···

       
11
       
11
       
 
       
      file = {

     

       
12
       
12
       
 
       
        group = "nginx";

     

       
13
       
13
       
 
       
        owner = "nginx";

     

       
14
       
14
       
-
       
        path = "/tmp/${host}-ca.pem";

     

       
14
       
14
       
+
       
        path = "/var/ssl/${host}-ca.pem";

     

       
15
       
15
       
 
       
      };

     

       
16
       
16
       
 
       
      label = "www_ca";

     

       
17
       
17
       
 
       
      profile = "three-month";

     
···

       
20
       
20
       
 
       
    certificate = {

     

       
21
       
21
       
 
       
      group = "nginx";

     

       
22
       
22
       
 
       
      owner = "nginx";

     

       
23
       
23
       
-
       
      path = "/tmp/${host}-cert.pem";

     

       
23
       
23
       
+
       
      path = "/var/ssl/${host}-cert.pem";

     

       
24
       
24
       
 
       
    };

     

       
25
       
25
       
 
       
    private_key = {

     

       
26
       
26
       
 
       
      group = "nginx";

     

       
27
       
27
       
 
       
      mode = "0600";

     

       
28
       
28
       
 
       
      owner = "nginx";

     

       
29
       
29
       
-
       
      path = "/tmp/${host}-key.pem";

     

       
29
       
29
       
+
       
      path = "/var/ssl/${host}-key.pem";

     

       
30
       
30
       
 
       
    };

     

       
31
       
31
       
 
       
    request = {

     

       
32
       
32
       
 
       
      CN = host;

     
···

       
56
       
56
       
 
       


     

       
57
       
57
       
 
       
        services.cfssl.enable = true;

     

       
58
       
58
       
 
       
        systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ];

     

       
59
       
59
       
+
       


     

       
60
       
60
       
+
       
        systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ];

     

       
59
       
61
       
 
       


     

       
60
       
62
       
 
       
        systemd.services.cfssl-init = {

     

       
61
       
63
       
 
       
          description = "Initialize the cfssl CA";

     
···

       
87
       
89
       
 
       
          enable = true;

     

       
88
       
90
       
 
       
          virtualHosts = lib.mkMerge (map (host: {

     

       
89
       
91
       
 
       
            ${host} = {

     

       
90
       
90
       
-
       
              sslCertificate = "/tmp/${host}-cert.pem";

     

       
91
       
91
       
-
       
              sslCertificateKey = "/tmp/${host}-key.pem";

     

       
92
       
92
       
+
       
              sslCertificate = "/var/ssl/${host}-cert.pem";

     

       
93
       
93
       
+
       
              sslCertificateKey = "/var/ssl/${host}-key.pem";

     

       
92
       
94
       
 
       
              extraConfig = ''

     

       
93
       
95
       
 
       
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

     

       
94
       
96
       
 
       
              '';

     
···

       
124
       
126
       
 
       
    };

     

       
125
       
127
       
 
       
    testScript = ''

     

       
126
       
128
       
 
       
      machine.wait_for_unit("cfssl.service")

     

       
127
       
127
       
-
       
      machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem")

     

       
128
       
128
       
-
       
      machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem")

     

       
129
       
129
       
-
       
      machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem")

     

       
130
       
130
       
-
       
      machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem")

     

       
131
       
131
       
-
       
      machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem")

     

       
132
       
132
       
-
       
      machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem")

     

       
129
       
129
       
+
       
      machine.wait_until_succeeds("ls /var/ssl/decl.example.org-ca.pem")

     

       
130
       
130
       
+
       
      machine.wait_until_succeeds("ls /var/ssl/decl.example.org-key.pem")

     

       
131
       
131
       
+
       
      machine.wait_until_succeeds("ls /var/ssl/decl.example.org-cert.pem")

     

       
132
       
132
       
+
       
      machine.wait_until_succeeds("ls /var/ssl/imp.example.org-ca.pem")

     

       
133
       
133
       
+
       
      machine.wait_until_succeeds("ls /var/ssl/imp.example.org-key.pem")

     

       
134
       
134
       
+
       
      machine.wait_until_succeeds("ls /var/ssl/imp.example.org-cert.pem")

     

       
133
       
135
       
 
       
      machine.wait_for_unit("nginx.service")

     

       
134
       
136
       
 
       
      assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l'))

     

       
135
       
135
       
-
       
      machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org")

     

       
136
       
136
       
-
       
      machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org")

     

       
137
       
137
       
+
       
      machine.succeed("curl --cacert /var/ssl/imp.example.org-ca.pem https://imp.example.org")

     

       
138
       
138
       
+
       
      machine.succeed(

     

       
139
       
139
       
+
       
          "curl --cacert /var/ssl/decl.example.org-ca.pem https://decl.example.org"

     

       
140
       
140
       
+
       
      )

     

       
137
       
141
       
 
       
    '';

     

       
138
       
142
       
 
       
  };

     

       
139
       
143