Diffstat (limited to 'tests/by-name/em/email-dns/nodes')
-rwxr-xr-xtests/by-name/em/email-dns/nodes/acme/certs/generate66
-rwxr-xr-xtests/by-name/em/email-dns/nodes/acme/certs/generate.ca38
-rwxr-xr-xtests/by-name/em/email-dns/nodes/acme/certs/generate.client44
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem11
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem25
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template5
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem10
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem25
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template5
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix13
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/client.nix21
-rw-r--r--tests/by-name/em/email-dns/nodes/acme/default.nix114
-rw-r--r--tests/by-name/em/email-dns/nodes/mail_server.nix8
-rw-r--r--tests/by-name/em/email-dns/nodes/name_server.nix2
-rw-r--r--tests/by-name/em/email-dns/nodes/user.nix2
15 files changed, 6 insertions, 383 deletions
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/generate b/tests/by-name/em/email-dns/nodes/acme/certs/generate
deleted file mode 100755
index 0d6258e..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/generate
+++ /dev/null
@@ -1,66 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -p gnutls -p dash -i dash --impure
-# shellcheck shell=dash
-
-# For development and testing.
-# Create a CA key and cert, and use that to generate a server key and cert.
-# Creates:
-# ca.key.pem
-# ca.cert.pem
-# server.key.pem
-# server.cert.pem
-
-export SEC_PARAM=ultra
-export EXPIRATION_DAYS=123456
-export ORGANIZATION="Vhack.eu Test Keys"
-export COUNTRY=EU
-export SAN="acme.test"
-export KEY_TYPE="ed25519"
-
-BASEDIR="$(dirname "$0")"
-GENERATION_LOCATION="$BASEDIR/output"
-cd "$BASEDIR" || {
- echo "(BUG?) No basedir ('$BASEDIR')" 1>&2
- exit 1
-}
-
-ca=false
-clients=false
-
-usage() {
- echo "Usage: $0 --ca|--clients"
- exit 2
-}
-
-if [ "$#" -eq 0 ]; then
- usage
-fi
-
-for arg in "$@"; do
- case "$arg" in
- "--ca")
- ca=true
- ;;
- "--clients")
- clients=true
- ;;
- *)
- usage
- ;;
- esac
-done
-
-[ -d "$GENERATION_LOCATION" ] || mkdir --parents "$GENERATION_LOCATION"
-cd "$GENERATION_LOCATION" || echo "(BUG?) No generation location fould!" 1>&2
-
-[ "$ca" = true ] && ../generate.ca
-
-# Creates:
-# <client_name>.key.pem
-# <client_name>.cert.pem
-#
-[ "$clients" = true ] && ../generate.client "acme.test"
-
-echo "(INFO) Look for the keys at: $GENERATION_LOCATION"
-
-# vim: ft=sh
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/generate.ca b/tests/by-name/em/email-dns/nodes/acme/certs/generate.ca
deleted file mode 100755
index 92832c5..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/generate.ca
+++ /dev/null
@@ -1,38 +0,0 @@
-#! /usr/bin/env sh
-
-# Take the correct binary to create the certificates
-CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]; then
- echo "ERROR: No certtool found" >&2
- exit 1
-fi
-
-# Create a CA key.
-$CERTTOOL \
- --generate-privkey \
- --sec-param "$SEC_PARAM" \
- --key-type "$KEY_TYPE" \
- --outfile ca.key.pem
-
-chmod 600 ca.key.pem
-
-# Sign a CA cert.
-cat <<EOF >ca.template
-country = $COUNTRY
-dns_name = "$SAN"
-expiration_days = $EXPIRATION_DAYS
-organization = $ORGANIZATION
-ca
-EOF
-#state = $STATE
-#locality = $LOCALITY
-
-$CERTTOOL \
- --generate-self-signed \
- --load-privkey ca.key.pem \
- --template ca.template \
- --outfile ca.cert.pem
-
-chmod 600 ca.cert.pem
-
-# vim: ft=sh
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/generate.client b/tests/by-name/em/email-dns/nodes/acme/certs/generate.client
deleted file mode 100755
index 5930298..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/generate.client
+++ /dev/null
@@ -1,44 +0,0 @@
-#! /usr/bin/env sh
-
-# Take the correct binary to create the certificates
-CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null)
-if [ -z "$CERTTOOL" ]; then
- echo "ERROR: No certtool found" >&2
- exit 1
-fi
-
-NAME=client
-if [ $# -gt 0 ]; then
- NAME="$1"
-fi
-
-# Create a client key.
-$CERTTOOL \
- --generate-privkey \
- --sec-param "$SEC_PARAM" \
- --key-type "$KEY_TYPE" \
- --outfile "$NAME".key.pem
-
-chmod 600 "$NAME".key.pem
-
-# Sign a client cert with the key.
-cat <<EOF >"$NAME".template
-dns_name = "$NAME"
-dns_name = "$SAN"
-expiration_days = $EXPIRATION_DAYS
-organization = $ORGANIZATION
-encryption_key
-signing_key
-EOF
-
-$CERTTOOL \
- --generate-certificate \
- --load-privkey "$NAME".key.pem \
- --load-ca-certificate ca.cert.pem \
- --load-ca-privkey ca.key.pem \
- --template "$NAME".template \
- --outfile "$NAME".cert.pem
-
-chmod 600 "$NAME".cert.pem
-
-# vim: ft=sh
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem
deleted file mode 100644
index 687101d..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBjTCCAT+gAwIBAgIUfiDKld3eiPKuFhsaiHpPNmbMJU8wBQYDK2VwMCoxCzAJ
-BgNVBAYTAkVVMRswGQYDVQQKExJWaGFjay5ldSBUZXN0IEtleXMwIBcNMjUwMzAx
-MTEyNjU2WhgPMjM2MzAzMDYxMTI2NTZaMB0xGzAZBgNVBAoTElZoYWNrLmV1IFRl
-c3QgS2V5czAqMAUGAytlcAMhAHYq2cjrfrlslWxvcKjs2cD7THbpmtq+jf/dlrKW
-UEo8o4GBMH8wDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgglhY21lLnRlc3SCCWFj
-bWUudGVzdDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFN/1UyS0jnC3LoryMIL2
-/6cdsYBBMB8GA1UdIwQYMBaAFLUZcL/zguHlulHg5GYyYhXmVt/6MAUGAytlcANB
-ALz3u7lBreHeVZ0YXrwK3SDwlhWIH/SeUQwbxQlarzR47qu3cwQQ93Y1xjtOdu+h
-hOM/ig3nLGVOT6qL8IsZrQk=
------END CERTIFICATE-----
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem
deleted file mode 100644
index 06195b8..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem
+++ /dev/null
@@ -1,25 +0,0 @@
-Public Key Info:
- Public Key Algorithm: EdDSA (Ed25519)
- Key Security Level: High (256 bits)
-
-curve: Ed25519
-private key:
- 9d:25:38:89:f2:37:d7:65:41:f5:24:ba:4c:19:fb:0f
- 86:c8:a3:cf:f7:08:57:69:cc:64:cf:55:2d:8e:99:3e
-
-
-x:
- 76:2a:d9:c8:eb:7e:b9:6c:95:6c:6f:70:a8:ec:d9:c0
- fb:4c:76:e9:9a:da:be:8d:ff:dd:96:b2:96:50:4a:3c
-
-
-
-Public Key PIN:
- pin-sha256:NPwZitkDv4isUmdiicSsM1t1OtYoxqhdvBUnqSc4bFQ=
-Public Key ID:
- sha256:34fc198ad903bf88ac52676289c4ac335b753ad628c6a85dbc1527a927386c54
- sha1:dff55324b48e70b72e8af23082f6ffa71db18041
-
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIJ0lOInyN9dlQfUkukwZ+w+GyKPP9whXacxkz1Utjpk+
------END PRIVATE KEY-----
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template b/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template
deleted file mode 100644
index 320a170..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template
+++ /dev/null
@@ -1,5 +0,0 @@
-dns_name = "acme.test"
-dns_name = "acme.test"
-expiration_days = 123456
-organization = Vhack.eu Test Keys
-encryption_key
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem
deleted file mode 100644
index 0fa9d14..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBYDCCARKgAwIBAgIUdhVVcf+NgElqGuutU55FUDBtFVMwBQYDK2VwMCoxCzAJ
-BgNVBAYTAkVVMRswGQYDVQQKExJWaGFjay5ldSBUZXN0IEtleXMwIBcNMjUwMzAx
-MTEyNjU2WhgPMjM2MzAzMDYxMTI2NTZaMCoxCzAJBgNVBAYTAkVVMRswGQYDVQQK
-ExJWaGFjay5ldSBUZXN0IEtleXMwKjAFBgMrZXADIQCkO1LhHINvJjt41JD6UEc4
-ZKKUubB8lKPxSOyTkFBOgqNIMEYwDwYDVR0TAQH/BAUwAwEB/zAUBgNVHREEDTAL
-gglhY21lLnRlc3QwHQYDVR0OBBYEFLUZcL/zguHlulHg5GYyYhXmVt/6MAUGAytl
-cANBAFMFFy5tjuQtp5GVEN6qM50L4lteQuxfhlQqmOOfl06HV6153wJnrlKaTOYO
-t0dKlSqKROMYUYeU39xDp07MLAc=
------END CERTIFICATE-----
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem
deleted file mode 100644
index 64263bc..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem
+++ /dev/null
@@ -1,25 +0,0 @@
-Public Key Info:
- Public Key Algorithm: EdDSA (Ed25519)
- Key Security Level: High (256 bits)
-
-curve: Ed25519
-private key:
- 82:0d:fc:f0:d6:82:89:63:e5:bc:23:78:ba:98:38:83
- 09:2d:e0:78:4c:53:92:e3:db:5b:2f:e4:39:ce:96:3d
-
-
-x:
- a4:3b:52:e1:1c:83:6f:26:3b:78:d4:90:fa:50:47:38
- 64:a2:94:b9:b0:7c:94:a3:f1:48:ec:93:90:50:4e:82
-
-
-
-Public Key PIN:
- pin-sha256:jpzYZMOHDPCeSXxfL+YUXgSPcbO9MAs8foGMP5CJiD8=
-Public Key ID:
- sha256:8e9cd864c3870cf09e497c5f2fe6145e048f71b3bd300b3c7e818c3f9089883f
- sha1:b51970bff382e1e5ba51e0e466326215e656dffa
-
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIIIN/PDWgolj5bwjeLqYOIMJLeB4TFOS49tbL+Q5zpY9
------END PRIVATE KEY-----
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template b/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template
deleted file mode 100644
index a2295d8..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template
+++ /dev/null
@@ -1,5 +0,0 @@
-country = EU
-dns_name = "acme.test"
-expiration_days = 123456
-organization = Vhack.eu Test Keys
-ca
diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix b/tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix
deleted file mode 100644
index aeb6dfc..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-let
- domain = "acme.test";
-in {
- inherit domain;
- ca = {
- cert = ./output/ca.cert.pem;
- key = ./output/ca.key.pem;
- };
- "${domain}" = {
- cert = ./output/. + "/${domain}.cert.pem";
- key = ./output/. + "/${domain}.key.pem";
- };
-}
diff --git a/tests/by-name/em/email-dns/nodes/acme/client.nix b/tests/by-name/em/email-dns/nodes/acme/client.nix
deleted file mode 100644
index 2b870e8..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/client.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- nodes,
- lib,
- ...
-}: let
- inherit (nodes.acme.test-support.acme) caCert;
- inherit (nodes.acme.test-support.acme) caDomain;
-in {
- security = {
- acme = {
- acceptTerms = true;
- defaults = {
- server = "https://${caDomain}/dir";
- };
- };
-
- pki = {
- certificateFiles = lib.mkForce [caCert];
- };
- };
-}
diff --git a/tests/by-name/em/email-dns/nodes/acme/default.nix b/tests/by-name/em/email-dns/nodes/acme/default.nix
deleted file mode 100644
index 236ba6a..0000000
--- a/tests/by-name/em/email-dns/nodes/acme/default.nix
+++ /dev/null
@@ -1,114 +0,0 @@
-# The certificate for the ACME service is exported as:
-#
-# config.test-support.acme.caCert
-#
-# This value can be used inside the configuration of other test nodes to inject
-# the test certificate into security.pki.certificateFiles or into package
-# overlays.
-#
-# {
-# acme = { nodes, lib, ... }: {
-# imports = [ ./common/acme/server ];
-# networking.nameservers = lib.mkForce [
-# nodes.mydnsresolver.networking.primaryIPAddress
-# ];
-# };
-#
-# dnsmyresolver = ...;
-# }
-#
-# Keep in mind, that currently only _one_ resolver is supported, if you have
-# more than one resolver in networking.nameservers only the first one will be
-# used.
-#
-# Also make sure that whenever you use a resolver from a different test node
-# that it has to be started _before_ the ACME service.
-{
- config,
- pkgs,
- lib,
- ...
-}: let
- testCerts = import ./certs/snakeoil-certs.nix;
- inherit (testCerts) domain;
-
- pebbleConf.pebble = {
- listenAddress = "0.0.0.0:443";
- managementListenAddress = "0.0.0.0:15000";
-
- # The cert and key are used only for the Web Front End (WFE)
- certificate = testCerts.${domain}.cert;
- privateKey = testCerts.${domain}.key;
-
- httpPort = 80;
- tlsPort = 443;
- ocspResponderURL = "http://${domain}:4002";
- strict = true;
- };
-
- pebbleConfFile = pkgs.writeText "pebble.conf" (builtins.toJSON pebbleConf);
-in {
- options.test-support.acme = {
- caDomain = lib.mkOption {
- type = lib.types.str;
- default = domain;
- readOnly = true;
- description = ''
- A domain name to use with the `nodes` attribute to
- identify the CA server in the `client` config.
- '';
- };
- caCert = lib.mkOption {
- type = lib.types.path;
- readOnly = true;
- default = testCerts.ca.cert;
- description = ''
- A certificate file to use with the `nodes` attribute to
- inject the test CA certificate used in the ACME server into
- {option}`security.pki.certificateFiles`.
- '';
- };
- };
-
- config = {
- networking = {
- # This has priority 140, because modules/testing/test-instrumentation.nix
- # already overrides this with priority 150.
- nameservers = lib.mkOverride 140 ["127.0.0.1"];
- firewall.allowedTCPPorts = [
- 80
- 443
- 15000
- 4002
- ];
-
- extraHosts = ''
- 127.0.0.1 ${domain}
- ${config.networking.primaryIPAddress} ${domain}
- '';
- };
-
- systemd.services = {
- pebble = {
- enable = true;
- description = "Pebble ACME server";
- wantedBy = ["network.target"];
- environment = {
- # We're not testing lego, we're just testing our configuration.
- # No need to sleep.
- PEBBLE_VA_NOSLEEP = "1";
- };
-
- serviceConfig = {
- RuntimeDirectory = "pebble";
- WorkingDirectory = "/run/pebble";
-
- # Required to bind on privileged ports.
- AmbientCapabilities = ["CAP_NET_BIND_SERVICE"];
-
- ExecStart = "${pkgs.pebble}/bin/pebble -config ${pebbleConfFile}";
- };
- };
- };
- };
-}
diff --git a/tests/by-name/em/email-dns/nodes/mail_server.nix b/tests/by-name/em/email-dns/nodes/mail_server.nix
index a8c528a..89dbc4a 100644
--- a/tests/by-name/em/email-dns/nodes/mail_server.nix
+++ b/tests/by-name/em/email-dns/nodes/mail_server.nix
@@ -13,7 +13,7 @@
extraModules
++ [
../../../../../modules
- ./acme/client.nix
+ ../../../../common/acme/client.nix
];
environment.systemPackages = [
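Review bot: The relative prefix `../../../../common/` is now spelled out four times in this file (here and in the `age.identityPaths` and `loadKey` hunks below) and again in name_server.nix and user.nix, and a wrong `..` count only surfaces at evaluation time. The file already uses the `path + "/…"` form for the dkim keys, so binding the directory once in the file's `let`, `commonDir = ../../../../common;`, and writing `commonDir + "/acme/client.nix"` here keeps the depth in one place. The `extraModules` list and the enclosing `let` start outside the hunk, so where the binding would go is not visible.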
@@ -26,7 +26,7 @@
nodes.name_server.networking.primaryIPv6Address
];
- age.identityPaths = ["${../secrets/hostKey}"];
+ age.identityPaths = ["${../../../../common/email/hostKey}"];
vhack = {
stalwart-mail = {
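Review bot: `age.identityPaths = ["${../../../../common/email/hostKey}"];` interpolates a path into a string, which copies the key file into the Nix store where it is world-readable; the commit only relocates the file, so this is pre-existing, but the key now sits under `common/` for reuse by other tests. For a throwaway test identity that is acceptable, and a comment should say so to stop the pattern being copied with a real secret, e.g. `# Test-only age identity: string-interpolating the path copies it into the world-readable Nix store.` The enclosing attribute set starts outside the hunk.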
@@ -36,8 +36,8 @@
security = {
dkimKeys = let
loadKey = name: {
- dkimPublicKey = builtins.readFile (../secrets/dkim + "/${name}/public");
- dkimPrivateKeyPath = ../secrets/dkim + "/${name}/private.age";
+ dkimPublicKey = builtins.readFile (../../../../common/email/dkim + "/${name}/public");
+ dkimPrivateKeyPath = ../../../../common/email/dkim + "/${name}/private.age";
keyAlgorithm = "ed25519-sha256";
};
in {
diff --git a/tests/by-name/em/email-dns/nodes/name_server.nix b/tests/by-name/em/email-dns/nodes/name_server.nix
index ef657f4..48ce496 100644
--- a/tests/by-name/em/email-dns/nodes/name_server.nix
+++ b/tests/by-name/em/email-dns/nodes/name_server.nix
@@ -139,7 +139,7 @@ in {
extraModules
++ [
../../../../../modules
- ./acme/client.nix
+ ../../../../common/acme/client.nix
];
networking.nameservers = lib.mkForce [
diff --git a/tests/by-name/em/email-dns/nodes/user.nix b/tests/by-name/em/email-dns/nodes/user.nix
index e4db347..55a4609 100644
--- a/tests/by-name/em/email-dns/nodes/user.nix
+++ b/tests/by-name/em/email-dns/nodes/user.nix
@@ -8,7 +8,7 @@
...
}: {
imports = [
- ./acme/client.nix
+ ../../../../common/acme/client.nix
];
environment.systemPackages = [