From 093d5cfaea4bf0c48a35e5a918946a348316553e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=B9=82=E0=B8=97=E0=B8=AA=E0=B8=BA=E0=B8=95=E0=B8=B1?= =?UTF-8?q?=E0=B8=A5?=
Date: Fri, 21 Feb 2025 16:31:48 +0700
Subject: [PATCH] nixos/step-ca: add H2O test
---
.../services/web-servers/h2o/default.nix | 2 +
nixos/tests/step-ca.nix | 38 +++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/nixos/modules/services/web-servers/h2o/default.nix b/nixos/modules/services/web-servers/h2o/default.nix
index d021ef7d4354..e359ea9671d8 100644
--- a/nixos/modules/services/web-servers/h2o/default.nix
+++ b/nixos/modules/services/web-servers/h2o/default.nix
@@ -20,6 +20,8 @@ let
types
;
+ mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
+
settingsFormat = pkgs.formats.yaml { };
getNames = name: vhostSettings: rec {
diff --git a/nixos/tests/step-ca.nix b/nixos/tests/step-ca.nix
index 9076993b064e..69b22bfd424a 100644
--- a/nixos/tests/step-ca.nix
+++ b/nixos/tests/step-ca.nix
@@ -90,6 +90,40 @@ import ./make-test-python.nix (
};
};
+ caclienth2o =
+ { config, pkgs, ... }:
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ server = "https://caserver:8443/acme/acme/directory";
+ email = "root@example.org";
+ };
+ };
+ security.pki.certificateFiles = [ "${test-certificates}/root_ca.crt" ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.h2o = {
+ enable = true;
+ hosts."caclienth2o" = {
+ tls.policy = "force";
+ acme.enable = true;
+ settings = {
+ paths."/" = {
+ "file.file" = "${pkgs.writeTextFile {
+ name = "h2o_welcome.txt";
+ text = "Welcome to H2O!";
+ }}";
+ };
+ };
+ };
+ };
+ };
+
catester =
{ config, pkgs, ... }:
{
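Review bot: The `mkCertOwnershipAssertion` binding added to the `let` block of h2o/default.nix is not referenced anywhere in this diff, so as committed it is dead code (Nix does not warn about unused `let` bindings, and the diffstat shows no other change to the module). If the intent is to do what the other ACME-capable web-server modules do and assert that the h2o service user can actually read the ACME-issued key and certificate — the security property this helper exists for, since the usual workaround when it is missing is loosening permissions under `/var/lib/acme` — the matching `assertions` entry applying it to every host with `acme.enable = true` should land in the same commit; otherwise the import should be dropped. The `let` block this hunk touches begins and ends outside the hunk.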
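Review bot: The new `caclienth2o` node opens TCP 80 and 443 without saying why; a one-line comment such as `# 80 for the ACME HTTP-01 challenge, 443 for catester's final check` would make the intent clear, assuming HTTP-01 is the challenge type the h2o module's `acme.enable` wires up (the module itself is outside this diff). The `security.acme` block looks like a copy of whatever the existing Caddy client node carries; if so, hoisting it into a shared attrset keeps the two clients from drifting. The `"file.file" = "${pkgs.writeTextFile { name = …; text = …; }}"` can be shortened to `"file.file" = "${pkgs.writeText "h2o_welcome.txt" "Welcome to H2O!"}";`.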
@@ -110,6 +144,10 @@ import ./make-test-python.nix (
# It’s hard to know when Caddy has finished the ACME dance with
# step-ca, so we keep trying cURL until success.
catester.wait_until_succeeds("curl https://caclientcaddy/ | grep \"Welcome to Caddy!\"")
+
+ caclienth2o.wait_for_unit("acme-finished-caclienth2o.target")
+ caclienth2o.wait_for_unit("h2o.service")
+ catester.succeed("curl https://caclienth2o/ | grep \"Welcome to H2O!\"")
'';
}
)
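Review bot: The one-shot `catester.succeed("curl https://caclienth2o/ …")` can race the certificate reload: reaching `acme-finished-caclienth2o.target` says the ACME client has obtained the certificate, but as far as I can tell it does not guarantee h2o has already reloaded it, so the first request may still hit the initial self-signed placeholder, fail TLS verification, and make the test flaky. The comment two lines above records exactly this problem for Caddy and the Caddy check polls for that reason; the H2O check should do the same: `catester.wait_until_succeeds("curl https://caclienth2o/ | grep \"Welcome to H2O!\"")`. The two `wait_for_unit` calls are still worth keeping, since they turn a misconfigured ACME client or a non-starting h2o into a clear unit failure instead of a curl timeout.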