
improve ssl block

This commit is contained in:
ibizaman 2024-01-20 20:11:03 -08:00 committed by Pierre Penninckx
parent 3211585373
commit 7e2f76e7f9
3 changed files with 56 additions and 20 deletions


@ -257,8 +257,13 @@ in
script = '' script = ''
mkdir -p /etc/ssl/certs mkdir -p /etc/ssl/certs
rm -f /etc/ssl/certs/ca-bundle.crt
rm -f /etc/ssl/certs/ca-certificates.crt rm -f /etc/ssl/certs/ca-certificates.crt
cat /etc/static/ssl/certs/ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
cat /etc/static/ssl/certs/ca-bundle.crt > /etc/ssl/certs/ca-certificates.crt
for file in ${lib.concatStringsSep " " (lib.mapAttrsToList (_name: caCfg: caCfg.paths.cert) cfg.cas.selfsigned)}; do for file in ${lib.concatStringsSep " " (lib.mapAttrsToList (_name: caCfg: caCfg.paths.cert) cfg.cas.selfsigned)}; do
cat "$file" >> /etc/ssl/certs/ca-bundle.crt
cat "$file" >> /etc/ssl/certs/ca-certificates.crt cat "$file" >> /etc/ssl/certs/ca-certificates.crt
done done
''; '';
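Review bot: The CA bundle is rebuilt in place — `rm -f`, then `cat >`, then one `cat >>` per self-signed CA — so any process that opens /etc/ssl/certs/ca-bundle.crt or ca-certificates.crt during that window sees either no file or a bundle that still lacks the trailing CAs, and a failure mid-loop leaves a truncated bundle behind. Building into a temporary file in the same directory and renaming it over the target makes the switch atomic, replaces the existing symlink without the separate `rm -f` lines, and lets both targets be produced from one pass instead of duplicating the copy and the loop. The mode of the result is whatever the unit's umask gives `cat >`; the bundle has to stay world-readable, so it is worth setting explicitly. The enclosing `script` attribute and service definition start before this hunk.
```nix
script = ''
  mkdir -p /etc/ssl/certs
  tmp=$(mktemp /etc/ssl/certs/.ca-bundle.XXXXXX)
  cat /etc/static/ssl/certs/ca-bundle.crt > "$tmp"
  for file in ${lib.concatStringsSep " " (lib.mapAttrsToList (_name: caCfg: caCfg.paths.cert) cfg.cas.selfsigned)}; do
    cat "$file" >> "$tmp"
  done
  cp "$tmp" "$tmp.certificates"
  chmod 0644 "$tmp" "$tmp.certificates"
  # rename replaces the directory entry (symlink or file) atomically
  mv -f "$tmp.certificates" /etc/ssl/certs/ca-certificates.crt
  mv -f "$tmp" /etc/ssl/certs/ca-bundle.crt
'';
```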


@ -96,22 +96,22 @@ To use either a self-signed certificates or a Let's Encrypt generated one, we ca
where the certificate and the private key are located: where the certificate and the private key are located:
```nix ```nix
config.shb.certs.<implementation>.<name>.paths.cert config.shb.certs.certs.<implementation>.<name>.paths.cert
config.shb.certs.<implementation>.<name>.paths.key config.shb.certs.certs.<implementation>.<name>.paths.key
``` ```
For example: For example:
```nix ```nix
config.shb.certs.selfsigned."example.com".paths.cert config.shb.certs.certs.selfsigned."example.com".paths.cert
config.shb.certs.selfsigned."example.com".paths.key config.shb.certs.certs.selfsigned."example.com".paths.key
``` ```
We can then configure Nginx to use those certificates: We can then configure Nginx to use those certificates:
```nix ```nix
services.nginx.virtualHosts."example.com" = services.nginx.virtualHosts."example.com" =
let let
cert = config.shb.certs.selfsigned."example.com"; cert = config.shb.certs.certs.selfsigned."example.com";
in in
{ {
onlySSL = true; onlySSL = true;
@ -130,8 +130,8 @@ certificate to the generated:
```nix ```nix
systemd.services.nginx = { systemd.services.nginx = {
after = [ config.shb.certs.selfsigned."example.com".systemdService ]; after = [ config.shb.certs.certs.selfsigned."example.com".systemdService ];
requires = [ config.shb.certs.selfsigned."example.com".systemdService ]; requires = [ config.shb.certs.certs.selfsigned."example.com".systemdService ];
}; };
``` ```


@ -18,31 +18,46 @@
}; };
}; };
certs.selfsigned = { certs.selfsigned = {
mycert = { top = {
ca = config.shb.certs.cas.selfsigned.myca; ca = config.shb.certs.cas.selfsigned.myca;
domain = "example.com"; domain = "example.com";
}; };
subdomain = {
ca = config.shb.certs.cas.selfsigned.myca;
domain = "subdomain.example.com";
};
}; };
}; };
# The configuration below is to create a webserver that uses the server certificate. # The configuration below is to create a webserver that uses the server certificate.
networking.hosts."127.0.0.1" = [ "example.com" ]; networking.hosts."127.0.0.1" = [ "example.com" "subdomain.example.com" "wrong.example.com" ];
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."example.com" = services.nginx.virtualHosts."example.com" =
{ {
onlySSL = true; onlySSL = true;
sslCertificate = config.shb.certs.certs.selfsigned.mycert.paths.cert; sslCertificate = config.shb.certs.certs.selfsigned.top.paths.cert;
sslCertificateKey = config.shb.certs.certs.selfsigned.mycert.paths.key; sslCertificateKey = config.shb.certs.certs.selfsigned.top.paths.key;
locations."/".extraConfig = '' locations."/".extraConfig = ''
add_header Content-Type text/plain; add_header Content-Type text/plain;
return 200 'It works!'; return 200 'Top domain';
'';
};
services.nginx.virtualHosts."subdomain.example.com" =
{
onlySSL = true;
sslCertificate = config.shb.certs.certs.selfsigned.subdomain.paths.cert;
sslCertificateKey = config.shb.certs.certs.selfsigned.subdomain.paths.key;
locations."/".extraConfig = ''
add_header Content-Type text/plain;
return 200 'Subdomain';
''; '';
}; };
systemd.services.nginx = { systemd.services.nginx = {
after = [ config.shb.certs.certs.selfsigned.mycert.systemdService ]; after = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
requires = [ config.shb.certs.certs.selfsigned.mycert.systemdService ]; requires = [ config.shb.certs.certs.selfsigned.top.systemdService config.shb.certs.certs.selfsigned.subdomain.systemdService ];
}; };
}; };
@ -51,7 +66,8 @@
let let
myca = nodes.server.shb.certs.cas.selfsigned.myca; myca = nodes.server.shb.certs.cas.selfsigned.myca;
myotherca = nodes.server.shb.certs.cas.selfsigned.myotherca; myotherca = nodes.server.shb.certs.cas.selfsigned.myotherca;
mycert = nodes.server.shb.certs.certs.selfsigned.mycert; top = nodes.server.shb.certs.certs.selfsigned.top;
subdomain = nodes.server.shb.certs.certs.selfsigned.subdomain;
in in
'' ''
start_all() start_all()
@ -61,16 +77,31 @@
server.wait_for_file("${myca.paths.cert}") server.wait_for_file("${myca.paths.cert}")
server.wait_for_file("${myotherca.paths.key}") server.wait_for_file("${myotherca.paths.key}")
server.wait_for_file("${myotherca.paths.cert}") server.wait_for_file("${myotherca.paths.cert}")
server.wait_for_file("${mycert.paths.key}") server.wait_for_file("${top.paths.key}")
server.wait_for_file("${mycert.paths.cert}") server.wait_for_file("${top.paths.cert}")
server.wait_for_file("${subdomain.paths.key}")
server.wait_for_file("${subdomain.paths.cert}")
# Wait for jkkk # Wait for jkkk
server.require_unit_state("${nodes.server.shb.certs.systemdService}", "inactive") server.require_unit_state("${nodes.server.shb.certs.systemdService}", "inactive")
machine.wait_for_unit("nginx")
machine.wait_for_open_port(443)
with subtest("Certificate is trusted in curl"): with subtest("Certificate is trusted in curl"):
machine.wait_for_unit("nginx") resp = machine.succeed("curl --fail-with-body -v https://example.com")
machine.wait_for_open_port(443) if resp != "Top domain":
machine.succeed("curl --fail-with-body -v https://example.com") raise Exception('Unexpected response, got: {}'.format(resp))
resp = machine.succeed("curl --fail-with-body -v https://subdomain.example.com")
if resp != "Subdomain":
raise Exception('Unexpected response, got: {}'.format(resp))
with subtest("Fail if certificate is not in CA bundle"):
machine.fail("curl --cacert /etc/static/ssl/certs/ca-bundle.crt --fail-with-body -v https://example.com")
machine.fail("curl --cacert /etc/static/ssl/certs/ca-bundle.crt --fail-with-body -v https://subdomain.example.com")
machine.fail("curl --cacert /etc/static/ssl/certs/ca-certificates.crt --fail-with-body -v https://example.com")
machine.fail("curl --cacert /etc/static/ssl/certs/ca-certificates.crt --fail-with-body -v https://subdomain.example.com")
''; '';
}; };
} }
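Review bot: `wrong.example.com` is added to `networking.hosts` in the first hunk of this file but nothing in the test script uses it, so the hostname-mismatch case it was evidently set up for is not exercised: a connection to a name that neither certificate covers should be rejected even though the issuing CA is trusted. A subtest along the lines of `machine.fail("curl --fail-with-body -v https://wrong.example.com")` would cover it. Separately, `machine.fail` in the "Fail if certificate is not in CA bundle" subtest accepts any non-zero exit, so a refused connection or a 4xx surfaced by `--fail-with-body` would also pass it; running the curl command and testing `$?` against 60 (curl's "peer certificate cannot be authenticated with known CA certificates") in the same shell command pins the failure to verification. The stale `# Wait for jkkk` comment on the context line above the `require_unit_state` call could say what is actually awaited, e.g. `# Wait for the certificate generation unit to finish`.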