···
-
import ./make-test-python.nix ({ pkgs, ... }:
test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
···
-
{ config, pkgs, ... }: {
-
environment.etc.password-file.source = "${test-certificates}/intermediate-password-file";
-
intermediatePasswordFile = "/etc/${config.environment.etc.password-file.target}";
-
dnsNames = [ "caserver" ];
-
root = "${test-certificates}/root_ca.crt";
-
crt = "${test-certificates}/intermediate_ca.crt";
-
key = "${test-certificates}/intermediate_ca.key";
-
dataSource = "/var/lib/step-ca/db";
-
{ config, pkgs, ... }: {
-
security.acme.defaults.server = "https://caserver:8443/acme/acme/directory";
-
security.acme.defaults.email = "root@example.org";
-
security.acme.acceptTerms = true;
-
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
-
networking.firewall.allowedTCPPorts = [ 80 443 ];
-
{ config, pkgs, ... }: {
-
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
-
networking.firewall.allowedTCPPorts = [ 80 443 ];
-
virtualHosts."caclientcaddy".extraConfig = ''
-
respond "Welcome to Caddy!"
-
tls caddy@example.org {
-
ca https://caserver:8443/acme/acme/directory
-
catester = { config, pkgs, ... }: {
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
caserver.wait_for_unit("step-ca.service")
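Review bot: The intermediate CA private key (`key = "${test-certificates}/intermediate_ca.key"`) and the password file meant to protect it (`environment.etc.password-file.source = "${test-certificates}/intermediate-password-file"`) are both outputs of the `test-certificates` derivation, i.e. world-readable Nix store paths, and `environment.etc` appears to do nothing more than symlink that store path into `/etc`, so the password provides no protection here. That is fine for a throwaway VM test, but nothing in the hunk says so, and the snippet reads like a step-ca deployment recipe. Suggest a comment above the `intermediatePasswordFile` line: `# Test-only: the key and its password both live in the world-readable Nix store; a real CA must keep both out of the store (restricted-mode file or secrets manager).` The root CA is also installed into the system trust store of every client via `security.pki.certificateFiles`, which is expected for the test but likewise should not be mirrored outside it. The `services.step-ca` settings and the node definitions this hunk touches begin and end outside the hunk.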
···
catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")
caclientcaddy.wait_for_unit("caddy.service")
# It's hard to know when caddy has finished the ACME
# dance with step-ca, so we keep trying to curl
catester.wait_until_succeeds("curl https://caclientcaddy/ | grep \"Welcome to Caddy!\"")