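{pkgs}:
/*
 * Extra functions useful for the test script.
 *
 * Takes the package set `pkgs` and returns an attribute set of helper
 * scripts built with pkgs.writeShellScript.
 */
{
  /*
   * add_pebble_acme_ca: shell script that downloads the root and intermediate
   * certificates served by https://acme.test:15000 and appends them to the
   * system CA bundles under /etc, so that certificates issued by that test CA
   * validate on the machine running the script.
   *
   * Security notes:
   *  - This installs a trust anchor fetched over the network at run time and
   *    is only appropriate inside an isolated test machine.
   *  - The downloads use curl's default TLS verification, so the endpoint's
   *    own certificate must already be trusted by some means not visible in
   *    this file (NOTE(review): confirm how the test arranges that).
   *  - The CA is staged at the fixed, world-writable location /tmp/ca.crt.
   *    The path is kept because the exported variables below name it.
   */
  add_pebble_acme_ca = pkgs.writeShellScript "fetch-and-set-ca" ''
    set -xe
    # Fetch the randomly generated ca certificate.
    # --fail makes curl exit non-zero on an HTTP error response, so that
    # set -e aborts instead of appending an error page to the trust bundles.
    curl --fail https://acme.test:15000/roots/0 > /tmp/ca.crt
    curl --fail https://acme.test:15000/intermediates/0 >> /tmp/ca.crt
    # Append it to the various system stores
    # The file paths are from <nixpkgs>/modules/security/ca.nix
    for cert_path in "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" "pki/tls/certs/ca-bundle.crt"; do
      cert_path="/etc/$cert_path"
      # Move the original aside and write a fresh copy instead of appending
      # in place. NOTE(review): presumably because these /etc entries point
      # at read-only store files -- confirm. A second run overwrites the
      # .old backup with the already-extended bundle.
      mv "$cert_path" "$cert_path.old"
      cat "$cert_path.old" > "$cert_path"
      cat /tmp/ca.crt >> "$cert_path"
    done
    # /tmp/ca.crt holds only the test CA chain, not the full system bundle,
    # so anything honouring these variables trusts the test CA alone.
    # NOTE(review): the exports only reach the caller if this script is
    # sourced rather than executed -- confirm how the test invokes it.
    export NIX_SSL_CERT_FILE=/tmp/ca.crt
    export SSL_CERT_FILE=/tmp/ca.crt
    # TODO
    # # P11-Kit trust source.
    # environment.etc."ssl/trust-source".source = "$${cacertPackage.p11kit}/etc/ssl/trust-source";
  '';
}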