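{pkgs}: let
  # Shell script executed on each test node (through `node.succeed`) to make
  # the randomly generated Pebble root + intermediate a trust anchor on that
  # node. The resulting bundle is left at /tmp/ca.crt for later test steps.
  add_pebble_ca_certs = pkgs.writeShellScript "fetch-and-set-ca" ''
    set -xeu

    # Fetch the randomly generated ca certificate chain.
    # --fail matters here: without it curl exits 0 on an HTTP error status and
    # the error page would end up installed as a trust anchor. The chain is
    # assembled in a temp file so a failed fetch never leaves a half-written
    # /tmp/ca.crt behind.
    tmp=$(mktemp)
    curl -fsS https://acme.test:15000/roots/0 > "$tmp"
    curl -fsS https://acme.test:15000/intermediates/0 >> "$tmp"

    # Refuse to install anything that does not look like PEM certificates.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$tmp"
    mv "$tmp" /tmp/ca.crt

    # Append it to the various system stores.
    # The file paths are from <nixpkgs>/modules/security/ca.nix.
    # The bundle is rebuilt as a regular file next to a ".old" backup rather
    # than appended in place (presumably the originals are read-only links).
    # The backup is only taken once, so re-running the script on the same node
    # re-derives the bundle from the pristine copy instead of stacking CAs.
    for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
      cert_path="/etc/$cert_path"

      if [ ! -e "$cert_path.old" ]; then
        mv "$cert_path" "$cert_path.old"
      fi
      cat "$cert_path.old" /tmp/ca.crt > "$cert_path"
    done

    # NOTE: these only affect the remainder of this script's own process; the
    # script is run as a standalone command via `node.succeed`, so nothing on
    # the node inherits them. Tools on the node rely on the rewritten bundles
    # above.
    export NIX_SSL_CERT_FILE=/tmp/ca.crt
    export SSL_CERT_FILE=/tmp/ca.crt

    # TODO
    # # P11-Kit trust source.
    # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
  '';
in {
  # Builds the Python test-script prologue shared by the ACME tests.
  #
  # Arguments:
  #   clients - list of test-node names (as strings) that, together with the
  #             name server, get the Pebble CA installed. May be empty.
  #   extra   - Python source appended verbatim after the prologue.
  #
  # The prologue starts the ACME server (pebble) and the DNS server (nsd),
  # then starts all remaining nodes and installs the CA on each of them.
  prepare = clients: extra:
  # The parens are needed for the syntax highlighting to work.
    ( # python
      ''
        # Start dependencies for the other services
        acme.start()
        acme.wait_for_unit("pebble.service")
        name_server.start()
        name_server.wait_for_unit("nsd.service")

        # Start actual test
        start_all()

        with subtest("Add pebble ca key to all services"):
          # A trailing comma is valid Python, so an empty `clients` list is fine.
          for node in [name_server, ${builtins.concatStringsSep "," clients}]:
            # --fail so that an HTTP error response does not end the wait early.
            node.wait_until_succeeds("curl -fsS https://acme.test:15000/roots/0")
            node.succeed("${add_pebble_ca_certs}")
      ''
    )
    + extra;
}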