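# NixOS VM test for the ferm firewall service.
#
# Two nodes share a network on eth1 (IPv4 192.168.1.0/24, IPv6 fd00::/64).
# The server runs nginx on ports 80 and 8080 and a ferm ruleset that rejects
# inbound TCP to port 8080. The test checks, over both address families, that
# port 80 is reachable from the client while port 8080 is reachable only from
# the server itself.
import ./make-test-python.nix (
  { pkgs, ... }:
  {
    name = "ferm";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ mic92 ];
    };

    nodes = {
      # Remote peer: carries no firewall configuration of its own and is used
      # only to probe the server from the outside.
      client =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            dhcpcd.enable = false;
            # mkOverride 0 makes these static addresses take precedence over
            # any other definition of the same option.
            interfaces.eth1.ipv6.addresses = mkOverride 0 [
              {
                address = "fd00::2";
                prefixLength = 64;
              }
            ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [
              {
                address = "192.168.1.2";
                prefixLength = 24;
              }
            ];
          };
        };

      # System under test: ferm in front of nginx.
      server =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            dhcpcd.enable = false;
            useNetworkd = true;
            useDHCP = false;
            interfaces.eth1.ipv6.addresses = mkOverride 0 [
              {
                address = "fd00::1";
                prefixLength = 64;
              }
            ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [
              {
                address = "192.168.1.1";
                prefixLength = 24;
              }
            ];
          };

          services = {
            ferm.enable = true;
            # The ruleset covers both IPv4 and IPv6 ("domain (ip ip6)").
            # Rule order matters: loopback traffic is accepted before the
            # port 8080 reject is evaluated.
            #
            # NOTE(review): this is a minimal test fixture, not a hardening
            # baseline. It sets no chain policy and has no rule for port 80;
            # the test below relies on unmatched inbound traffic being let
            # through. A production INPUT chain would normally end in an
            # explicit default-deny.
            ferm.config = ''
              domain (ip ip6) table filter chain INPUT {
                interface lo ACCEPT;
                proto tcp dport 8080 REJECT reject-with tcp-reset;
              }
            '';
            nginx.enable = true;
            # nginx listens on both ports for both address families, so any
            # difference in reachability comes from the firewall and not
            # from the listener set.
            nginx.httpConfig = ''
              server {
                listen 80;
                listen [::]:80;
                listen 8080;
                listen [::]:8080;

                location /status { stub_status on; }
              }
            '';
          };
        };
    };

    # Test driver script (Python). Both the positive and the negative checks
    # run against IPv4 and IPv6 so that a rule applied to only one family
    # would be caught.
    testScript = ''
      start_all()

      client.systemctl("start network-online.target")
      server.systemctl("start network-online.target")
      client.wait_for_unit("network-online.target")
      server.wait_for_unit("network-online.target")
      server.wait_for_unit("ferm.service")
      server.wait_for_unit("nginx.service")
      # Match the port column exactly: a bare "80" pattern is also satisfied
      # by the 8080 listener (or any other field containing "80"), so it
      # would not prove that port 80 itself is listening.
      server.wait_until_succeeds("ss -ntl | grep -q ':80 '")

      with subtest("port 80 is allowed"):
          # Also establishes that client -> server connectivity works, so the
          # failures expected below can be attributed to the firewall.
          client.succeed("curl --fail -g http://192.168.1.1:80/status")
          client.succeed("curl --fail -g http://[fd00::1]:80/status")

      with subtest("port 8080 is not allowed"):
          # From the server itself the request is expected to succeed: this
          # shows nginx really serves 8080 and that local traffic is covered
          # by the "interface lo ACCEPT" rule.
          server.succeed("curl --fail -g http://192.168.1.1:8080/status")
          server.succeed("curl --fail -g http://[fd00::1]:8080/status")

          # From the client the same request must fail. fail() accepts any
          # non-zero exit status, so it does not distinguish a reset from
          # another kind of error.
          client.fail("curl --fail -g http://192.168.1.1:8080/status")
          client.fail("curl --fail -g http://[fd00::1]:8080/status")
    '';
  }
)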