1
-
import ./make-test-python.nix ({ pkgs, ... }:
1
+
import ./make-test-python.nix (
test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
16
-
{ config, pkgs, ... }: {
17
-
environment.etc.password-file.source = "${test-certificates}/intermediate-password-file";
18
-
services.step-ca = {
22
-
openFirewall = true;
23
-
intermediatePasswordFile = "/etc/${config.environment.etc.password-file.target}";
25
-
dnsNames = [ "caserver" ];
26
-
root = "${test-certificates}/root_ca.crt";
27
-
crt = "${test-certificates}/intermediate_ca.crt";
28
-
key = "${test-certificates}/intermediate_ca.key";
31
-
dataSource = "/var/lib/step-ca/db";
16
+
{ config, pkgs, ... }:
18
+
environment.etc.password-file.source = "${test-certificates}/intermediate-password-file";
19
+
services.step-ca = {
23
+
openFirewall = true;
24
+
intermediatePasswordFile = "/etc/${config.environment.etc.password-file.target}";
26
+
dnsNames = [ "caserver" ];
27
+
root = "${test-certificates}/root_ca.crt";
28
+
crt = "${test-certificates}/intermediate_ca.crt";
29
+
key = "${test-certificates}/intermediate_ca.key";
32
+
dataSource = "/var/lib/step-ca/db";
46
-
{ config, pkgs, ... }: {
47
-
security.acme.defaults.server = "https://caserver:8443/acme/acme/directory";
48
-
security.acme.defaults.email = "root@example.org";
49
-
security.acme.acceptTerms = true;
47
+
{ config, pkgs, ... }:
49
+
security.acme.defaults.server = "https://caserver:8443/acme/acme/directory";
50
+
security.acme.defaults.email = "root@example.org";
51
+
security.acme.acceptTerms = true;
51
-
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
53
+
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
53
-
networking.firewall.allowedTCPPorts = [ 80 443 ];
55
+
networking.firewall.allowedTCPPorts = [
67
-
{ config, pkgs, ... }: {
68
-
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
72
+
{ config, pkgs, ... }:
74
+
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
70
-
networking.firewall.allowedTCPPorts = [ 80 443 ];
76
+
networking.firewall.allowedTCPPorts = [
74
-
virtualHosts."caclientcaddy".extraConfig = ''
75
-
respond "Welcome to Caddy!"
83
+
virtualHosts."caclientcaddy".extraConfig = ''
84
+
respond "Welcome to Caddy!"
77
-
tls caddy@example.org {
78
-
ca https://caserver:8443/acme/acme/directory
86
+
tls caddy@example.org {
87
+
ca https://caserver:8443/acme/acme/directory
84
-
catester = { config, pkgs, ... }: {
94
+
{ config, pkgs, ... }:
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
100
+
testScript = # python
caserver.wait_for_unit("step-ca.service")
catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")
caclientcaddy.wait_for_unit("caddy.service")
# It's hard to know when caddy has finished the ACME
# dance with step-ca, so we keep trying to curl
catester.wait_until_succeeds("curl https://caclientcaddy/ | grep \"Welcome to Caddy!\"")