nixos/tests/privoxy.nix at 23.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / privoxy.nix
at 23.11-pre 3.6 kB view raw
  1import ./make-test-python.nix ({ lib, pkgs, ... }:
  2
  3let
  4  # Note: For some reason Privoxy can't issue valid
  5  # certificates if the CA is generated using gnutls :(
  6  certs = pkgs.runCommand "example-certs"
  7    { buildInputs = [ pkgs.openssl ]; }
  8    ''
  9      mkdir $out
 10
 11      # generate CA keypair
 12      openssl req -new -nodes -x509 \
 13        -extensions v3_ca -keyout $out/ca.key \
 14        -out $out/ca.crt -days 365 \
 15        -subj "/O=Privoxy CA/CN=Privoxy CA"
 16
 17      # generate server key/signing request
 18      openssl genrsa -out $out/server.key 3072
 19      openssl req -new -key $out/server.key \
 20        -out server.csr -sha256 \
 21        -subj "/O=An unhappy server./CN=example.com"
 22
 23      # sign the request/generate the certificate
 24      openssl x509 -req -in server.csr -CA $out/ca.crt \
 25      -CAkey $out/ca.key -CAcreateserial -out $out/server.crt \
 26      -days 500 -sha256
 27    '';
 28in
 29
 30{
 31  name = "privoxy";
 32  meta = with lib.maintainers; {
 33    maintainers = [ rnhmjoj ];
 34  };
 35
 36  nodes.machine = { ... }: {
 37    services.nginx.enable = true;
 38    services.nginx.virtualHosts."example.com" = {
 39      addSSL = true;
 40      sslCertificate = "${certs}/server.crt";
 41      sslCertificateKey = "${certs}/server.key";
 42      locations."/".root = pkgs.writeTextFile
 43        { name = "bad-day";
 44          destination = "/how-are-you/index.html";
 45          text = "I've had a bad day!\n";
 46        };
 47      locations."/ads".extraConfig = ''
 48        return 200 "Hot Nixpkgs PRs in your area. Click here!\n";
 49      '';
 50    };
 51
 52    services.privoxy = {
 53      enable = true;
 54      inspectHttps = true;
 55      settings = {
 56        ca-cert-file = "${certs}/ca.crt";
 57        ca-key-file  = "${certs}/ca.key";
 58        debug = 65536;
 59      };
 60      userActions = ''
 61        {+filter{positive}}
 62        example.com
 63
 64        {+block{Fake ads}}
 65        example.com/ads
 66      '';
 67      userFilters = ''
 68        FILTER: positive This is a filter example.
 69        s/bad/great/ig
 70      '';
 71    };
 72
 73    security.pki.certificateFiles = [ "${certs}/ca.crt" ];
 74
 75    networking.hosts."::1" = [ "example.com" ];
 76    networking.proxy.httpProxy = "http://localhost:8118";
 77    networking.proxy.httpsProxy = "http://localhost:8118";
 78  };
 79
 80  testScript =
 81    ''
 82      with subtest("Privoxy is running"):
 83          machine.wait_for_unit("privoxy")
 84          machine.wait_for_open_port(8118)
 85          machine.succeed("curl -f http://config.privoxy.org")
 86
 87      with subtest("Privoxy can filter http requests"):
 88          machine.wait_for_open_port(80)
 89          assert "great day" in machine.succeed(
 90              "curl -sfL http://example.com/how-are-you? | tee /dev/stderr"
 91          )
 92
 93      with subtest("Privoxy can filter https requests"):
 94          machine.wait_for_open_port(443)
 95          assert "great day" in machine.succeed(
 96              "curl -sfL https://example.com/how-are-you? | tee /dev/stderr"
 97          )
 98
 99      with subtest("Blocks are working"):
100          machine.wait_for_open_port(443)
101          machine.fail("curl -f https://example.com/ads 1>&2")
102          machine.succeed("curl -f https://example.com/PRIVOXY-FORCE/ads 1>&2")
103
104      with subtest("Temporary certificates are cleaned"):
105          # Count current certificates
106          machine.succeed("test $(ls /run/privoxy/certs | wc -l) -gt 0")
107          # Forward in time 12 days, trigger the timer..
108          machine.succeed("date -s \"$(date --date '12 days')\"")
109          machine.systemctl("start systemd-tmpfiles-clean")
110          # ...and count again
111          machine.succeed("test $(ls /run/privoxy/certs | wc -l) -eq 0")
112    '';
113})