2024-01-12 08:22:46 +01:00
|
|
|
{ pkgs, lib, ... }:
|
|
|
|
{
|
|
|
|
test = pkgs.nixosTest {
|
|
|
|
name = "ssl-test";
|
|
|
|
|
|
|
|
nodes.server = { config, pkgs, ... }: {
|
|
|
|
imports = [
|
|
|
|
../../modules/blocks/ssl.nix
|
|
|
|
];
|
|
|
|
|
2024-01-25 07:41:18 +01:00
|
|
|
users.users = {
|
|
|
|
user1 = {
|
|
|
|
group = "group1";
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
user2 = {
|
|
|
|
group = "group2";
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
users.groups = {
|
|
|
|
group1 = {};
|
|
|
|
group2 = {};
|
|
|
|
};
|
|
|
|
|
2024-01-12 08:22:46 +01:00
|
|
|
shb.certs = {
|
|
|
|
cas.selfsigned = {
|
|
|
|
myca = {
|
|
|
|
name = "My CA";
|
|
|
|
};
|
|
|
|
myotherca = {
|
|
|
|
name = "My Other CA";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
certs.selfsigned = {
|
2024-01-21 05:11:03 +01:00
|
|
|
top = {
|
2024-01-12 08:22:46 +01:00
|
|
|
ca = config.shb.certs.cas.selfsigned.myca;
|
|
|
|
|
|
|
|
domain = "example.com";
|
2024-01-25 07:41:18 +01:00
|
|
|
group = "nginx";
|
2024-01-12 08:22:46 +01:00
|
|
|
};
|
2024-01-21 05:11:03 +01:00
|
|
|
subdomain = {
|
|
|
|
ca = config.shb.certs.cas.selfsigned.myca;
|
|
|
|
|
|
|
|
domain = "subdomain.example.com";
|
2024-01-25 07:41:18 +01:00
|
|
|
group = "nginx";
|
2024-01-21 05:11:03 +01:00
|
|
|
};
|
2024-01-24 08:16:46 +01:00
|
|
|
multi = {
|
|
|
|
ca = config.shb.certs.cas.selfsigned.myca;
|
|
|
|
|
|
|
|
domain = "multi1.example.com";
|
|
|
|
extraDomains = [ "multi2.example.com" "multi3.example.com" ];
|
2024-01-25 07:41:18 +01:00
|
|
|
group = "nginx";
|
|
|
|
};
|
|
|
|
|
|
|
|
cert1 = {
|
|
|
|
ca = config.shb.certs.cas.selfsigned.myca;
|
|
|
|
|
|
|
|
domain = "cert1.example.com";
|
|
|
|
};
|
|
|
|
cert2 = {
|
|
|
|
ca = config.shb.certs.cas.selfsigned.myca;
|
|
|
|
|
|
|
|
domain = "cert2.example.com";
|
|
|
|
group = "group2";
|
2024-01-24 08:16:46 +01:00
|
|
|
};
|
2024-01-12 08:22:46 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# The configuration below is to create a webserver that uses the server certificate.
|
2024-01-24 08:16:46 +01:00
|
|
|
networking.hosts."127.0.0.1" = [
|
|
|
|
"example.com"
|
|
|
|
"subdomain.example.com"
|
|
|
|
"wrong.example.com"
|
|
|
|
"multi1.example.com"
|
|
|
|
"multi2.example.com"
|
|
|
|
"multi3.example.com"
|
|
|
|
];
|
2024-01-12 08:22:46 +01:00
|
|
|
|
|
|
|
services.nginx.enable = true;
|
2024-01-24 08:16:46 +01:00
|
|
|
services.nginx.virtualHosts =
|
|
|
|
let
|
|
|
|
mkVirtualHost = response: cert: {
|
|
|
|
onlySSL = true;
|
|
|
|
sslCertificate = cert.paths.cert;
|
|
|
|
sslCertificateKey = cert.paths.key;
|
|
|
|
locations."/".extraConfig = ''
|
|
|
|
add_header Content-Type text/plain;
|
|
|
|
return 200 '${response}';
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
|
|
"example.com" = mkVirtualHost "Top domain" config.shb.certs.certs.selfsigned.top;
|
|
|
|
"subdomain.example.com" = mkVirtualHost "Subdomain" config.shb.certs.certs.selfsigned.subdomain;
|
|
|
|
"multi1.example.com" = mkVirtualHost "multi1" config.shb.certs.certs.selfsigned.multi;
|
|
|
|
"multi2.example.com" = mkVirtualHost "multi2" config.shb.certs.certs.selfsigned.multi;
|
|
|
|
"multi3.example.com" = mkVirtualHost "multi3" config.shb.certs.certs.selfsigned.multi;
|
|
|
|
};
|
2024-01-12 08:22:46 +01:00
|
|
|
systemd.services.nginx = {
|
2024-01-21 05:11:03 +01:00
|
|
|
after = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
|
|
|
|
requires = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
|
2024-01-12 08:22:46 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Taken from https://github.com/NixOS/nixpkgs/blob/7f311dd9226bbd568a43632c977f4992cfb2b5c8/nixos/tests/custom-ca.nix
|
|
|
|
testScript = { nodes, ... }:
|
|
|
|
let
|
|
|
|
myca = nodes.server.shb.certs.cas.selfsigned.myca;
|
|
|
|
myotherca = nodes.server.shb.certs.cas.selfsigned.myotherca;
|
2024-01-21 05:11:03 +01:00
|
|
|
top = nodes.server.shb.certs.certs.selfsigned.top;
|
|
|
|
subdomain = nodes.server.shb.certs.certs.selfsigned.subdomain;
|
2024-01-24 08:16:46 +01:00
|
|
|
multi = nodes.server.shb.certs.certs.selfsigned.multi;
|
2024-01-25 07:41:18 +01:00
|
|
|
cert1 = nodes.server.shb.certs.certs.selfsigned.cert1;
|
|
|
|
cert2 = nodes.server.shb.certs.certs.selfsigned.cert2;
|
|
|
|
cert3 = nodes.server.shb.certs.certs.selfsigned.cert3;
|
2024-01-12 08:22:46 +01:00
|
|
|
in
|
|
|
|
''
|
|
|
|
start_all()
|
|
|
|
|
|
|
|
# Make sure certs are generated.
|
|
|
|
server.wait_for_file("${myca.paths.key}")
|
|
|
|
server.wait_for_file("${myca.paths.cert}")
|
|
|
|
server.wait_for_file("${myotherca.paths.key}")
|
|
|
|
server.wait_for_file("${myotherca.paths.cert}")
|
2024-01-21 05:11:03 +01:00
|
|
|
server.wait_for_file("${top.paths.key}")
|
|
|
|
server.wait_for_file("${top.paths.cert}")
|
|
|
|
server.wait_for_file("${subdomain.paths.key}")
|
|
|
|
server.wait_for_file("${subdomain.paths.cert}")
|
2024-01-24 08:16:46 +01:00
|
|
|
server.wait_for_file("${multi.paths.key}")
|
|
|
|
server.wait_for_file("${multi.paths.cert}")
|
2024-01-25 07:41:18 +01:00
|
|
|
server.wait_for_file("${cert1.paths.key}")
|
|
|
|
server.wait_for_file("${cert1.paths.cert}")
|
|
|
|
server.wait_for_file("${cert2.paths.key}")
|
|
|
|
server.wait_for_file("${cert2.paths.cert}")
|
2024-01-12 08:22:46 +01:00
|
|
|
|
|
|
|
server.require_unit_state("${nodes.server.shb.certs.systemdService}", "inactive")
|
|
|
|
|
2024-01-24 08:16:46 +01:00
|
|
|
server.wait_for_unit("nginx")
|
|
|
|
server.wait_for_open_port(443)
|
2024-01-21 05:11:03 +01:00
|
|
|
|
2024-01-25 07:41:18 +01:00
|
|
|
def assert_owner(path, user, group):
|
|
|
|
owner = server.succeed("stat --format '%U:%G' {}".format(path)).strip();
|
|
|
|
want_owner = user + ":" + group
|
|
|
|
if owner != want_owner:
|
|
|
|
raise Exception('Unexpected owner for {}: wanted "{}", got: "{}"'.format(path, want_owner, owner))
|
|
|
|
|
|
|
|
def assert_perm(path, want_perm):
|
|
|
|
perm = server.succeed("stat --format '%a' {}".format(path)).strip();
|
|
|
|
if perm != want_perm:
|
|
|
|
raise Exception('Unexpected perm for {}: wanted "{}", got: "{}"'.format(path, want_perm, perm))
|
|
|
|
|
2024-01-12 08:22:46 +01:00
|
|
|
with subtest("Certificate is trusted in curl"):
|
2024-01-24 08:16:46 +01:00
|
|
|
resp = server.succeed("curl --fail-with-body -v https://example.com")
|
2024-01-21 05:11:03 +01:00
|
|
|
if resp != "Top domain":
|
|
|
|
raise Exception('Unexpected response, got: {}'.format(resp))
|
|
|
|
|
2024-01-24 08:16:46 +01:00
|
|
|
resp = server.succeed("curl --fail-with-body -v https://subdomain.example.com")
|
2024-01-21 05:11:03 +01:00
|
|
|
if resp != "Subdomain":
|
|
|
|
raise Exception('Unexpected response, got: {}'.format(resp))
|
|
|
|
|
2024-01-24 08:16:46 +01:00
|
|
|
resp = server.succeed("curl --fail-with-body -v https://multi1.example.com")
|
|
|
|
if resp != "multi1":
|
|
|
|
raise Exception('Unexpected response, got: {}'.format(resp))
|
|
|
|
|
|
|
|
resp = server.succeed("curl --fail-with-body -v https://multi2.example.com")
|
|
|
|
if resp != "multi2":
|
|
|
|
raise Exception('Unexpected response, got: {}'.format(resp))
|
|
|
|
|
|
|
|
resp = server.succeed("curl --fail-with-body -v https://multi3.example.com")
|
|
|
|
if resp != "multi3":
|
|
|
|
raise Exception('Unexpected response, got: {}'.format(resp))
|
|
|
|
|
2024-01-25 07:41:18 +01:00
|
|
|
with subtest("Certificate has correct permission"):
|
|
|
|
assert_owner("${cert1.paths.key}", "root", "root")
|
|
|
|
assert_owner("${cert1.paths.cert}", "root", "root")
|
|
|
|
assert_perm("${cert1.paths.key}", "640")
|
|
|
|
assert_perm("${cert1.paths.cert}", "640")
|
|
|
|
|
|
|
|
assert_owner("${cert2.paths.key}", "root", "group2")
|
|
|
|
assert_owner("${cert2.paths.cert}", "root", "group2")
|
|
|
|
assert_perm("${cert2.paths.key}", "640")
|
|
|
|
assert_perm("${cert2.paths.cert}", "640")
|
|
|
|
|
2024-01-21 05:11:03 +01:00
|
|
|
with subtest("Fail if certificate is not in CA bundle"):
|
2024-01-24 08:16:46 +01:00
|
|
|
server.fail("curl --cacert /etc/static/ssl/certs/ca-bundle.crt --fail-with-body -v https://example.com")
|
|
|
|
server.fail("curl --cacert /etc/static/ssl/certs/ca-bundle.crt --fail-with-body -v https://subdomain.example.com")
|
|
|
|
server.fail("curl --cacert /etc/static/ssl/certs/ca-certificates.crt --fail-with-body -v https://example.com")
|
|
|
|
server.fail("curl --cacert /etc/static/ssl/certs/ca-certificates.crt --fail-with-body -v https://subdomain.example.com")
|
2024-01-12 08:22:46 +01:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
}
|