nixos/tests/cfssl.nix

   1 import ./make-test-python.nix ({ pkgs, ...} : {
   2   name = "cfssl";
   3
   4   nodes.machine = { config, lib, pkgs, ... }:
   5   {
   6     networking.firewall.allowedTCPPorts = [ config.services.cfssl.port ];
   7
   8     services.cfssl.enable = true;
   9     systemd.services.cfssl.after = [ "cfssl-init.service" ];
  10
  11     systemd.services.cfssl-init = {
  12       description = "Initialize the cfssl CA";
  13       wantedBy    = [ "multi-user.target" ];
  14       serviceConfig = {
  15         User             = "cfssl";
  16         Type             = "oneshot";
  17         WorkingDirectory = config.services.cfssl.dataDir;
  18       };
  19       script = with pkgs; ''
  20         ${cfssl}/bin/cfssl genkey -initca ${pkgs.writeText "ca.json" (builtins.toJSON {
  21           hosts = [ "ca.example.com" ];
  22           key = {
  23             algo = "rsa"; size = 4096; };
  24             names = [
  25               {
  26                 C = "US";
  27                 L = "San Francisco";
  28                 O = "Internet Widgets, LLC";
  29                 OU = "Certificate Authority";
  30                 ST = "California";
  31               }
  32             ];
  33         })} | ${cfssl}/bin/cfssljson -bare ca
  34       '';
  35     };
  36   };
  37
  38   testScript =
  39   let
  40     cfsslrequest = with pkgs; writeScript "cfsslrequest" ''
  41       curl -f -X POST -H "Content-Type: application/json" -d @${csr} \
  42         http://localhost:8888/api/v1/cfssl/newkey | ${cfssl}/bin/cfssljson /tmp/certificate
  43     '';
  44     csr = pkgs.writeText "csr.json" (builtins.toJSON {
  45       CN = "www.example.com";
  46       hosts = [ "example.com" "www.example.com" ];
  47       key = {
  48         algo = "rsa";
  49         size = 2048;
  50       };
  51       names = [
  52         {
  53           C = "US";
  54           L = "San Francisco";
  55           O = "Example Company, LLC";
  56           OU = "Operations";
  57           ST = "California";
  58         }
  59       ];
  60     });
  61   in
  62     ''
  63       machine.wait_for_unit("cfssl.service")
  64       machine.wait_until_succeeds("${cfsslrequest}")
  65       machine.succeed("ls /tmp/certificate-key.pem")
  66     '';
  67 })