@ -11,7 +11,7 @@ let
file = {
group = " n g i n x " ;
owner = " n g i n x " ;
path = " / t m p / ${ host } - c a . p e m " ;
path = " / v a r / s s l / ${ host } - c a . p e m " ;
} ;
label = " w w w _ c a " ;
profile = " t h r e e - m o n t h " ;
@ -20,13 +20,13 @@ let
certificate = {
group = " n g i n x " ;
owner = " n g i n x " ;
path = " / t m p / ${ host } - c e r t . p e m " ;
path = " / v a r / s s l / ${ host } - c e r t . p e m " ;
} ;
private_key = {
group = " n g i n x " ;
mode = " 0 6 0 0 " ;
owner = " n g i n x " ;
path = " / t m p / ${ host } - k e y . p e m " ;
path = " / v a r / s s l / ${ host } - k e y . p e m " ;
} ;
request = {
CN = host ;
@ -57,6 +57,8 @@ let
services . cfssl . enable = true ;
systemd . services . cfssl . after = [ " c f s s l - i n i t . s e r v i c e " " n e t w o r k i n g . t a r g e t " ] ;
systemd . tmpfiles . rules = [ " d / v a r / s s l 7 7 7 r o o t r o o t " ] ;
systemd . services . cfssl-init = {
description = " I n i t i a l i z e t h e c f s s l C A " ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
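Review bot: The new tmpfiles rule `d /var/ssl 777 root root` creates the directory that, per the other hunks, now holds the nginx private keys and the CA certificates as world-writable with no sticky bit, so any local user can unlink and replace `<host>-key.pem` or `<host>-ca.pem` before nginx or the test's `curl --cacert` reads them; the `mode = "0600"` on the key protects its contents but not its identity. Since every file in the directory is declared with `owner = "nginx"` and `group = "nginx"`, a rule such as `d /var/ssl 0750 root nginx -` keeps it readable by nginx while only root can create or replace entries; whether the certificate writer itself runs as root or as another user is not visible in this hunk, so adjust the owner to match that writer. This is a VM test, which limits the exposure, but these snippets tend to be copied into real configurations, so the mode is worth tightening here. The `systemd.services.cfssl.after` line orders cfssl after cfssl-init but the hunk shows no `requires`/`wants` for it; if cfssl-init is meant to be a hard dependency that may be worth confirming outside this hunk.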
@ -87,8 +89,8 @@ let
enable = true ;
virtualHosts = lib . mkMerge ( map ( host : {
$ { host } = {
sslCertificate = " / t m p / ${ host } - c e r t . p e m " ;
sslCertificateKey = " / t m p / ${ host } - k e y . p e m " ;
sslCertificate = " / v a r / s s l / ${ host } - c e r t . p e m " ;
sslCertificateKey = " / v a r / s s l / ${ host } - k e y . p e m " ;
extraConfig = ''
ssl_protocols TLSv1 TLSv1 .1 TLSv1 .2 ;
'' ;
@ -124,16 +126,18 @@ in
} ;
testScript = ''
machine . wait_for_unit ( " c f s s l . s e r v i c e " )
machine . wait_until_succeeds ( " l s / t m p / d e c l . e x a m p l e . o r g - c a . p e m " )
machine . wait_until_succeeds ( " l s / t m p / d e c l . e x a m p l e . o r g - k e y . p e m " )
machine . wait_until_succeeds ( " l s / t m p / d e c l . e x a m p l e . o r g - c e r t . p e m " )
machine . wait_until_succeeds ( " l s / t m p / i m p . e x a m p l e . o r g - c a . p e m " )
machine . wait_until_succeeds ( " l s / t m p / i m p . e x a m p l e . o r g - k e y . p e m " )
machine . wait_until_succeeds ( " l s / t m p / i m p . e x a m p l e . o r g - c e r t . p e m " )
machine . wait_until_succeeds ( " l s / v a r / s s l / d e c l . e x a m p l e . o r g - c a . p e m " )
machine . wait_until_succeeds ( " l s / v a r / s s l / d e c l . e x a m p l e . o r g - k e y . p e m " )
machine . wait_until_succeeds ( " l s / v a r / s s l / d e c l . e x a m p l e . o r g - c e r t . p e m " )
machine . wait_until_succeeds ( " l s / v a r / s s l / i m p . e x a m p l e . o r g - c a . p e m " )
machine . wait_until_succeeds ( " l s / v a r / s s l / i m p . e x a m p l e . o r g - k e y . p e m " )
machine . wait_until_succeeds ( " l s / v a r / s s l / i m p . e x a m p l e . o r g - c e r t . p e m " )
machine . wait_for_unit ( " n g i n x . s e r v i c e " )
assert 1 < int ( machine . succeed ( ' journalctl - u nginx | grep " S t a r t i n g N g i n x " | wc - l' ) )
machine . succeed ( " c u r l - - c a c e r t / t m p / i m p . e x a m p l e . o r g - c a . p e m h t t p s : / / i m p . e x a m p l e . o r g " )
machine . succeed ( " c u r l - - c a c e r t / t m p / d e c l . e x a m p l e . o r g - c a . p e m h t t p s : / / d e c l . e x a m p l e . o r g " )
machine . succeed ( " c u r l - - c a c e r t / v a r / s s l / i m p . e x a m p l e . o r g - c a . p e m h t t p s : / / i m p . e x a m p l e . o r g " )
machine . succeed (
" c u r l - - c a c e r t / v a r / s s l / d e c l . e x a m p l e . o r g - c a . p e m h t t p s : / / d e c l . e x a m p l e . o r g "
)
'' ;
} ;