From 7d3c1bd972c67af3f5006bd02e8ed3655f16bfc7 Mon Sep 17 00:00:00 2001 From: Benedikt Peetz Date: Sat, 12 Apr 2025 16:25:53 +0200 Subject: tests/email-dns: Factor out all of the secrets/acme stuff into a common dir This makes it easier to re-use this test data for various tests. --- .../by-name/em/email-dns/nodes/acme/certs/generate | 66 ------------ .../em/email-dns/nodes/acme/certs/generate.ca | 38 ------- .../em/email-dns/nodes/acme/certs/generate.client | 44 -------- .../nodes/acme/certs/output/acme.test.cert.pem | 11 -- .../nodes/acme/certs/output/acme.test.key.pem | 25 ----- .../nodes/acme/certs/output/acme.test.template | 5 - .../email-dns/nodes/acme/certs/output/ca.cert.pem | 10 -- .../email-dns/nodes/acme/certs/output/ca.key.pem | 25 ----- .../email-dns/nodes/acme/certs/output/ca.template | 5 - .../email-dns/nodes/acme/certs/snakeoil-certs.nix | 13 --- tests/by-name/em/email-dns/nodes/acme/client.nix | 21 ---- tests/by-name/em/email-dns/nodes/acme/default.nix | 114 --------------------- tests/by-name/em/email-dns/nodes/mail_server.nix | 8 +- tests/by-name/em/email-dns/nodes/name_server.nix | 2 +- tests/by-name/em/email-dns/nodes/user.nix | 2 +- .../email-dns/secrets/dkim/alice.com/private.age | 15 --- .../em/email-dns/secrets/dkim/alice.com/public | 1 - .../em/email-dns/secrets/dkim/bob.com/private.age | 14 --- .../em/email-dns/secrets/dkim/bob.com/public | 1 - tests/by-name/em/email-dns/secrets/dkim/gen_key.sh | 35 ------- .../secrets/dkim/mail1.server.com/private.age | 15 --- .../email-dns/secrets/dkim/mail1.server.com/public | 1 - .../secrets/dkim/mail2.server.com/private.age | 15 --- .../email-dns/secrets/dkim/mail2.server.com/public | 1 - tests/by-name/em/email-dns/secrets/hostKey | 7 -- tests/by-name/em/email-dns/test.nix | 2 +- tests/common/acme/certs/generate | 66 ++++++++++++ tests/common/acme/certs/generate.ca | 38 +++++++ tests/common/acme/certs/generate.client | 44 ++++++++ tests/common/acme/certs/output/acme.test.cert.pem | 11 ++ tests/common/acme/certs/output/acme.test.key.pem | 25 +++++ tests/common/acme/certs/output/acme.test.template | 5 + tests/common/acme/certs/output/ca.cert.pem | 10 ++ tests/common/acme/certs/output/ca.key.pem | 25 +++++ tests/common/acme/certs/output/ca.template | 5 + tests/common/acme/certs/snakeoil-certs.nix | 13 +++ tests/common/acme/client.nix | 21 ++++ tests/common/acme/default.nix | 114 +++++++++++++++++++++ tests/common/email/dkim/alice.com/private.age | 15 +++ tests/common/email/dkim/alice.com/public | 1 + tests/common/email/dkim/bob.com/private.age | 14 +++ tests/common/email/dkim/bob.com/public | 1 + tests/common/email/dkim/gen_key.sh | 35 +++++++ .../common/email/dkim/mail1.server.com/private.age | 15 +++ tests/common/email/dkim/mail1.server.com/public | 1 + .../common/email/dkim/mail2.server.com/private.age | 15 +++ tests/common/email/dkim/mail2.server.com/public | 1 + tests/common/email/hostKey | 7 ++ 48 files changed, 489 insertions(+), 489 deletions(-) delete mode 100755 tests/by-name/em/email-dns/nodes/acme/certs/generate delete mode 100755 tests/by-name/em/email-dns/nodes/acme/certs/generate.ca delete mode 100755 tests/by-name/em/email-dns/nodes/acme/certs/generate.client delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template delete mode 100644 tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix delete mode 100644 tests/by-name/em/email-dns/nodes/acme/client.nix delete mode 100644 tests/by-name/em/email-dns/nodes/acme/default.nix delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/alice.com/private.age delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/alice.com/public delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/bob.com/private.age delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/bob.com/public delete mode 100755 tests/by-name/em/email-dns/secrets/dkim/gen_key.sh delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/private.age delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/public delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/private.age delete mode 100644 tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/public delete mode 100644 tests/by-name/em/email-dns/secrets/hostKey create mode 100755 tests/common/acme/certs/generate create mode 100755 tests/common/acme/certs/generate.ca create mode 100755 tests/common/acme/certs/generate.client create mode 100644 tests/common/acme/certs/output/acme.test.cert.pem create mode 100644 tests/common/acme/certs/output/acme.test.key.pem create mode 100644 tests/common/acme/certs/output/acme.test.template create mode 100644 tests/common/acme/certs/output/ca.cert.pem create mode 100644 tests/common/acme/certs/output/ca.key.pem create mode 100644 tests/common/acme/certs/output/ca.template create mode 100644 tests/common/acme/certs/snakeoil-certs.nix create mode 100644 tests/common/acme/client.nix create mode 100644 tests/common/acme/default.nix create mode 100644 tests/common/email/dkim/alice.com/private.age create mode 100644 tests/common/email/dkim/alice.com/public create mode 100644 tests/common/email/dkim/bob.com/private.age create mode 100644 tests/common/email/dkim/bob.com/public create mode 100755 tests/common/email/dkim/gen_key.sh create mode 100644 tests/common/email/dkim/mail1.server.com/private.age create mode 100644 tests/common/email/dkim/mail1.server.com/public create mode 100644 tests/common/email/dkim/mail2.server.com/private.age create mode 100644 tests/common/email/dkim/mail2.server.com/public create mode 100644 tests/common/email/hostKey diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/generate b/tests/by-name/em/email-dns/nodes/acme/certs/generate deleted file mode 100755 index 0d6258e..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/generate +++ /dev/null @@ -1,66 +0,0 @@ -#! /usr/bin/env nix-shell -#! nix-shell -p gnutls -p dash -i dash --impure -# shellcheck shell=dash - -# For development and testing. -# Create a CA key and cert, and use that to generate a server key and cert. -# Creates: -# ca.key.pem -# ca.cert.pem -# server.key.pem -# server.cert.pem - -export SEC_PARAM=ultra -export EXPIRATION_DAYS=123456 -export ORGANIZATION="Vhack.eu Test Keys" -export COUNTRY=EU -export SAN="acme.test" -export KEY_TYPE="ed25519" - -BASEDIR="$(dirname "$0")" -GENERATION_LOCATION="$BASEDIR/output" -cd "$BASEDIR" || { - echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 - exit 1 -} - -ca=false -clients=false - -usage() { - echo "Usage: $0 --ca|--clients" - exit 2 -} - -if [ "$#" -eq 0 ]; then - usage -fi - -for arg in "$@"; do - case "$arg" in - "--ca") - ca=true - ;; - "--clients") - clients=true - ;; - *) - usage - ;; - esac -done - -[ -d "$GENERATION_LOCATION" ] || mkdir --parents "$GENERATION_LOCATION" -cd "$GENERATION_LOCATION" || echo "(BUG?) No generation location fould!" 1>&2 - -[ "$ca" = true ] && ../generate.ca - -# Creates: -# .key.pem -# .cert.pem -# -[ "$clients" = true ] && ../generate.client "acme.test" - -echo "(INFO) Look for the keys at: $GENERATION_LOCATION" - -# vim: ft=sh diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/generate.ca b/tests/by-name/em/email-dns/nodes/acme/certs/generate.ca deleted file mode 100755 index 92832c5..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/generate.ca +++ /dev/null @@ -1,38 +0,0 @@ -#! /usr/bin/env sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ]; then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -# Create a CA key. -$CERTTOOL \ - --generate-privkey \ - --sec-param "$SEC_PARAM" \ - --key-type "$KEY_TYPE" \ - --outfile ca.key.pem - -chmod 600 ca.key.pem - -# Sign a CA cert. -cat <ca.template -country = $COUNTRY -dns_name = "$SAN" -expiration_days = $EXPIRATION_DAYS -organization = $ORGANIZATION -ca -EOF -#state = $STATE -#locality = $LOCALITY - -$CERTTOOL \ - --generate-self-signed \ - --load-privkey ca.key.pem \ - --template ca.template \ - --outfile ca.cert.pem - -chmod 600 ca.cert.pem - -# vim: ft=sh diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/generate.client b/tests/by-name/em/email-dns/nodes/acme/certs/generate.client deleted file mode 100755 index 5930298..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/generate.client +++ /dev/null @@ -1,44 +0,0 @@ -#! /usr/bin/env sh - -# Take the correct binary to create the certificates -CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) -if [ -z "$CERTTOOL" ]; then - echo "ERROR: No certtool found" >&2 - exit 1 -fi - -NAME=client -if [ $# -gt 0 ]; then - NAME="$1" -fi - -# Create a client key. -$CERTTOOL \ - --generate-privkey \ - --sec-param "$SEC_PARAM" \ - --key-type "$KEY_TYPE" \ - --outfile "$NAME".key.pem - -chmod 600 "$NAME".key.pem - -# Sign a client cert with the key. -cat <"$NAME".template -dns_name = "$NAME" -dns_name = "$SAN" -expiration_days = $EXPIRATION_DAYS -organization = $ORGANIZATION -encryption_key -signing_key -EOF - -$CERTTOOL \ - --generate-certificate \ - --load-privkey "$NAME".key.pem \ - --load-ca-certificate ca.cert.pem \ - --load-ca-privkey ca.key.pem \ - --template "$NAME".template \ - --outfile "$NAME".cert.pem - -chmod 600 "$NAME".cert.pem - -# vim: ft=sh diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem deleted file mode 100644 index 687101d..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.cert.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBjTCCAT+gAwIBAgIUfiDKld3eiPKuFhsaiHpPNmbMJU8wBQYDK2VwMCoxCzAJ -BgNVBAYTAkVVMRswGQYDVQQKExJWaGFjay5ldSBUZXN0IEtleXMwIBcNMjUwMzAx -MTEyNjU2WhgPMjM2MzAzMDYxMTI2NTZaMB0xGzAZBgNVBAoTElZoYWNrLmV1IFRl -c3QgS2V5czAqMAUGAytlcAMhAHYq2cjrfrlslWxvcKjs2cD7THbpmtq+jf/dlrKW -UEo8o4GBMH8wDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgglhY21lLnRlc3SCCWFj -bWUudGVzdDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFN/1UyS0jnC3LoryMIL2 -/6cdsYBBMB8GA1UdIwQYMBaAFLUZcL/zguHlulHg5GYyYhXmVt/6MAUGAytlcANB -ALz3u7lBreHeVZ0YXrwK3SDwlhWIH/SeUQwbxQlarzR47qu3cwQQ93Y1xjtOdu+h -hOM/ig3nLGVOT6qL8IsZrQk= ------END CERTIFICATE----- diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem deleted file mode 100644 index 06195b8..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.key.pem +++ /dev/null @@ -1,25 +0,0 @@ -Public Key Info: - Public Key Algorithm: EdDSA (Ed25519) - Key Security Level: High (256 bits) - -curve: Ed25519 -private key: - 9d:25:38:89:f2:37:d7:65:41:f5:24:ba:4c:19:fb:0f - 86:c8:a3:cf:f7:08:57:69:cc:64:cf:55:2d:8e:99:3e - - -x: - 76:2a:d9:c8:eb:7e:b9:6c:95:6c:6f:70:a8:ec:d9:c0 - fb:4c:76:e9:9a:da:be:8d:ff:dd:96:b2:96:50:4a:3c - - - -Public Key PIN: - pin-sha256:NPwZitkDv4isUmdiicSsM1t1OtYoxqhdvBUnqSc4bFQ= -Public Key ID: - sha256:34fc198ad903bf88ac52676289c4ac335b753ad628c6a85dbc1527a927386c54 - sha1:dff55324b48e70b72e8af23082f6ffa71db18041 - ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIJ0lOInyN9dlQfUkukwZ+w+GyKPP9whXacxkz1Utjpk+ ------END PRIVATE KEY----- diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template b/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template deleted file mode 100644 index 320a170..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/output/acme.test.template +++ /dev/null @@ -1,5 +0,0 @@ -dns_name = "acme.test" -dns_name = "acme.test" -expiration_days = 123456 -organization = Vhack.eu Test Keys -encryption_key diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem deleted file mode 100644 index 0fa9d14..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.cert.pem +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBYDCCARKgAwIBAgIUdhVVcf+NgElqGuutU55FUDBtFVMwBQYDK2VwMCoxCzAJ -BgNVBAYTAkVVMRswGQYDVQQKExJWaGFjay5ldSBUZXN0IEtleXMwIBcNMjUwMzAx -MTEyNjU2WhgPMjM2MzAzMDYxMTI2NTZaMCoxCzAJBgNVBAYTAkVVMRswGQYDVQQK -ExJWaGFjay5ldSBUZXN0IEtleXMwKjAFBgMrZXADIQCkO1LhHINvJjt41JD6UEc4 -ZKKUubB8lKPxSOyTkFBOgqNIMEYwDwYDVR0TAQH/BAUwAwEB/zAUBgNVHREEDTAL -gglhY21lLnRlc3QwHQYDVR0OBBYEFLUZcL/zguHlulHg5GYyYhXmVt/6MAUGAytl -cANBAFMFFy5tjuQtp5GVEN6qM50L4lteQuxfhlQqmOOfl06HV6153wJnrlKaTOYO -t0dKlSqKROMYUYeU39xDp07MLAc= ------END CERTIFICATE----- diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem b/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem deleted file mode 100644 index 64263bc..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.key.pem +++ /dev/null @@ -1,25 +0,0 @@ -Public Key Info: - Public Key Algorithm: EdDSA (Ed25519) - Key Security Level: High (256 bits) - -curve: Ed25519 -private key: - 82:0d:fc:f0:d6:82:89:63:e5:bc:23:78:ba:98:38:83 - 09:2d:e0:78:4c:53:92:e3:db:5b:2f:e4:39:ce:96:3d - - -x: - a4:3b:52:e1:1c:83:6f:26:3b:78:d4:90:fa:50:47:38 - 64:a2:94:b9:b0:7c:94:a3:f1:48:ec:93:90:50:4e:82 - - - -Public Key PIN: - pin-sha256:jpzYZMOHDPCeSXxfL+YUXgSPcbO9MAs8foGMP5CJiD8= -Public Key ID: - sha256:8e9cd864c3870cf09e497c5f2fe6145e048f71b3bd300b3c7e818c3f9089883f - sha1:b51970bff382e1e5ba51e0e466326215e656dffa - ------BEGIN PRIVATE KEY----- -MC4CAQAwBQYDK2VwBCIEIIIN/PDWgolj5bwjeLqYOIMJLeB4TFOS49tbL+Q5zpY9 ------END PRIVATE KEY----- diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template b/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template deleted file mode 100644 index a2295d8..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/output/ca.template +++ /dev/null @@ -1,5 +0,0 @@ -country = EU -dns_name = "acme.test" -expiration_days = 123456 -organization = Vhack.eu Test Keys -ca diff --git a/tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix b/tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix deleted file mode 100644 index aeb6dfc..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/certs/snakeoil-certs.nix +++ /dev/null @@ -1,13 +0,0 @@ -let - domain = "acme.test"; -in { - inherit domain; - ca = { - cert = ./output/ca.cert.pem; - key = ./output/ca.key.pem; - }; - "${domain}" = { - cert = ./output/. + "/${domain}.cert.pem"; - key = ./output/. + "/${domain}.key.pem"; - }; -} diff --git a/tests/by-name/em/email-dns/nodes/acme/client.nix b/tests/by-name/em/email-dns/nodes/acme/client.nix deleted file mode 100644 index 2b870e8..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/client.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - nodes, - lib, - ... -}: let - inherit (nodes.acme.test-support.acme) caCert; - inherit (nodes.acme.test-support.acme) caDomain; -in { - security = { - acme = { - acceptTerms = true; - defaults = { - server = "https://${caDomain}/dir"; - }; - }; - - pki = { - certificateFiles = lib.mkForce [caCert]; - }; - }; -} diff --git a/tests/by-name/em/email-dns/nodes/acme/default.nix b/tests/by-name/em/email-dns/nodes/acme/default.nix deleted file mode 100644 index 236ba6a..0000000 --- a/tests/by-name/em/email-dns/nodes/acme/default.nix +++ /dev/null @@ -1,114 +0,0 @@ -# The certificate for the ACME service is exported as: -# -# config.test-support.acme.caCert -# -# This value can be used inside the configuration of other test nodes to inject -# the test certificate into security.pki.certificateFiles or into package -# overlays. -# -# { -# acme = { nodes, lib, ... }: { -# imports = [ ./common/acme/server ]; -# networking.nameservers = lib.mkForce [ -# nodes.mydnsresolver.networking.primaryIPAddress -# ]; -# }; -# -# dnsmyresolver = ...; -# } -# -# Keep in mind, that currently only _one_ resolver is supported, if you have -# more than one resolver in networking.nameservers only the first one will be -# used. -# -# Also make sure that whenever you use a resolver from a different test node -# that it has to be started _before_ the ACME service. -{ - config, - pkgs, - lib, - ... -}: let - testCerts = import ./certs/snakeoil-certs.nix; - inherit (testCerts) domain; - - pebbleConf.pebble = { - listenAddress = "0.0.0.0:443"; - managementListenAddress = "0.0.0.0:15000"; - - # The cert and key are used only for the Web Front End (WFE) - certificate = testCerts.${domain}.cert; - privateKey = testCerts.${domain}.key; - - httpPort = 80; - tlsPort = 443; - ocspResponderURL = "http://${domain}:4002"; - strict = true; - }; - - pebbleConfFile = pkgs.writeText "pebble.conf" (builtins.toJSON pebbleConf); -in { - options.test-support.acme = { - caDomain = lib.mkOption { - type = lib.types.str; - default = domain; - readOnly = true; - description = '' - A domain name to use with the `nodes` attribute to - identify the CA server in the `client` config. - ''; - }; - caCert = lib.mkOption { - type = lib.types.path; - readOnly = true; - default = testCerts.ca.cert; - description = '' - A certificate file to use with the `nodes` attribute to - inject the test CA certificate used in the ACME server into - {option}`security.pki.certificateFiles`. - ''; - }; - }; - - config = { - networking = { - # This has priority 140, because modules/testing/test-instrumentation.nix - # already overrides this with priority 150. - nameservers = lib.mkOverride 140 ["127.0.0.1"]; - firewall.allowedTCPPorts = [ - 80 - 443 - 15000 - 4002 - ]; - - extraHosts = '' - 127.0.0.1 ${domain} - ${config.networking.primaryIPAddress} ${domain} - ''; - }; - - systemd.services = { - pebble = { - enable = true; - description = "Pebble ACME server"; - wantedBy = ["network.target"]; - environment = { - # We're not testing lego, we're just testing our configuration. - # No need to sleep. - PEBBLE_VA_NOSLEEP = "1"; - }; - - serviceConfig = { - RuntimeDirectory = "pebble"; - WorkingDirectory = "/run/pebble"; - - # Required to bind on privileged ports. - AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; - - ExecStart = "${pkgs.pebble}/bin/pebble -config ${pebbleConfFile}"; - }; - }; - }; - }; -} diff --git a/tests/by-name/em/email-dns/nodes/mail_server.nix b/tests/by-name/em/email-dns/nodes/mail_server.nix index a8c528a..89dbc4a 100644 --- a/tests/by-name/em/email-dns/nodes/mail_server.nix +++ b/tests/by-name/em/email-dns/nodes/mail_server.nix @@ -13,7 +13,7 @@ extraModules ++ [ ../../../../../modules - ./acme/client.nix + ../../../../common/acme/client.nix ]; environment.systemPackages = [ @@ -26,7 +26,7 @@ nodes.name_server.networking.primaryIPv6Address ]; - age.identityPaths = ["${../secrets/hostKey}"]; + age.identityPaths = ["${../../../../common/email/hostKey}"]; vhack = { stalwart-mail = { @@ -36,8 +36,8 @@ security = { dkimKeys = let loadKey = name: { - dkimPublicKey = builtins.readFile (../secrets/dkim + "/${name}/public"); - dkimPrivateKeyPath = ../secrets/dkim + "/${name}/private.age"; + dkimPublicKey = builtins.readFile (../../../../common/email/dkim + "/${name}/public"); + dkimPrivateKeyPath = ../../../../common/email/dkim + "/${name}/private.age"; keyAlgorithm = "ed25519-sha256"; }; in { diff --git a/tests/by-name/em/email-dns/nodes/name_server.nix b/tests/by-name/em/email-dns/nodes/name_server.nix index ef657f4..48ce496 100644 --- a/tests/by-name/em/email-dns/nodes/name_server.nix +++ b/tests/by-name/em/email-dns/nodes/name_server.nix @@ -139,7 +139,7 @@ in { extraModules ++ [ ../../../../../modules - ./acme/client.nix + ../../../../common/acme/client.nix ]; networking.nameservers = lib.mkForce [ diff --git a/tests/by-name/em/email-dns/nodes/user.nix b/tests/by-name/em/email-dns/nodes/user.nix index e4db347..55a4609 100644 --- a/tests/by-name/em/email-dns/nodes/user.nix +++ b/tests/by-name/em/email-dns/nodes/user.nix @@ -8,7 +8,7 @@ ... }: { imports = [ - ./acme/client.nix + ../../../../common/acme/client.nix ]; environment.systemPackages = [ diff --git a/tests/by-name/em/email-dns/secrets/dkim/alice.com/private.age b/tests/by-name/em/email-dns/secrets/dkim/alice.com/private.age deleted file mode 100644 index 5415fdc..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/alice.com/private.age +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dkJqTFNjOUphUWpBTmUv -MldLUUVtUWJWY2p4NGNDVlluWUdJNUVGTDBnCkRMZ3VsVGkvUUJsbUgrUHA5d1pY -d3lvQkdsSnRxYWxSbGlkQUlnMEFiWncKLT4gWDI1NTE5IGljWDF2a3JqZHBzZC9J -ZjlxSVdKQ0ErRGc1VVRTNE91RC8rR2ZhMlN5d28KYVNyMWZWSnZFNS9zWUdLS01T -UkJLaGxqWmwySzdxRk5GVUZ4NFR1aXcxcwotPiBzc2gtZWQyNTUxOSBSc2dXcFEg -alJlckZsT21YUUQrS05Xb25TeFJXUmFFTFl1U3NYOXZoWEZwa0Qrd2dnWQoxZVla -TFV3VURsaUxZdUZVRkZhdXcyV3AzMTJCc1hXUDJlK2FPc0pIU2hvCi0+IFN6Nlc4 -R0dqLWdyZWFzZSBfIQpUdERFc2xwZGkwR2p3QW0vNlIyR0pYTkkyeU02ckw2RnEv -bHE5TFQ4TlBaL3lNd1ZFbDRPZXo1RmpSeStWcjljCmFpV28KLS0tIEE2SURxTHdl -RWt5NXZRT3hFUHpjSm1BdTlwZGM2NmQvNm5Pb0s4dW5pc2sKTKoHvkHEkuPkMTDw -Un+0mSGY82ZxfpNuYH6YEjUYsXwAw4y0HFvsObc0XuYzCmQrBX8vLos0Sg5kzboT -EU81RdjI1AQPwhd+jBIDNFpUzYZ/IaQsz7Yp3G1WDfkeYPk10IuzOJoeRjLC9HPa -wfYCKZDhegV6n//kAxBGM0Q3MzyxO3eYJ+k3TaWnUPLnw+nFMAANgkYqfg== ------END AGE ENCRYPTED FILE----- diff --git a/tests/by-name/em/email-dns/secrets/dkim/alice.com/public b/tests/by-name/em/email-dns/secrets/dkim/alice.com/public deleted file mode 100644 index 0f3c3b2..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/alice.com/public +++ /dev/null @@ -1 +0,0 @@ -cLWzd3zg51ITME1Fnu16/h07lXIUxfhdLivktUMoVQs= \ No newline at end of file diff --git a/tests/by-name/em/email-dns/secrets/dkim/bob.com/private.age b/tests/by-name/em/email-dns/secrets/dkim/bob.com/private.age deleted file mode 100644 index c07c997..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/bob.com/private.age +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmN0FHQ2ZhVEVpNnB1S2Zu -T3JBS0xLUklKNUxKeENYeis3MUZHdUF1STFFCmdkTFQvcG9qWk55QjlEUDN2NGFa -Ump1TW1xRUZ3K251bFJsaEMrTXd3VzgKLT4gWDI1NTE5IFF6ZGNJbWkrc1Z5M3Rk -blpNUGpuNU0rZi9Ed2dicnM4WXhrbjdQVDFzeGsKd2V6clA0UjZWYmJxZytaa3B3 -T2drNkhiQVBKU2tOL2gxeGtjQnAra2NxawotPiBzc2gtZWQyNTUxOSBSc2dXcFEg -Y2xrRDduWXo1Qk81VFMxMHZ0T3FhaXZXUm1VMDNhVGZscEJ6Q2owWXFCMApsMTQ4 -K2hGNm4ybGNkSTFOeHdwZnI5YjRZQm1uVC9xUEtRSjBxV0JKdERRCi0+IFlzLWdy -ZWFzZSBbZztrCk1sWFhaZXNZOUhMbAotLS0gbkNRK2hkZ0dEZEkxeFVJKysyUUY3 -UWVBRjZoVXJCWk5YTEh4ZktpM1IwNArrxTAoCB+Ubb79nB53ZnbakCaDfrfLx7Oi -Khq4CZh64r2LaQWFP0m5dhHWDF/8Fg+E42zbXN1KQwggz2h59EqI2ouOXmjiZeHN -O50mfruF9xybdAFVIThEsjRTRQDPfO5qq6PI+g+w4s+S8kl6yp61t6z3y+zI3GGw -RxCsY2uEn5naMuBMqkYL5dhA/G5deNMpUQ8rcRZw ------END AGE ENCRYPTED FILE----- diff --git a/tests/by-name/em/email-dns/secrets/dkim/bob.com/public b/tests/by-name/em/email-dns/secrets/dkim/bob.com/public deleted file mode 100644 index ddea670..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/bob.com/public +++ /dev/null @@ -1 +0,0 @@ -3yrKD52yd5hBA6ue5uQVl7FXGK8UOlUE9Y+yCdBRfVQ= \ No newline at end of file diff --git a/tests/by-name/em/email-dns/secrets/dkim/gen_key.sh b/tests/by-name/em/email-dns/secrets/dkim/gen_key.sh deleted file mode 100755 index 48b4434..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/gen_key.sh +++ /dev/null @@ -1,35 +0,0 @@ -#! /usr/bin/env nix-shell -#! nix-shell -p rage -p openssl -p dash -i dash --impure - -# shellcheck shell=dash - -cd "$(dirname "$0")" || { - echo "No basedir?!" - exit 1 -} - -key_name="$1" -[ -z "$key_name" ] && { - echo "Usage: $0 KEY_NAME" - exit 2 -} - -[ -d "$key_name" ] || mkdir "$key_name" -cd "$key_name" || { - echo "Just created." - exit 1 -} - -openssl genpkey -algorithm ed25519 -out "private" -openssl pkey -in "private" -pubout -out "public.tmp" - -openssl asn1parse -in "public.tmp" -offset 12 -noout -out /dev/stdout | base64 --wrap 0 >"public" -rm "public.tmp" - -rage --encrypt \ - --armor \ - --recipient "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxdvBk/PC9fC7B5vqe9TvygZKY6LgDQ2mXRdVrthBM/" \ - "private" >"private.age" -rm "private" - -# vim: ft=sh diff --git a/tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/private.age b/tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/private.age deleted file mode 100644 index 8c5d3c3..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/private.age +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOYXRiK29XallqZG1vc1Bl -TlpFbk9WZmZIK1FrUHRIbmx6bEI5UkhJZUZ3Ck8zcHVGWHJjdG5wZnh0SDljc2F5 -WU1DMUNxdFdVQmRUMFNpa0VCSUkxZmsKLT4gWDI1NTE5IFhXREJyTVNueGp6YVg1 -b3FUemlodUMraWRMVnEyQTZqRlpKanhxdDBSMlkKYVNxcXFockpleGJBaU1iUUQ4 -bml2azlPSE9Jc0N0dDU2d1hYOXFpcnV2ZwotPiBzc2gtZWQyNTUxOSBSc2dXcFEg -ZUVuOHZyM3pRcTZHKzFsV2VheDkrdml4NUVIWldQY1BqcGNpTG5lU2VrVQoydnVZ -UHdpa1FmT3hNbHA1dll1dVFxS0VFanV3N3Y5Z1E5ejBiMkhRSHhRCi0+ICVuPzx1 -Ky1ncmVhc2UgYXY5PE43Om4KcWplaklGSXlMSk0yNktld21ucUdVS1dFVmt4NFhi -VG5WYUNMUGdxZ0dta1F6RVpRRTdoek1WT0hwaC9CVEcyMworUQotLS0genJEN2Jq -Y1JVbzc3NVFoSXAxSUxEQUZzZkRCcXNmSXBwZDB0eDMybE5NMApv3ghQF9tC00yI -v7Sa9ZKrA8HDb/wpUn0X+D+ShLC95rW8+oPonN6gt+z+PoVUFvXwKsP/1I+D6z+B -PRMurlvpspkIGlgi5S5H6brj9UJ7Pt61+Ld2/gaLevzCPy1QCmlAlqRKvZuZMUUR -hWbmEXi8j56ClcxpVe62p+4GCI41T2cjAogi2C33dtviIcGedq9byD5tbVt4 ------END AGE ENCRYPTED FILE----- diff --git a/tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/public b/tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/public deleted file mode 100644 index 4941b85..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/mail1.server.com/public +++ /dev/null @@ -1 +0,0 @@ -quDd9+ogqiIUWybfegosFFkG7jAsblij2VrkuUXEzzY= \ No newline at end of file diff --git a/tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/private.age b/tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/private.age deleted file mode 100644 index d39631a..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/private.age +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRkl1SThtVnN3bUg4cmJL -aXBBUU4yRE1DOGdYclg1UXVhS1Y0UTJPVVIwCjlSOXZJdVB0R0VxbGdUWHd5U2RO -RGpFdUw4c3EyUFZNZUx4Mm5yeGNIeVUKLT4gWDI1NTE5IHc5K05EeE1xNnBHd1dS -WDJwSTdzLys3MnRncmN0WWZjTWkvM0tqeWRRU1EKek13RGRsNUhadncxQ3V6ZFcv -Ni9aMTFtRllFK0lvd2tidnRwUjE0V0d2OAotPiBzc2gtZWQyNTUxOSBSc2dXcFEg -Mml5VEt5b3R3d09Gc1hzR2pRZzJFY3VHT0JwUnBaTTNIWG5QaGdsWkh4bwp1Nzdx -dWxpbjdNRGZ6aThxM0d6a2MraklkSW03ek15YXRkSXVyaS96QlFjCi0+IDAkRDEp -bC4tZ3JlYXNlCi9lUnduUFJreTdpMEU5ejZjS1JyWmJzRkZNRVdLbnRRZC81aldN -c2FqTTgrNnFCSEYxQUhSQWxyMW9icCtQYkgKTUEKLS0tIDNmQkwwbjJiSldraDVw -ZUs3SHNpU0pGWXRLSVBtZ0Y1QW5uT0N5bnpjek0KiujqGmiYB3hCso3u4uCtZuO3 -EmPPJkbHKPNyUQy1V/Bv+sjgPDQi/0y7UR759G91iNIYQB0fWg7njWsl8GNdJwXI -YO+2utDKkrm0DowWNKpHX1KE1g93e0H5ZoptygLFtx8TWDP2i8R7JJqJ9QevSz6r -Nwjj+d3HGTxA7WvAZnNdvyfHbRRdvW+6q0uIjS5zHXAs8YmepA== ------END AGE ENCRYPTED FILE----- diff --git a/tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/public b/tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/public deleted file mode 100644 index 5c4406d..0000000 --- a/tests/by-name/em/email-dns/secrets/dkim/mail2.server.com/public +++ /dev/null @@ -1 +0,0 @@ -th9exwaYvoAjxW1tAj3k/VNLl5jKzSC/dxKrxM2mTZE= \ No newline at end of file diff --git a/tests/by-name/em/email-dns/secrets/hostKey b/tests/by-name/em/email-dns/secrets/hostKey deleted file mode 100644 index 79c9d6c..0000000 --- a/tests/by-name/em/email-dns/secrets/hostKey +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACC8XbwZPzwvXwuweb6nvU78oGSmOi4A0Npl0XVa7YQTPwAAAJjFZPqHxWT6 -hwAAAAtzc2gtZWQyNTUxOQAAACC8XbwZPzwvXwuweb6nvU78oGSmOi4A0Npl0XVa7YQTPw -AAAEA9D5AP+Uqhrg8rPx2DjgucjfnJknkk7lkeKHMV04ZZv7xdvBk/PC9fC7B5vqe9Tvyg -ZKY6LgDQ2mXRdVrthBM/AAAAFSAnUHVibGljIHRlc3Rpbmcga2V5Jw== ------END OPENSSH PRIVATE KEY----- diff --git a/tests/by-name/em/email-dns/test.nix b/tests/by-name/em/email-dns/test.nix index 32447ae..7391c86 100644 --- a/tests/by-name/em/email-dns/test.nix +++ b/tests/by-name/em/email-dns/test.nix @@ -31,7 +31,7 @@ in lib, ... }: { - imports = [./nodes/acme]; + imports = [../../../common/acme]; networking.nameservers = lib.mkForce [ nodes.name_server.networking.primaryIPAddress ]; diff --git a/tests/common/acme/certs/generate b/tests/common/acme/certs/generate new file mode 100755 index 0000000..0d6258e --- /dev/null +++ b/tests/common/acme/certs/generate @@ -0,0 +1,66 @@ +#! /usr/bin/env nix-shell +#! nix-shell -p gnutls -p dash -i dash --impure +# shellcheck shell=dash + +# For development and testing. +# Create a CA key and cert, and use that to generate a server key and cert. +# Creates: +# ca.key.pem +# ca.cert.pem +# server.key.pem +# server.cert.pem + +export SEC_PARAM=ultra +export EXPIRATION_DAYS=123456 +export ORGANIZATION="Vhack.eu Test Keys" +export COUNTRY=EU +export SAN="acme.test" +export KEY_TYPE="ed25519" + +BASEDIR="$(dirname "$0")" +GENERATION_LOCATION="$BASEDIR/output" +cd "$BASEDIR" || { + echo "(BUG?) No basedir ('$BASEDIR')" 1>&2 + exit 1 +} + +ca=false +clients=false + +usage() { + echo "Usage: $0 --ca|--clients" + exit 2 +} + +if [ "$#" -eq 0 ]; then + usage +fi + +for arg in "$@"; do + case "$arg" in + "--ca") + ca=true + ;; + "--clients") + clients=true + ;; + *) + usage + ;; + esac +done + +[ -d "$GENERATION_LOCATION" ] || mkdir --parents "$GENERATION_LOCATION" +cd "$GENERATION_LOCATION" || echo "(BUG?) No generation location fould!" 1>&2 + +[ "$ca" = true ] && ../generate.ca + +# Creates: +# .key.pem +# .cert.pem +# +[ "$clients" = true ] && ../generate.client "acme.test" + +echo "(INFO) Look for the keys at: $GENERATION_LOCATION" + +# vim: ft=sh diff --git a/tests/common/acme/certs/generate.ca b/tests/common/acme/certs/generate.ca new file mode 100755 index 0000000..92832c5 --- /dev/null +++ b/tests/common/acme/certs/generate.ca @@ -0,0 +1,38 @@ +#! /usr/bin/env sh + +# Take the correct binary to create the certificates +CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) +if [ -z "$CERTTOOL" ]; then + echo "ERROR: No certtool found" >&2 + exit 1 +fi + +# Create a CA key. +$CERTTOOL \ + --generate-privkey \ + --sec-param "$SEC_PARAM" \ + --key-type "$KEY_TYPE" \ + --outfile ca.key.pem + +chmod 600 ca.key.pem + +# Sign a CA cert. +cat <ca.template +country = $COUNTRY +dns_name = "$SAN" +expiration_days = $EXPIRATION_DAYS +organization = $ORGANIZATION +ca +EOF +#state = $STATE +#locality = $LOCALITY + +$CERTTOOL \ + --generate-self-signed \ + --load-privkey ca.key.pem \ + --template ca.template \ + --outfile ca.cert.pem + +chmod 600 ca.cert.pem + +# vim: ft=sh diff --git a/tests/common/acme/certs/generate.client b/tests/common/acme/certs/generate.client new file mode 100755 index 0000000..5930298 --- /dev/null +++ b/tests/common/acme/certs/generate.client @@ -0,0 +1,44 @@ +#! /usr/bin/env sh + +# Take the correct binary to create the certificates +CERTTOOL=$(command -v gnutls-certtool 2>/dev/null || command -v certtool 2>/dev/null) +if [ -z "$CERTTOOL" ]; then + echo "ERROR: No certtool found" >&2 + exit 1 +fi + +NAME=client +if [ $# -gt 0 ]; then + NAME="$1" +fi + +# Create a client key. +$CERTTOOL \ + --generate-privkey \ + --sec-param "$SEC_PARAM" \ + --key-type "$KEY_TYPE" \ + --outfile "$NAME".key.pem + +chmod 600 "$NAME".key.pem + +# Sign a client cert with the key. +cat <"$NAME".template +dns_name = "$NAME" +dns_name = "$SAN" +expiration_days = $EXPIRATION_DAYS +organization = $ORGANIZATION +encryption_key +signing_key +EOF + +$CERTTOOL \ + --generate-certificate \ + --load-privkey "$NAME".key.pem \ + --load-ca-certificate ca.cert.pem \ + --load-ca-privkey ca.key.pem \ + --template "$NAME".template \ + --outfile "$NAME".cert.pem + +chmod 600 "$NAME".cert.pem + +# vim: ft=sh diff --git a/tests/common/acme/certs/output/acme.test.cert.pem b/tests/common/acme/certs/output/acme.test.cert.pem new file mode 100644 index 0000000..687101d --- /dev/null +++ b/tests/common/acme/certs/output/acme.test.cert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBjTCCAT+gAwIBAgIUfiDKld3eiPKuFhsaiHpPNmbMJU8wBQYDK2VwMCoxCzAJ +BgNVBAYTAkVVMRswGQYDVQQKExJWaGFjay5ldSBUZXN0IEtleXMwIBcNMjUwMzAx +MTEyNjU2WhgPMjM2MzAzMDYxMTI2NTZaMB0xGzAZBgNVBAoTElZoYWNrLmV1IFRl +c3QgS2V5czAqMAUGAytlcAMhAHYq2cjrfrlslWxvcKjs2cD7THbpmtq+jf/dlrKW +UEo8o4GBMH8wDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgglhY21lLnRlc3SCCWFj +bWUudGVzdDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0OBBYEFN/1UyS0jnC3LoryMIL2 +/6cdsYBBMB8GA1UdIwQYMBaAFLUZcL/zguHlulHg5GYyYhXmVt/6MAUGAytlcANB +ALz3u7lBreHeVZ0YXrwK3SDwlhWIH/SeUQwbxQlarzR47qu3cwQQ93Y1xjtOdu+h +hOM/ig3nLGVOT6qL8IsZrQk= +-----END CERTIFICATE----- diff --git a/tests/common/acme/certs/output/acme.test.key.pem b/tests/common/acme/certs/output/acme.test.key.pem new file mode 100644 index 0000000..06195b8 --- /dev/null +++ b/tests/common/acme/certs/output/acme.test.key.pem @@ -0,0 +1,25 @@ +Public Key Info: + Public Key Algorithm: EdDSA (Ed25519) + Key Security Level: High (256 bits) + +curve: Ed25519 +private key: + 9d:25:38:89:f2:37:d7:65:41:f5:24:ba:4c:19:fb:0f + 86:c8:a3:cf:f7:08:57:69:cc:64:cf:55:2d:8e:99:3e + + +x: + 76:2a:d9:c8:eb:7e:b9:6c:95:6c:6f:70:a8:ec:d9:c0 + fb:4c:76:e9:9a:da:be:8d:ff:dd:96:b2:96:50:4a:3c + + + +Public Key PIN: + pin-sha256:NPwZitkDv4isUmdiicSsM1t1OtYoxqhdvBUnqSc4bFQ= +Public Key ID: + sha256:34fc198ad903bf88ac52676289c4ac335b753ad628c6a85dbc1527a927386c54 + sha1:dff55324b48e70b72e8af23082f6ffa71db18041 + +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIJ0lOInyN9dlQfUkukwZ+w+GyKPP9whXacxkz1Utjpk+ +-----END PRIVATE KEY----- diff --git a/tests/common/acme/certs/output/acme.test.template b/tests/common/acme/certs/output/acme.test.template new file mode 100644 index 0000000..320a170 --- /dev/null +++ b/tests/common/acme/certs/output/acme.test.template @@ -0,0 +1,5 @@ +dns_name = "acme.test" +dns_name = "acme.test" +expiration_days = 123456 +organization = Vhack.eu Test Keys +encryption_key diff --git a/tests/common/acme/certs/output/ca.cert.pem b/tests/common/acme/certs/output/ca.cert.pem new file mode 100644 index 0000000..0fa9d14 --- /dev/null +++ b/tests/common/acme/certs/output/ca.cert.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBYDCCARKgAwIBAgIUdhVVcf+NgElqGuutU55FUDBtFVMwBQYDK2VwMCoxCzAJ +BgNVBAYTAkVVMRswGQYDVQQKExJWaGFjay5ldSBUZXN0IEtleXMwIBcNMjUwMzAx +MTEyNjU2WhgPMjM2MzAzMDYxMTI2NTZaMCoxCzAJBgNVBAYTAkVVMRswGQYDVQQK +ExJWaGFjay5ldSBUZXN0IEtleXMwKjAFBgMrZXADIQCkO1LhHINvJjt41JD6UEc4 +ZKKUubB8lKPxSOyTkFBOgqNIMEYwDwYDVR0TAQH/BAUwAwEB/zAUBgNVHREEDTAL +gglhY21lLnRlc3QwHQYDVR0OBBYEFLUZcL/zguHlulHg5GYyYhXmVt/6MAUGAytl +cANBAFMFFy5tjuQtp5GVEN6qM50L4lteQuxfhlQqmOOfl06HV6153wJnrlKaTOYO +t0dKlSqKROMYUYeU39xDp07MLAc= +-----END CERTIFICATE----- diff --git a/tests/common/acme/certs/output/ca.key.pem b/tests/common/acme/certs/output/ca.key.pem new file mode 100644 index 0000000..64263bc --- /dev/null +++ b/tests/common/acme/certs/output/ca.key.pem @@ -0,0 +1,25 @@ +Public Key Info: + Public Key Algorithm: EdDSA (Ed25519) + Key Security Level: High (256 bits) + +curve: Ed25519 +private key: + 82:0d:fc:f0:d6:82:89:63:e5:bc:23:78:ba:98:38:83 + 09:2d:e0:78:4c:53:92:e3:db:5b:2f:e4:39:ce:96:3d + + +x: + a4:3b:52:e1:1c:83:6f:26:3b:78:d4:90:fa:50:47:38 + 64:a2:94:b9:b0:7c:94:a3:f1:48:ec:93:90:50:4e:82 + + + +Public Key PIN: + pin-sha256:jpzYZMOHDPCeSXxfL+YUXgSPcbO9MAs8foGMP5CJiD8= +Public Key ID: + sha256:8e9cd864c3870cf09e497c5f2fe6145e048f71b3bd300b3c7e818c3f9089883f + sha1:b51970bff382e1e5ba51e0e466326215e656dffa + +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIIIN/PDWgolj5bwjeLqYOIMJLeB4TFOS49tbL+Q5zpY9 +-----END PRIVATE KEY----- diff --git a/tests/common/acme/certs/output/ca.template b/tests/common/acme/certs/output/ca.template new file mode 100644 index 0000000..a2295d8 --- /dev/null +++ b/tests/common/acme/certs/output/ca.template @@ -0,0 +1,5 @@ +country = EU +dns_name = "acme.test" +expiration_days = 123456 +organization = Vhack.eu Test Keys +ca diff --git a/tests/common/acme/certs/snakeoil-certs.nix b/tests/common/acme/certs/snakeoil-certs.nix new file mode 100644 index 0000000..aeb6dfc --- /dev/null +++ b/tests/common/acme/certs/snakeoil-certs.nix @@ -0,0 +1,13 @@ +let + domain = "acme.test"; +in { + inherit domain; + ca = { + cert = ./output/ca.cert.pem; + key = ./output/ca.key.pem; + }; + "${domain}" = { + cert = ./output/. + "/${domain}.cert.pem"; + key = ./output/. + "/${domain}.key.pem"; + }; +} diff --git a/tests/common/acme/client.nix b/tests/common/acme/client.nix new file mode 100644 index 0000000..2b870e8 --- /dev/null +++ b/tests/common/acme/client.nix @@ -0,0 +1,21 @@ +{ + nodes, + lib, + ... +}: let + inherit (nodes.acme.test-support.acme) caCert; + inherit (nodes.acme.test-support.acme) caDomain; +in { + security = { + acme = { + acceptTerms = true; + defaults = { + server = "https://${caDomain}/dir"; + }; + }; + + pki = { + certificateFiles = lib.mkForce [caCert]; + }; + }; +} diff --git a/tests/common/acme/default.nix b/tests/common/acme/default.nix new file mode 100644 index 0000000..236ba6a --- /dev/null +++ b/tests/common/acme/default.nix @@ -0,0 +1,114 @@ +# The certificate for the ACME service is exported as: +# +# config.test-support.acme.caCert +# +# This value can be used inside the configuration of other test nodes to inject +# the test certificate into security.pki.certificateFiles or into package +# overlays. +# +# { +# acme = { nodes, lib, ... }: { +# imports = [ ./common/acme/server ]; +# networking.nameservers = lib.mkForce [ +# nodes.mydnsresolver.networking.primaryIPAddress +# ]; +# }; +# +# dnsmyresolver = ...; +# } +# +# Keep in mind, that currently only _one_ resolver is supported, if you have +# more than one resolver in networking.nameservers only the first one will be +# used. +# +# Also make sure that whenever you use a resolver from a different test node +# that it has to be started _before_ the ACME service. +{ + config, + pkgs, + lib, + ... +}: let + testCerts = import ./certs/snakeoil-certs.nix; + inherit (testCerts) domain; + + pebbleConf.pebble = { + listenAddress = "0.0.0.0:443"; + managementListenAddress = "0.0.0.0:15000"; + + # The cert and key are used only for the Web Front End (WFE) + certificate = testCerts.${domain}.cert; + privateKey = testCerts.${domain}.key; + + httpPort = 80; + tlsPort = 443; + ocspResponderURL = "http://${domain}:4002"; + strict = true; + }; + + pebbleConfFile = pkgs.writeText "pebble.conf" (builtins.toJSON pebbleConf); +in { + options.test-support.acme = { + caDomain = lib.mkOption { + type = lib.types.str; + default = domain; + readOnly = true; + description = '' + A domain name to use with the `nodes` attribute to + identify the CA server in the `client` config. + ''; + }; + caCert = lib.mkOption { + type = lib.types.path; + readOnly = true; + default = testCerts.ca.cert; + description = '' + A certificate file to use with the `nodes` attribute to + inject the test CA certificate used in the ACME server into + {option}`security.pki.certificateFiles`. + ''; + }; + }; + + config = { + networking = { + # This has priority 140, because modules/testing/test-instrumentation.nix + # already overrides this with priority 150. + nameservers = lib.mkOverride 140 ["127.0.0.1"]; + firewall.allowedTCPPorts = [ + 80 + 443 + 15000 + 4002 + ]; + + extraHosts = '' + 127.0.0.1 ${domain} + ${config.networking.primaryIPAddress} ${domain} + ''; + }; + + systemd.services = { + pebble = { + enable = true; + description = "Pebble ACME server"; + wantedBy = ["network.target"]; + environment = { + # We're not testing lego, we're just testing our configuration. + # No need to sleep. + PEBBLE_VA_NOSLEEP = "1"; + }; + + serviceConfig = { + RuntimeDirectory = "pebble"; + WorkingDirectory = "/run/pebble"; + + # Required to bind on privileged ports. + AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; + + ExecStart = "${pkgs.pebble}/bin/pebble -config ${pebbleConfFile}"; + }; + }; + }; + }; +} diff --git a/tests/common/email/dkim/alice.com/private.age b/tests/common/email/dkim/alice.com/private.age new file mode 100644 index 0000000..5415fdc --- /dev/null +++ b/tests/common/email/dkim/alice.com/private.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dkJqTFNjOUphUWpBTmUv +MldLUUVtUWJWY2p4NGNDVlluWUdJNUVGTDBnCkRMZ3VsVGkvUUJsbUgrUHA5d1pY +d3lvQkdsSnRxYWxSbGlkQUlnMEFiWncKLT4gWDI1NTE5IGljWDF2a3JqZHBzZC9J +ZjlxSVdKQ0ErRGc1VVRTNE91RC8rR2ZhMlN5d28KYVNyMWZWSnZFNS9zWUdLS01T +UkJLaGxqWmwySzdxRk5GVUZ4NFR1aXcxcwotPiBzc2gtZWQyNTUxOSBSc2dXcFEg +alJlckZsT21YUUQrS05Xb25TeFJXUmFFTFl1U3NYOXZoWEZwa0Qrd2dnWQoxZVla +TFV3VURsaUxZdUZVRkZhdXcyV3AzMTJCc1hXUDJlK2FPc0pIU2hvCi0+IFN6Nlc4 +R0dqLWdyZWFzZSBfIQpUdERFc2xwZGkwR2p3QW0vNlIyR0pYTkkyeU02ckw2RnEv +bHE5TFQ4TlBaL3lNd1ZFbDRPZXo1RmpSeStWcjljCmFpV28KLS0tIEE2SURxTHdl +RWt5NXZRT3hFUHpjSm1BdTlwZGM2NmQvNm5Pb0s4dW5pc2sKTKoHvkHEkuPkMTDw +Un+0mSGY82ZxfpNuYH6YEjUYsXwAw4y0HFvsObc0XuYzCmQrBX8vLos0Sg5kzboT +EU81RdjI1AQPwhd+jBIDNFpUzYZ/IaQsz7Yp3G1WDfkeYPk10IuzOJoeRjLC9HPa +wfYCKZDhegV6n//kAxBGM0Q3MzyxO3eYJ+k3TaWnUPLnw+nFMAANgkYqfg== +-----END AGE ENCRYPTED FILE----- diff --git a/tests/common/email/dkim/alice.com/public b/tests/common/email/dkim/alice.com/public new file mode 100644 index 0000000..0f3c3b2 --- /dev/null +++ b/tests/common/email/dkim/alice.com/public @@ -0,0 +1 @@ +cLWzd3zg51ITME1Fnu16/h07lXIUxfhdLivktUMoVQs= \ No newline at end of file diff --git a/tests/common/email/dkim/bob.com/private.age b/tests/common/email/dkim/bob.com/private.age new file mode 100644 index 0000000..c07c997 --- /dev/null +++ b/tests/common/email/dkim/bob.com/private.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmN0FHQ2ZhVEVpNnB1S2Zu +T3JBS0xLUklKNUxKeENYeis3MUZHdUF1STFFCmdkTFQvcG9qWk55QjlEUDN2NGFa +Ump1TW1xRUZ3K251bFJsaEMrTXd3VzgKLT4gWDI1NTE5IFF6ZGNJbWkrc1Z5M3Rk +blpNUGpuNU0rZi9Ed2dicnM4WXhrbjdQVDFzeGsKd2V6clA0UjZWYmJxZytaa3B3 +T2drNkhiQVBKU2tOL2gxeGtjQnAra2NxawotPiBzc2gtZWQyNTUxOSBSc2dXcFEg +Y2xrRDduWXo1Qk81VFMxMHZ0T3FhaXZXUm1VMDNhVGZscEJ6Q2owWXFCMApsMTQ4 +K2hGNm4ybGNkSTFOeHdwZnI5YjRZQm1uVC9xUEtRSjBxV0JKdERRCi0+IFlzLWdy +ZWFzZSBbZztrCk1sWFhaZXNZOUhMbAotLS0gbkNRK2hkZ0dEZEkxeFVJKysyUUY3 +UWVBRjZoVXJCWk5YTEh4ZktpM1IwNArrxTAoCB+Ubb79nB53ZnbakCaDfrfLx7Oi +Khq4CZh64r2LaQWFP0m5dhHWDF/8Fg+E42zbXN1KQwggz2h59EqI2ouOXmjiZeHN +O50mfruF9xybdAFVIThEsjRTRQDPfO5qq6PI+g+w4s+S8kl6yp61t6z3y+zI3GGw +RxCsY2uEn5naMuBMqkYL5dhA/G5deNMpUQ8rcRZw +-----END AGE ENCRYPTED FILE----- diff --git a/tests/common/email/dkim/bob.com/public b/tests/common/email/dkim/bob.com/public new file mode 100644 index 0000000..ddea670 --- /dev/null +++ b/tests/common/email/dkim/bob.com/public @@ -0,0 +1 @@ +3yrKD52yd5hBA6ue5uQVl7FXGK8UOlUE9Y+yCdBRfVQ= \ No newline at end of file diff --git a/tests/common/email/dkim/gen_key.sh b/tests/common/email/dkim/gen_key.sh new file mode 100755 index 0000000..48b4434 --- /dev/null +++ b/tests/common/email/dkim/gen_key.sh @@ -0,0 +1,35 @@ +#! /usr/bin/env nix-shell +#! nix-shell -p rage -p openssl -p dash -i dash --impure + +# shellcheck shell=dash + +cd "$(dirname "$0")" || { + echo "No basedir?!" + exit 1 +} + +key_name="$1" +[ -z "$key_name" ] && { + echo "Usage: $0 KEY_NAME" + exit 2 +} + +[ -d "$key_name" ] || mkdir "$key_name" +cd "$key_name" || { + echo "Just created." + exit 1 +} + +openssl genpkey -algorithm ed25519 -out "private" +openssl pkey -in "private" -pubout -out "public.tmp" + +openssl asn1parse -in "public.tmp" -offset 12 -noout -out /dev/stdout | base64 --wrap 0 >"public" +rm "public.tmp" + +rage --encrypt \ + --armor \ + --recipient "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxdvBk/PC9fC7B5vqe9TvygZKY6LgDQ2mXRdVrthBM/" \ + "private" >"private.age" +rm "private" + +# vim: ft=sh diff --git a/tests/common/email/dkim/mail1.server.com/private.age b/tests/common/email/dkim/mail1.server.com/private.age new file mode 100644 index 0000000..8c5d3c3 --- /dev/null +++ b/tests/common/email/dkim/mail1.server.com/private.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOYXRiK29XallqZG1vc1Bl +TlpFbk9WZmZIK1FrUHRIbmx6bEI5UkhJZUZ3Ck8zcHVGWHJjdG5wZnh0SDljc2F5 +WU1DMUNxdFdVQmRUMFNpa0VCSUkxZmsKLT4gWDI1NTE5IFhXREJyTVNueGp6YVg1 +b3FUemlodUMraWRMVnEyQTZqRlpKanhxdDBSMlkKYVNxcXFockpleGJBaU1iUUQ4 +bml2azlPSE9Jc0N0dDU2d1hYOXFpcnV2ZwotPiBzc2gtZWQyNTUxOSBSc2dXcFEg +ZUVuOHZyM3pRcTZHKzFsV2VheDkrdml4NUVIWldQY1BqcGNpTG5lU2VrVQoydnVZ +UHdpa1FmT3hNbHA1dll1dVFxS0VFanV3N3Y5Z1E5ejBiMkhRSHhRCi0+ICVuPzx1 +Ky1ncmVhc2UgYXY5PE43Om4KcWplaklGSXlMSk0yNktld21ucUdVS1dFVmt4NFhi +VG5WYUNMUGdxZ0dta1F6RVpRRTdoek1WT0hwaC9CVEcyMworUQotLS0genJEN2Jq +Y1JVbzc3NVFoSXAxSUxEQUZzZkRCcXNmSXBwZDB0eDMybE5NMApv3ghQF9tC00yI +v7Sa9ZKrA8HDb/wpUn0X+D+ShLC95rW8+oPonN6gt+z+PoVUFvXwKsP/1I+D6z+B +PRMurlvpspkIGlgi5S5H6brj9UJ7Pt61+Ld2/gaLevzCPy1QCmlAlqRKvZuZMUUR +hWbmEXi8j56ClcxpVe62p+4GCI41T2cjAogi2C33dtviIcGedq9byD5tbVt4 +-----END AGE ENCRYPTED FILE----- diff --git a/tests/common/email/dkim/mail1.server.com/public b/tests/common/email/dkim/mail1.server.com/public new file mode 100644 index 0000000..4941b85 --- /dev/null +++ b/tests/common/email/dkim/mail1.server.com/public @@ -0,0 +1 @@ +quDd9+ogqiIUWybfegosFFkG7jAsblij2VrkuUXEzzY= \ No newline at end of file diff --git a/tests/common/email/dkim/mail2.server.com/private.age b/tests/common/email/dkim/mail2.server.com/private.age new file mode 100644 index 0000000..d39631a --- /dev/null +++ b/tests/common/email/dkim/mail2.server.com/private.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRkl1SThtVnN3bUg4cmJL +aXBBUU4yRE1DOGdYclg1UXVhS1Y0UTJPVVIwCjlSOXZJdVB0R0VxbGdUWHd5U2RO +RGpFdUw4c3EyUFZNZUx4Mm5yeGNIeVUKLT4gWDI1NTE5IHc5K05EeE1xNnBHd1dS +WDJwSTdzLys3MnRncmN0WWZjTWkvM0tqeWRRU1EKek13RGRsNUhadncxQ3V6ZFcv +Ni9aMTFtRllFK0lvd2tidnRwUjE0V0d2OAotPiBzc2gtZWQyNTUxOSBSc2dXcFEg +Mml5VEt5b3R3d09Gc1hzR2pRZzJFY3VHT0JwUnBaTTNIWG5QaGdsWkh4bwp1Nzdx +dWxpbjdNRGZ6aThxM0d6a2MraklkSW03ek15YXRkSXVyaS96QlFjCi0+IDAkRDEp +bC4tZ3JlYXNlCi9lUnduUFJreTdpMEU5ejZjS1JyWmJzRkZNRVdLbnRRZC81aldN +c2FqTTgrNnFCSEYxQUhSQWxyMW9icCtQYkgKTUEKLS0tIDNmQkwwbjJiSldraDVw +ZUs3SHNpU0pGWXRLSVBtZ0Y1QW5uT0N5bnpjek0KiujqGmiYB3hCso3u4uCtZuO3 +EmPPJkbHKPNyUQy1V/Bv+sjgPDQi/0y7UR759G91iNIYQB0fWg7njWsl8GNdJwXI +YO+2utDKkrm0DowWNKpHX1KE1g93e0H5ZoptygLFtx8TWDP2i8R7JJqJ9QevSz6r +Nwjj+d3HGTxA7WvAZnNdvyfHbRRdvW+6q0uIjS5zHXAs8YmepA== +-----END AGE ENCRYPTED FILE----- diff --git a/tests/common/email/dkim/mail2.server.com/public b/tests/common/email/dkim/mail2.server.com/public new file mode 100644 index 0000000..5c4406d --- /dev/null +++ b/tests/common/email/dkim/mail2.server.com/public @@ -0,0 +1 @@ +th9exwaYvoAjxW1tAj3k/VNLl5jKzSC/dxKrxM2mTZE= \ No newline at end of file diff --git a/tests/common/email/hostKey b/tests/common/email/hostKey new file mode 100644 index 0000000..79c9d6c --- /dev/null +++ b/tests/common/email/hostKey @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACC8XbwZPzwvXwuweb6nvU78oGSmOi4A0Npl0XVa7YQTPwAAAJjFZPqHxWT6 +hwAAAAtzc2gtZWQyNTUxOQAAACC8XbwZPzwvXwuweb6nvU78oGSmOi4A0Npl0XVa7YQTPw +AAAEA9D5AP+Uqhrg8rPx2DjgucjfnJknkk7lkeKHMV04ZZv7xdvBk/PC9fC7B5vqe9Tvyg +ZKY6LgDQ2mXRdVrthBM/AAAAFSAnUHVibGljIHRlc3Rpbmcga2V5Jw== +-----END OPENSSH PRIVATE KEY----- -- cgit 1.4.1