										 |  |  | { system ? builtins.currentSystem, | 
					
						
							|  |  |  |   config ? {}, | 
					
						
							|  |  |  |   pkgs ? import ../.. { inherit system config; } | 
					
						
							|  |  |  | }: | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-11-06 18:35:34 +01:00
										 |  |  | with import ../lib/testing-python.nix { inherit system pkgs; }; | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  | let | 
					
						
							|  |  |  |   mkSpec = { host, service ? null, action }: { | 
					
						
							|  |  |  |     inherit action; | 
					
						
							|  |  |  |     authority = { | 
					
						
							|  |  |  |       file = { | 
					
						
							| 
									
										
										
										
											2020-01-11 14:25:38 -08:00
										 |  |  |         group = "nginx"; | 
					
						
							|  |  |  |         owner = "nginx"; | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  |         path = "/tmp/${host}-ca.pem"; | 
					
						
							|  |  |  |       }; | 
					
						
							|  |  |  |       label = "www_ca"; | 
					
						
							|  |  |  |       profile = "three-month"; | 
					
						
							|  |  |  |       remote = "localhost:8888"; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     certificate = { | 
					
						
							| 
									
										
										
										
											2020-01-11 14:25:38 -08:00
										 |  |  |       group = "nginx"; | 
					
						
							|  |  |  |       owner = "nginx"; | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  |       path = "/tmp/${host}-cert.pem"; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     private_key = { | 
					
						
							| 
									
										
										
										
											2020-01-11 14:25:38 -08:00
										 |  |  |       group = "nginx"; | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  |       mode = "0600"; | 
					
						
							| 
									
										
										
										
											2020-01-11 14:25:38 -08:00
										 |  |  |       owner = "nginx"; | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  |       path = "/tmp/${host}-key.pem"; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     request = { | 
					
						
							|  |  |  |       CN = host; | 
					
						
							|  |  |  |       hosts = [ host "www.${host}" ]; | 
					
						
							|  |  |  |       key = { | 
					
						
							|  |  |  |         algo = "rsa"; | 
					
						
							|  |  |  |         size = 2048; | 
					
						
							|  |  |  |       }; | 
					
						
							|  |  |  |       names = [ | 
					
						
							|  |  |  |         { | 
					
						
							|  |  |  |           C = "US"; | 
					
						
							|  |  |  |           L = "San Francisco"; | 
					
						
							|  |  |  |           O = "Example, LLC"; | 
					
						
							|  |  |  |           ST = "CA"; | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  |       ]; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     inherit service; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   mkCertmgrTest = { svcManager, specs, testScript }: makeTest { | 
					
						
							|  |  |  |     name = "certmgr-" + svcManager; | 
					
						
							|  |  |  |     nodes = { | 
					
						
							|  |  |  |       machine = { config, lib, pkgs, ... }: { | 
					
						
							|  |  |  |         networking.firewall.allowedTCPPorts = with config.services; [ cfssl.port certmgr.metricsPort ]; | 
					
						
							|  |  |  |         networking.extraHosts = "127.0.0.1 imp.example.org decl.example.org"; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         services.cfssl.enable = true; | 
					
						
							|  |  |  |         systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ]; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         systemd.services.cfssl-init = { | 
					
						
							|  |  |  |           description = "Initialize the cfssl CA"; | 
					
						
							|  |  |  |           wantedBy    = [ "multi-user.target" ]; | 
					
						
							|  |  |  |           serviceConfig = { | 
					
						
							|  |  |  |             User             = "cfssl"; | 
					
						
							|  |  |  |             Type             = "oneshot"; | 
					
						
							|  |  |  |             WorkingDirectory = config.services.cfssl.dataDir; | 
					
						
							|  |  |  |           }; | 
					
						
							|  |  |  |           script = ''
 | 
					
						
							|  |  |  |             ${pkgs.cfssl}/bin/cfssl genkey -initca ${pkgs.writeText "ca.json" (builtins.toJSON { | 
					
						
							|  |  |  |               hosts = [ "ca.example.com" ]; | 
					
						
							|  |  |  |               key = { | 
					
						
							|  |  |  |                 algo = "rsa"; size = 4096; }; | 
					
						
							|  |  |  |                 names = [ | 
					
						
							|  |  |  |                   { | 
					
						
							|  |  |  |                     C = "US"; | 
					
						
							|  |  |  |                     L = "San Francisco"; | 
					
						
							|  |  |  |                     O = "Internet Widgets, LLC"; | 
					
						
							|  |  |  |                     OU = "Certificate Authority"; | 
					
						
							|  |  |  |                     ST = "California"; | 
					
						
							|  |  |  |                   } | 
					
						
							|  |  |  |                 ]; | 
					
						
							|  |  |  |             })} | ${pkgs.cfssl}/bin/cfssljson -bare ca | 
					
						
							|  |  |  |           '';
 | 
					
						
							|  |  |  |         }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         services.nginx = { | 
					
						
							|  |  |  |           enable = true; | 
					
						
							|  |  |  |           virtualHosts = lib.mkMerge (map (host: { | 
					
						
							|  |  |  |             ${host} = { | 
					
						
							|  |  |  |               sslCertificate = "/tmp/${host}-cert.pem"; | 
					
						
							|  |  |  |               sslCertificateKey = "/tmp/${host}-key.pem"; | 
					
						
							|  |  |  |               extraConfig = ''
 | 
					
						
							|  |  |  |                 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | 
					
						
							|  |  |  |               '';
 | 
					
						
							|  |  |  |               onlySSL = true; | 
					
						
							|  |  |  |               serverName = host; | 
					
						
							|  |  |  |               root = pkgs.writeTextDir "index.html" "It works!"; | 
					
						
							|  |  |  |             }; | 
					
						
							|  |  |  |           }) [ "imp.example.org" "decl.example.org" ]); | 
					
						
							|  |  |  |         }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         systemd.services.nginx.wantedBy = lib.mkForce []; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         systemd.services.certmgr.after = [ "cfssl.service" ]; | 
					
						
							|  |  |  |         services.certmgr = { | 
					
						
							|  |  |  |           enable = true; | 
					
						
							|  |  |  |           inherit svcManager; | 
					
						
							|  |  |  |           inherit specs; | 
					
						
							|  |  |  |         }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |       }; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     inherit testScript; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | in | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |   systemd = mkCertmgrTest { | 
					
						
							|  |  |  |     svcManager = "systemd"; | 
					
						
							|  |  |  |     specs = { | 
					
						
							|  |  |  |       decl = mkSpec { host = "decl.example.org"; service = "nginx"; action ="restart"; }; | 
					
						
							|  |  |  |       imp = toString (pkgs.writeText "test.json" (builtins.toJSON ( | 
					
						
							|  |  |  |         mkSpec { host = "imp.example.org"; service = "nginx"; action = "restart"; } | 
					
						
							|  |  |  |       ))); | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     testScript = ''
 | 
					
						
							| 
									
										
										
										
											2019-11-06 18:35:34 +01:00
										 |  |  |       machine.wait_for_unit("cfssl.service") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("ls /tmp/decl.example.org-ca.pem") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("ls /tmp/decl.example.org-key.pem") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("ls /tmp/decl.example.org-cert.pem") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("ls /tmp/imp.example.org-ca.pem") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("ls /tmp/imp.example.org-key.pem") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("ls /tmp/imp.example.org-cert.pem") | 
					
						
							|  |  |  |       machine.wait_for_unit("nginx.service") | 
					
						
							|  |  |  |       assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l')) | 
					
						
							|  |  |  |       machine.succeed("curl --cacert /tmp/imp.example.org-ca.pem https://imp.example.org") | 
					
						
							|  |  |  |       machine.succeed("curl --cacert /tmp/decl.example.org-ca.pem https://decl.example.org") | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  |     '';
 | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   command = mkCertmgrTest { | 
					
						
							|  |  |  |     svcManager = "command"; | 
					
						
							|  |  |  |     specs = { | 
					
						
							|  |  |  |       test = mkSpec { host = "command.example.org"; action = "touch /tmp/command.executed"; }; | 
					
						
							|  |  |  |     }; | 
					
						
							|  |  |  |     testScript = ''
 | 
					
						
							| 
									
										
										
										
											2019-11-06 18:35:34 +01:00
										 |  |  |       machine.wait_for_unit("cfssl.service") | 
					
						
							|  |  |  |       machine.wait_until_succeeds("stat /tmp/command.executed") | 
					
						
							| 
									
										
										
										
											2018-08-06 14:28:52 +02:00
										 |  |  |     '';
 | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | } |