nixos/tests: add step-ca test
This commit is contained in:
parent
84a49fca51
commit
9d01ce82ac
@ -1,4 +1,4 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, nixosTests, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.step-ca;
|
cfg = config.services.step-ca;
|
||||||
settingsFormat = (pkgs.formats.json { });
|
settingsFormat = (pkgs.formats.json { });
|
||||||
@ -82,6 +82,8 @@ in
|
|||||||
});
|
});
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
passthru.tests.step-ca = nixosTests.step-ca;
|
||||||
|
|
||||||
assertions =
|
assertions =
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
|
@ -425,6 +425,7 @@ in
|
|||||||
sslh = handleTest ./sslh.nix {};
|
sslh = handleTest ./sslh.nix {};
|
||||||
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
|
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
|
||||||
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
|
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
|
||||||
|
step-ca = handleTestOn ["x86_64-linux"] ./step-ca.nix {};
|
||||||
strongswan-swanctl = handleTest ./strongswan-swanctl.nix {};
|
strongswan-swanctl = handleTest ./strongswan-swanctl.nix {};
|
||||||
sudo = handleTest ./sudo.nix {};
|
sudo = handleTest ./sudo.nix {};
|
||||||
sway = handleTest ./sway.nix {};
|
sway = handleTest ./sway.nix {};
|
||||||
|
76
nixos/tests/step-ca.nix
Normal file
76
nixos/tests/step-ca.nix
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
import ./make-test-python.nix ({ pkgs, ... }:
|
||||||
|
let
|
||||||
|
test-certificates = pkgs.runCommandLocal "test-certificates" { } ''
|
||||||
|
mkdir -p $out
|
||||||
|
echo insecure-root-password > $out/root-password-file
|
||||||
|
echo insecure-intermediate-password > $out/intermediate-password-file
|
||||||
|
${pkgs.step-cli}/bin/step certificate create "Example Root CA" $out/root_ca.crt $out/root_ca.key --password-file=$out/root-password-file --profile root-ca
|
||||||
|
${pkgs.step-cli}/bin/step certificate create "Example Intermediate CA 1" $out/intermediate_ca.crt $out/intermediate_ca.key --password-file=$out/intermediate-password-file --ca-password-file=$out/root-password-file --profile intermediate-ca --ca $out/root_ca.crt --ca-key $out/root_ca.key
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
nodes =
|
||||||
|
{
|
||||||
|
caserver =
|
||||||
|
{ config, pkgs, ... }: {
|
||||||
|
services.step-ca = {
|
||||||
|
enable = true;
|
||||||
|
address = "0.0.0.0";
|
||||||
|
port = 8443;
|
||||||
|
openFirewall = true;
|
||||||
|
intermediatePasswordFile = "${test-certificates}/intermediate-password-file";
|
||||||
|
settings = {
|
||||||
|
dnsNames = [ "caserver" ];
|
||||||
|
root = "${test-certificates}/root_ca.crt";
|
||||||
|
crt = "${test-certificates}/intermediate_ca.crt";
|
||||||
|
key = "${test-certificates}/intermediate_ca.key";
|
||||||
|
db = {
|
||||||
|
type = "badger";
|
||||||
|
dataSource = "/var/lib/step-ca/db";
|
||||||
|
};
|
||||||
|
authority = {
|
||||||
|
provisioners = [
|
||||||
|
{
|
||||||
|
type = "ACME";
|
||||||
|
name = "acme";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
caclient =
|
||||||
|
{ config, pkgs, ... }: {
|
||||||
|
security.acme.server = "https://caserver:8443/acme/acme/directory";
|
||||||
|
security.acme.email = "root@example.org";
|
||||||
|
security.acme.acceptTerms = true;
|
||||||
|
|
||||||
|
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts = {
|
||||||
|
"caclient" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
catester = { config, pkgs, ... }: {
|
||||||
|
security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript =
|
||||||
|
''
|
||||||
|
catester.start()
|
||||||
|
caserver.wait_for_unit("step-ca.service")
|
||||||
|
caclient.wait_for_unit("acme-finished-caclient.target")
|
||||||
|
catester.succeed("curl https://caclient/ | grep \"Welcome to nginx!\"")
|
||||||
|
'';
|
||||||
|
})
|
@ -7,6 +7,7 @@
|
|||||||
, PCSC
|
, PCSC
|
||||||
, pkg-config
|
, pkg-config
|
||||||
, hsmSupport ? true
|
, hsmSupport ? true
|
||||||
|
, nixosTests
|
||||||
}:
|
}:
|
||||||
|
|
||||||
buildGoModule rec {
|
buildGoModule rec {
|
||||||
@ -46,6 +47,8 @@ buildGoModule rec {
|
|||||||
# panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted
|
# panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted
|
||||||
__darwinAllowLocalNetworking = true;
|
__darwinAllowLocalNetworking = true;
|
||||||
|
|
||||||
|
passthru.tests.step-ca = nixosTests.step-ca;
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
description = "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH";
|
description = "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH";
|
||||||
homepage = "https://smallstep.com/certificates/";
|
homepage = "https://smallstep.com/certificates/";
|
||||||
|
Loading…
Reference in New Issue
Block a user