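# NixOS VM test for the ferm firewall service.
#
# Two machines share a network on eth1: `server` runs nginx on ports 80 and
# 8080 behind a ferm ruleset that rejects TCP port 8080, and `client` probes
# both ports over IPv4 and IPv6.
import ./make-test.nix ({ pkgs, ...} : {
  name = "ferm";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ mic92 ];
  };

  nodes =
    { client =
        { pkgs, ... }:
        with pkgs.lib;
        {
          # Static addresses so the test script can target the server by literal.
          networking = {
            interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
          };
        };
      server =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
          };

          services = {
            ferm.enable = true;
            # `domain (ip ip6)` applies the same INPUT rules to both address
            # families, which is why every probe below is run twice. Rule order
            # matters: loopback traffic is accepted before the port 8080 reject.
            # The ruleset sets no chain policy and has no rule for port 80, so
            # the port 80 subtest only passes if unmatched traffic is accepted;
            # this is a block-one-port fixture, not a default-deny ruleset.
            ferm.config = ''
              domain (ip ip6) table filter chain INPUT {
                interface lo ACCEPT;
                proto tcp dport 8080 REJECT reject-with tcp-reset;
              }
            '';
            # nginx listens on both ports so that a refused connection on 8080
            # can only come from the firewall, not from a missing listener.
            nginx.enable = true;
            nginx.httpConfig = ''
              server {
                listen 80;
                listen [::]:80;
                listen 8080;
                listen [::]:8080;

                location /status { stub_status on; }
              }
            '';
          };
        };
    };

  testScript =
    ''
      startAll;

      $client->waitForUnit("network.target");
      $server->waitForUnit("ferm.service");
      $server->waitForUnit("nginx.service");
      # Match the listening port exactly. A bare "80" pattern is also satisfied
      # by the 8080 listener, so it would not prove that port 80 is bound.
      $server->waitUntilSucceeds("ss -ntl | grep -q ':80 '");

      # Positive control: proves client-to-server connectivity on both address
      # families, so the failures asserted below are attributable to the
      # firewall rather than to a broken network.
      subtest "port 80 is allowed", sub {
          $client->succeed("curl --fail -g http://192.168.1.1:80/status");
          $client->succeed("curl --fail -g http://[fd00::1]:80/status");
      };

      subtest "port 8080 is not allowed", sub {
          # From the server itself the port must stay reachable: this shows
          # nginx really serves 8080. Locally originated traffic to a local
          # address is delivered over the loopback interface on Linux, so it
          # is expected to match the "interface lo ACCEPT" rule.
          $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
          $server->succeed("curl --fail -g http://[fd00::1]:8080/status");

          # From the client the connection must be refused on IPv4 and IPv6.
          $client->fail("curl --fail -g http://192.168.1.1:8080/status");
          $client->fail("curl --fail -g http://[fd00::1]:8080/status");
      };
    '';
})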