes from the NixOS ACME
      # module and TLS is enforced for the host.
      caclienth2o =
        { config, pkgs, ... }:
        {
          security.acme.acceptTerms = true;
          security.acme.defaults.server = acmeDirectory;
          security.acme.defaults.email = "root@example.org";

          security.pki.certificateFiles = [ rootCert ];

          networking.firewall.allowedTCPPorts = [
            80
            443
          ];

          services.h2o = {
            enable = true;
            hosts."caclienth2o" = {
              tls.policy = "force";
              acme.enable = true;
              settings.paths."/"."file.file" = "${h2oWelcome}";
            };
          };
        };

      # Plain client used to run curl; it only trusts the test root, so a
      # successful TLS handshake proves the issued chain validates.
      catester =
        { config, pkgs, ... }:
        {
          security.pki.certificateFiles = [ rootCert ];
        };
    };

    testScript = # python
      ''
        catester.start()
        caserver.wait_for_unit("step-ca.service")
        caserver.wait_until_succeeds("journalctl -o cat -u step-ca.service | grep '${pkgs.step-ca.version}'")

        caclient.wait_for_unit("acme-caclient.service")
        # The order is run asynchonously, keep trying.
        catester.wait_until_succeeds("curl https://caclient/ | grep \"Welcome to nginx!\"")

        caclientcaddy.wait_for_unit("caddy.service")
        # It’s hard to know when Caddy has finished the ACME dance with
        # step-ca, so we keep trying cURL until success.
        catester.wait_until_succeeds("curl https://caclientcaddy/ | grep \"Welcome to Caddy!\"")

        caclienth2o.wait_for_unit("acme-caclienth2o.service")
        caclienth2o.wait_for_unit("h2o.service")
        catester.wait_until_succeeds("curl https://caclienth2o/ | grep \"Welcome to H2O!\"")
      '';
  }
)