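# NixOS VM test for the ferm firewall.
#
# Topology: a `server` node runs ferm and nginx (nginx listens on 80 and 8080),
# a `client` node shares the eth1 link with it. The test checks that ferm
# actually installs its rules: port 80 is reachable from the client, port 8080
# is rejected for the client but still reachable from the server itself via lo.
{ pkgs, ... }:
{
  name = "ferm";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ mic92 ];
  };

  nodes = {
    client =
      { pkgs, ... }:
      with pkgs.lib;
      {
        networking = {
          dhcpcd.enable = false;
          # Priority 0 (mkOverride 0) wins over any other definition of these
          # options, so eth1 gets exactly these static addresses.
          interfaces.eth1.ipv6.addresses = mkOverride 0 [
            {
              address = "fd00::2";
              prefixLength = 64;
            }
          ];
          interfaces.eth1.ipv4.addresses = mkOverride 0 [
            {
              address = "192.168.1.2";
              prefixLength = 24;
            }
          ];
        };
      };
    server =
      { pkgs, ... }:
      with pkgs.lib;
      {
        networking = {
          dhcpcd.enable = false;
          useNetworkd = true;
          useDHCP = false;
          # Same static addressing as the client, on the other end of eth1.
          interfaces.eth1.ipv6.addresses = mkOverride 0 [
            {
              address = "fd00::1";
              prefixLength = 64;
            }
          ];
          interfaces.eth1.ipv4.addresses = mkOverride 0 [
            {
              address = "192.168.1.1";
              prefixLength = 24;
            }
          ];
        };

        services = {
          ferm.enable = true;
          # Test fixture, not a hardening profile: no chain policy is set here,
          # so only TCP/8080 is rejected and everything else (port 80 included)
          # stays reachable -- the test below depends on that. The `interface lo
          # ACCEPT` rule comes first and is what lets the server reach its own
          # port 8080 while the client cannot.
          ferm.config = ''
            domain (ip ip6) table filter chain INPUT {
              interface lo ACCEPT;
              proto tcp dport 8080 REJECT reject-with tcp-reset;
            }
          '';
          nginx.enable = true;
          # nginx binds 80 and 8080 on both address families; /status is a
          # cheap endpoint for the reachability probes.
          nginx.httpConfig = ''
            server {
              listen 80;
              listen [::]:80;
              listen 8080;
              listen [::]:8080;

              location /status { stub_status on; }
            }
          '';
        };
      };
  };

  # Flow: bring both nodes online, wait for ferm and nginx, then wait until
  # nginx is really listening before probing. The `ss` check matches the
  # local-address column (":80 " followed by whitespace) rather than a bare
  # "80", which would also match 8080 and could let the probes start before
  # port 80 is bound. `curl -g` disables URL globbing so the bracketed IPv6
  # literal is passed through unchanged.
  testScript = ''
    start_all()

    client.systemctl("start network-online.target")
    server.systemctl("start network-online.target")
    client.wait_for_unit("network-online.target")
    server.wait_for_unit("network-online.target")
    server.wait_for_unit("ferm.service")
    server.wait_for_unit("nginx.service")
    server.wait_until_succeeds("ss -ntl | grep -q ':80 '")

    with subtest("port 80 is allowed"):
        client.succeed("curl --fail -g http://192.168.1.1:80/status")
        client.succeed("curl --fail -g http://[fd00::1]:80/status")

    with subtest("port 8080 is not allowed"):
        server.succeed("curl --fail -g http://192.168.1.1:8080/status")
        server.succeed("curl --fail -g http://[fd00::1]:8080/status")

        client.fail("curl --fail -g http://192.168.1.1:8080/status")
        client.fail("curl --fail -g http://[fd00::1]:8080/status")
  '';
}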