diff options
author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /nixos/tests/certmgr.nix | |
parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
download | nixpkgs-archive.tar nixpkgs-archive.tar.gz nixpkgs-archive.tar.bz2 nixpkgs-archive.tar.lz nixpkgs-archive.tar.xz nixpkgs-archive.tar.zst nixpkgs-archive.zip |
Last good Nixpkgs for Weston+nouveau? archive
I came this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'nixos/tests/certmgr.nix')
-rw-r--r-- | nixos/tests/certmgr.nix | 155 |
1 files changed, 155 insertions, 0 deletions
diff --git a/nixos/tests/certmgr.nix b/nixos/tests/certmgr.nix new file mode 100644 index 00000000000..8f5b8948779 --- /dev/null +++ b/nixos/tests/certmgr.nix @@ -0,0 +1,155 @@ +{ system ? builtins.currentSystem, + config ? {}, + pkgs ? import ../.. { inherit system config; } +}: + +with import ../lib/testing-python.nix { inherit system pkgs; }; +let + mkSpec = { host, service ? null, action }: { + inherit action; + authority = { + file = { + group = "nginx"; + owner = "nginx"; + path = "/var/ssl/${host}-ca.pem"; + }; + label = "www_ca"; + profile = "three-month"; + remote = "localhost:8888"; + }; + certificate = { + group = "nginx"; + owner = "nginx"; + path = "/var/ssl/${host}-cert.pem"; + }; + private_key = { + group = "nginx"; + mode = "0600"; + owner = "nginx"; + path = "/var/ssl/${host}-key.pem"; + }; + request = { + CN = host; + hosts = [ host "www.${host}" ]; + key = { + algo = "rsa"; + size = 2048; + }; + names = [ + { + C = "US"; + L = "San Francisco"; + O = "Example, LLC"; + ST = "CA"; + } + ]; + }; + inherit service; + }; + + mkCertmgrTest = { svcManager, specs, testScript }: makeTest { + name = "certmgr-" + svcManager; + nodes = { + machine = { config, lib, pkgs, ... }: { + networking.firewall.allowedTCPPorts = with config.services; [ cfssl.port certmgr.metricsPort ]; + networking.extraHosts = "127.0.0.1 imp.example.org decl.example.org"; + + services.cfssl.enable = true; + systemd.services.cfssl.after = [ "cfssl-init.service" "networking.target" ]; + + systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ]; + + systemd.services.cfssl-init = { + description = "Initialize the cfssl CA"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "cfssl"; + Type = "oneshot"; + WorkingDirectory = config.services.cfssl.dataDir; + }; + script = '' + ${pkgs.cfssl}/bin/cfssl genkey -initca ${pkgs.writeText "ca.json" (builtins.toJSON { + hosts = [ "ca.example.com" ]; + key = { + algo = "rsa"; size = 4096; }; + names = [ + { + C = "US"; + L = "San Francisco"; + O = "Internet Widgets, LLC"; + OU = "Certificate Authority"; + ST = "California"; + } + ]; + })} | ${pkgs.cfssl}/bin/cfssljson -bare ca + ''; + }; + + services.nginx = { + enable = true; + virtualHosts = lib.mkMerge (map (host: { + ${host} = { + sslCertificate = "/var/ssl/${host}-cert.pem"; + sslCertificateKey = "/var/ssl/${host}-key.pem"; + extraConfig = '' + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ''; + onlySSL = true; + serverName = host; + root = pkgs.writeTextDir "index.html" "It works!"; + }; + }) [ "imp.example.org" "decl.example.org" ]); + }; + + systemd.services.nginx.wantedBy = lib.mkForce []; + + systemd.services.certmgr.after = [ "cfssl.service" ]; + services.certmgr = { + enable = true; + inherit svcManager; + inherit specs; + }; + + }; + }; + inherit testScript; + }; +in +{ + systemd = mkCertmgrTest { + svcManager = "systemd"; + specs = { + decl = mkSpec { host = "decl.example.org"; service = "nginx"; action ="restart"; }; + imp = toString (pkgs.writeText "test.json" (builtins.toJSON ( + mkSpec { host = "imp.example.org"; service = "nginx"; action = "restart"; } + ))); + }; + testScript = '' + machine.wait_for_unit("cfssl.service") + machine.wait_until_succeeds("ls /var/ssl/decl.example.org-ca.pem") + machine.wait_until_succeeds("ls /var/ssl/decl.example.org-key.pem") + machine.wait_until_succeeds("ls /var/ssl/decl.example.org-cert.pem") + machine.wait_until_succeeds("ls /var/ssl/imp.example.org-ca.pem") + machine.wait_until_succeeds("ls /var/ssl/imp.example.org-key.pem") + machine.wait_until_succeeds("ls /var/ssl/imp.example.org-cert.pem") + machine.wait_for_unit("nginx.service") + assert 1 < int(machine.succeed('journalctl -u nginx | grep "Starting Nginx" | wc -l')) + machine.succeed("curl --cacert /var/ssl/imp.example.org-ca.pem https://imp.example.org") + machine.succeed( + "curl --cacert /var/ssl/decl.example.org-ca.pem https://decl.example.org" + ) + ''; + }; + + command = mkCertmgrTest { + svcManager = "command"; + specs = { + test = mkSpec { host = "command.example.org"; action = "touch /tmp/command.executed"; }; + }; + testScript = '' + machine.wait_for_unit("cfssl.service") + machine.wait_until_succeeds("stat /tmp/command.executed") + ''; + }; + +} |