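# NixOS VM test for the ferm firewall: two nodes on one segment, where the
# server runs ferm in front of nginx and the client checks that the rule set
# lets TCP/80 through while TCP/8080 is rejected.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "ferm";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ mic92 ];
  };

  nodes = {
    # The client only talks to the server over eth1 with fixed addresses.
    client =
      { pkgs, ... }:
      with pkgs.lib;
      {
        networking = {
          dhcpcd.enable = false;
          # mkOverride 0 pins these addresses ahead of any default the test
          # framework would otherwise assign to eth1.
          interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
          interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
        };
      };

    # The server runs ferm plus an nginx listening on 80 and 8080, so the same
    # HTTP endpoint can be probed through an allowed and a rejected port.
    server =
      { pkgs, ... }:
      with pkgs.lib;
      {
        networking = {
          dhcpcd.enable = false;
          useNetworkd = true;
          useDHCP = false;
          interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
          interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
        };

        services = {
          ferm.enable = true;
          # The rule set covers IPv4 and IPv6 at once (domain (ip ip6)).
          # Loopback is accepted first so the server's own probes of 8080 in
          # the test script pass; anything else on TCP/8080 gets an active
          # reject (tcp-reset), so a rejected client fails fast rather than
          # waiting for a timeout. No chain policy is set here, so traffic the
          # rules do not match (e.g. port 80) falls through to the chain's
          # default, which is what the "port 80 is allowed" subtest relies on.
          ferm.config = ''
            domain (ip ip6) table filter chain INPUT {
              interface lo ACCEPT;
              proto tcp dport 8080 REJECT reject-with tcp-reset;
            }
          '';
          nginx.enable = true;
          # Same status endpoint on both ports; only the firewall treatment
          # of the two ports differs.
          nginx.httpConfig = ''
            server {
              listen 80;
              listen [::]:80;
              listen 8080;
              listen [::]:8080;

              location /status { stub_status on; }
            }
          '';
        };
      };
  };

  # curl is run with --fail so HTTP errors count as failures, and with -g so
  # the bracketed IPv6 literal is not expanded by curl's URL globbing.
  testScript = ''
    start_all()

    client.wait_for_unit("network-online.target")
    server.wait_for_unit("network-online.target")
    server.wait_for_unit("ferm.service")
    server.wait_for_unit("nginx.service")
    # Match ":80 " rather than a bare "80" so a listener on 8080 alone
    # cannot satisfy this wait.
    server.wait_until_succeeds("ss -ntl | grep -q ':80 '")

    with subtest("port 80 is allowed"):
        client.succeed("curl --fail -g http://192.168.1.1:80/status")
        client.succeed("curl --fail -g http://[fd00::1]:80/status")

    with subtest("port 8080 is not allowed"):
        server.succeed("curl --fail -g http://192.168.1.1:8080/status")
        server.succeed("curl --fail -g http://[fd00::1]:8080/status")

        client.fail("curl --fail -g http://192.168.1.1:8080/status")
        client.fail("curl --fail -g http://[fd00::1]:8080/status")
  '';
})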