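{
  pkgs,
  makeTest,
}:

# Mutual-TLS smoke test for PostgreSQL: the client authenticates with an X.509
# client certificate (pg_hba.conf method `cert`) and verifies the server
# certificate with sslmode=verify-full against a private, throw-away test CA.
#
# Security notes for anyone tempted to copy this pattern:
#   * Every key below is produced by an ordinary (non-fixed-output) derivation
#     and therefore lives in the world-readable Nix store -- and in any binary
#     cache the build is pushed to.  That is only acceptable because these are
#     test fixtures regenerated on every rebuild; real keys must never be
#     generated or stored this way.
#   * The private keys are copied out of the store during system activation so
#     they can be owned by the consuming user with mode 0600.  Store paths are
#     world-readable, and PostgreSQL refuses to load a server key file with
#     permissive modes (it must be 0600 owned by the server user, or 0640
#     owned by root).

let
  inherit (pkgs) lib;

  # Build a single file with openssl on PATH. `file` is the derivation name,
  # `cmd` the shell snippet that must write the result to $out.
  runWithOpenSSL =
    file: cmd:
    pkgs.runCommand file {
      buildInputs = [ pkgs.openssl ];
    } cmd;

  # --- Test CA ---------------------------------------------------------------
  caKey = runWithOpenSSL "ca.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
  # Self-signed root. The 100-year lifetime is deliberate: the fixture must not
  # expire underneath a test that is re-run years later from the same store path.
  caCert = runWithOpenSSL "ca.crt" ''
    openssl req -new -x509 -sha256 -key ${caKey} -out $out -subj "/CN=test.example" -days 36500
  '';

  # --- Server credentials ----------------------------------------------------
  serverKey = runWithOpenSSL "server.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
  # Directory on the server VM that receives the 0600 copy of serverKey.
  serverKeyPath = "/var/lib/postgresql";
  # The CN must be the name the client connects to (PGHOST below, resolved via
  # /etc/hosts): sslmode=verify-full makes libpq check the host name, and since
  # this certificate carries no subjectAltName that check falls back to the CN.
  # Should a SAN ever be added, it has to list db.test.example as well, because
  # a present SAN takes precedence over the CN.
  serverCert = runWithOpenSSL "server.crt" ''
    openssl req -new -sha256 -key ${serverKey} -out server.csr -subj "/CN=db.test.example"
    openssl x509 -req -in server.csr -CA ${caCert} -CAkey ${caKey} \
      -CAcreateserial -out $out -days 36500 -sha256
  '';

  # --- Client credentials ----------------------------------------------------
  clientKey = runWithOpenSSL "client.key" "openssl ecparam -name prime256v1 -genkey -noout -out $out";
  # With the `cert` authentication method and no pg_ident map, the server takes
  # the client certificate's CN as the database role name, so "test" here has
  # to match the role created via ensureUsers and PGUSER on the client.
  # Each signing step runs in its own derivation, so the two certificates do
  # not share a serial file; harmless for a CA that only ever issues these two.
  clientCert = runWithOpenSSL "client.crt" ''
    openssl req -new -sha256 -key ${clientKey} -out client.csr -subj "/CN=test"
    openssl x509 -req -in client.csr -CA ${caCert} -CAkey ${caKey} \
      -CAcreateserial -out $out -days 36500 -sha256
  '';
  # Directory on the client VM that receives the 0600 copy of clientKey; the
  # test script runs psql as root, so root:root is the right owner.
  clientKeyPath = "/root";

  # Build the two-node VM test for one PostgreSQL package.
  makeTestFor =
    package:
    makeTest {
      name = "postgresql-tls-client-cert-${package.name}";
      meta.maintainers = with lib.maintainers; [ erictapen ];

      nodes.server =
        { ... }:
        {
          # Activation scripts run before systemd starts services, so the key
          # is in place -- and already private -- before postgresql.service
          # reads ssl_key_file.
          system.activationScripts = {
            keyPlacement.text = ''
              mkdir -p '${serverKeyPath}'
              cp '${serverKey}' '${serverKeyPath}/server.key'
              chown postgres:postgres '${serverKeyPath}/server.key'
              chmod 600 '${serverKeyPath}/server.key'
            '';
          };
          services.postgresql = {
            inherit package;
            enable = true;
            enableJIT = lib.hasInfix "-jit-" package.name;
            enableTCPIP = true;
            ensureUsers = [
              {
                name = "test";
                ensureDBOwnership = true;
              }
            ];
            ensureDatabases = [ "test" ];
            settings = {
              ssl = "on";
              # Certificate and CA are public material and may be read straight
              # from the store; only the private key is copied out.
              ssl_ca_file = toString caCert;
              ssl_cert_file = toString serverCert;
              ssl_key_file = "${serverKeyPath}/server.key";
            };
            # Only a `hostssl` rule is added: role "test" may reach database
            # "test" over TLS from any IPv6 source, and only when it presents a
            # certificate that chains to ssl_ca_file and whose CN equals the
            # role name (`cert` auth, clientcert=verify-full). This file opens
            # no plaintext `host` rule for that role.
            authentication = ''
              hostssl test test ::/0 cert clientcert=verify-full
            '';
          };
          networking = {
            interfaces.eth1 = {
              ipv6.addresses = [
                {
                  address = "fc00::1";
                  prefixLength = 120;
                }
              ];
            };
            firewall.allowedTCPPorts = [ 5432 ];
          };
        };

      nodes.client =
        { ... }:
        {
          system.activationScripts = {
            keyPlacement.text = ''
              mkdir -p '${clientKeyPath}'
              cp '${clientKey}' '${clientKeyPath}/client.key'
              chown root:root '${clientKeyPath}/client.key'
              chmod 600 '${clientKeyPath}/client.key'
            '';
          };
          environment = {
            # libpq connection parameters shared by every psql call below.
            variables = {
              PGHOST = "db.test.example";
              PGPORT = "5432";
              PGDATABASE = "test";
              PGUSER = "test";
              # verify-full validates the chain against PGSSLROOTCERT *and*
              # checks that the server certificate is issued for PGHOST;
              # verify-ca alone would accept any certificate the test CA signed.
              PGSSLMODE = "verify-full";
              PGSSLCERT = clientCert;
              PGSSLKEY = "${clientKeyPath}/client.key";
              PGSSLROOTCERT = caCert;
            };
            systemPackages = [ package ];
          };
          networking = {
            interfaces.eth1 = {
              ipv6.addresses = [
                {
                  address = "fc00::2";
                  prefixLength = 120;
                }
              ];
            };
            # Pin the name the server certificate was issued for to the
            # server's test address, so db.test.example resolves without DNS.
            hosts = {
              "fc00::1" = [ "db.test.example" ];
            };
          };
        };

      testScript = ''
        server.wait_for_unit("multi-user.target")
        client.wait_for_unit("multi-user.target")

        # Positive case: mutual TLS with a valid client certificate.
        client.succeed("psql -c \"SELECT 1;\"")

        # The session must actually be TLS-protected, not merely authenticated.
        ssl = client.succeed(
            "psql -tAc \"SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();\""
        ).strip()
        assert ssl == "t", f"expected a TLS session, pg_stat_ssl.ssl = {ssl!r}"

        # Negative case: with no client certificate offered, the `cert` rule
        # must reject the connection -- otherwise the positive case proves
        # nothing about client-certificate enforcement. An empty PGSSLCERT
        # makes libpq fall back to ~/.postgresql/postgresql.crt, which does
        # not exist on this VM, so no certificate is sent.
        client.fail("PGSSLCERT= psql -c \"SELECT 1;\"")
      '';
    };
in
# One test attribute per packaged PostgreSQL version, plus `passthru.override`
# so callers can run the same test against an arbitrary package.
lib.recurseIntoAttrs (
  lib.concatMapAttrs (n: p: { ${n} = makeTestFor p; }) pkgs.postgresqlVersions
  // {
    passthru.override = p: makeTestFor p;
  }
)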