commit 1905cd89f8ed8467c95e359595114aa3437a5ade · pyrox.dev/nixpkgs

+1 -1

nixos/tests/all-tests.nix

···

       502
        
         guacamole-server = handleTest ./guacamole-server.nix {};

     

       503
        
         guix = handleTest ./guix {};

     

       504
        
         gvisor = handleTest ./gvisor.nix {};

     

       505
       -
         h2o = discoverTests (import ./web-servers/h2o { inherit handleTestOn; });

     

       506
        
         hadoop = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop; };

     

       507
        
         hadoop_3_3 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop_3_3; };

     

       508
        
         hadoop2 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop2; };

···

       502
        
         guacamole-server = handleTest ./guacamole-server.nix {};

     

       503
        
         guix = handleTest ./guix {};

     

       504
        
         gvisor = handleTest ./gvisor.nix {};

     

       505
       +
         h2o = import ./web-servers/h2o { inherit recurseIntoAttrs runTest; };

     

       506
        
         hadoop = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop; };

     

       507
        
         hadoop_3_3 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop_3_3; };

     

       508
        
         hadoop2 = import ./hadoop { inherit handleTestOn; package=pkgs.hadoop2; };

+112 -114

nixos/tests/web-servers/h2o/basic.nix

···

       1
       -
       import ../../make-test-python.nix (

     

       2
       -
         { lib, pkgs, ... }:

     

       3
        
       

     

       4
       -
         # Tests basics such as TLS, creating a mime-type & serving Unicode characters.

     

       5
        
       

     

       6
       -
         let

     

       7
       -
           domain = {

     

       8
       -
             HTTP = "h2o.local";

     

       9
       -
             TLS = "acme.test";

     

       10
       -
           };

     

       11
        
       

     

       12
       -
           port = {

     

       13
       -
             HTTP = 8080;

     

       14
       -
             TLS = 8443;

     

       15
       -
           };

     

       16
        
       

     

       17
       -
           sawatdi_chao_lok = "สวัสดีชาวโลก";

     

       18
        
       

     

       19
       -
           hello_world_txt = pkgs.writeTextFile {

     

       20
       -
             name = "/hello_world.txt";

     

       21
       -
             text = sawatdi_chao_lok;

     

       22
       -
           };

     

       23
        
       

     

       24
       -
           hello_world_rst = pkgs.writeTextFile {

     

       25
       -
             name = "/hello_world.rst";

     

       26
       -
             text = # rst

     

       27
       -
               ''

     

       28
       -
                 ====================

     

       29
       -
                 Thaiger Sprint 2025‼

     

       30
       -
                 ====================

     

       31
        
       

     

       32
       -
                 ${sawatdi_chao_lok}

     

       33
       -
               '';

     

       34
       -
           };

     

       35
       -
         in

     

       36
       -
         {

     

       37
       -
           name = "h2o-basic";

     

       38
        
       

     

       39
       -
           meta = {

     

       40
       -
             maintainers = with lib.maintainers; [ toastal ];

     

       41
       -
           };

     

       42
        
       

     

       43
       -
           nodes = {

     

       44
       -
             server =

     

       45
       -
               { pkgs, ... }:

     

       46
       -
               {

     

       47
       -
                 services.h2o = {

     

       48
       -
                   enable = true;

     

       49
       -
                   defaultHTTPListenPort = port.HTTP;

     

       50
       -
                   defaultTLSListenPort = port.TLS;

     

       51
       -
                   hosts = {

     

       52
       -
                     "${domain.HTTP}" = {

     

       53
       -
                       settings = {

     

       54
       -
                         paths = {

     

       55
       -
                           "/hello_world.txt" = {

     

       56
       -
                             "file.file" = "${hello_world_txt}";

     

       57
       -
                           };

     

       58
        
                         };

     

       59
        
                       };

     

       60
        
                     };

     

       61
       -
                     "${domain.TLS}" = {

     

       62
       -
                       tls = {

     

       63
       -
                         policy = "force";

     

       64
       -
                         identity = [

     

       65
       -
                           {

     

       66
       -
                             key-file = ../../common/acme/server/acme.test.key.pem;

     

       67
       -
                             certificate-file = ../../common/acme/server/acme.test.cert.pem;

     

       68
       -
                           }

     

       69
       -
                         ];

     

       70
       -
                         extraSettings = {

     

       71
       -
                           minimum-version = "TLSv1.3";

     

       72
       -
                         };

     

       73
        
                       };

     

       74
       -
                       settings = {

     

       75
       -
                         paths = {

     

       76
       -
                           "/hello_world.rst" = {

     

       77
       -
                             "file.file" = "${hello_world_rst}";

     

       78
       -
                           };

     

       79
        
                         };

     

       80
        
                       };

     

       81
        
                     };

     

       82
        
                   };

     

       83
       -
                   settings = {

     

       84
       -
                     compress = "ON";

     

       85
       -
                     compress-minimum-size = 32;

     

       86
       -
                     "file.mime.addtypes" = {

     

       87
       -
                       "text/x-rst" = {

     

       88
       -
                         extensions = [ ".rst" ];

     

       89
       -
                         is_compressible = "YES";

     

       90
       -
                       };

     

       91
        
                     };

     

       92
       -
                     ssl-offload = "kernel";

     

       93
        
                   };

     

       0
        
       
     

       94
        
                 };

     

       0
        
       
     

       95
        
       

     

       96
       -
                 security.pki.certificates = [

     

       97
       -
                   (builtins.readFile ../../common/acme/server/ca.cert.pem)

     

       98
       -
                 ];

     

       99
        
       

     

       100
       -
                 networking = {

     

       101
       -
                   firewall.allowedTCPPorts = with port; [

     

       102
       -
                     HTTP

     

       103
       -
                     TLS

     

       104
       -
                   ];

     

       105
       -
                   extraHosts = ''

     

       106
       -
                     127.0.0.1 ${domain.HTTP}

     

       107
       -
                     127.0.0.1 ${domain.TLS}

     

       108
       -
                   '';

     

       109
       -
                 };

     

       110
        
               };

     

       111
       -
           };

     

       0
        
       
     

       112
        
       

     

       113
       -
           testScript =

     

       114
       -
             let

     

       115
       -
               portStrHTTP = builtins.toString port.HTTP;

     

       116
       -
               portStrTLS = builtins.toString port.TLS;

     

       117
       -
             in

     

       118
       -
             # python

     

       119
       -
             ''

     

       120
       -
               server.wait_for_unit("h2o.service")

     

       121
       -
               server.wait_for_open_port(${portStrHTTP})

     

       122
       -
               server.wait_for_open_port(${portStrTLS})

     

       123
        
       

     

       124
       -
               http_hello_world_body = server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")

     

       125
       -
               assert "${sawatdi_chao_lok}" in http_hello_world_body

     

       126
        
       

     

       127
       -
               tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

     

       128
       -
               assert "http/2 200" in tls_hello_world_head

     

       129
       -
               assert "server: h2o" in tls_hello_world_head

     

       130
       -
               assert "content-type: text/x-rst" in tls_hello_world_head

     

       131
        
       

     

       132
       -
               tls_hello_world_body = server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

     

       133
       -
               assert "${sawatdi_chao_lok}" in tls_hello_world_body

     

       134
        
       

     

       135
       -
               tls_hello_world_head_redirected = server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${builtins.toString port.HTTP}/hello_world.rst'").lower()

     

       136
       -
               assert "redirected" in tls_hello_world_head_redirected

     

       137
        
       

     

       138
       -
               server.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

     

       139
        
       

     

       140
       -
               tls_hello_world_body_redirected = server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

     

       141
       -
               assert "${sawatdi_chao_lok}" in tls_hello_world_body_redirected

     

       142
       -
             '';

     

       143
       -
         }

     

       144
       -
       )

···

       1
       +
       { hostPkgs, lib, ... }:

     

       0
        
       
     

       2
        
       

     

       3
       +
       # Tests basics such as TLS, creating a mime-type & serving Unicode characters.

     

       4
        
       

     

       5
       +
       let

     

       6
       +
         domain = {

     

       7
       +
           HTTP = "h2o.local";

     

       8
       +
           TLS = "acme.test";

     

       9
       +
         };

     

       10
        
       

     

       11
       +
         port = {

     

       12
       +
           HTTP = 8080;

     

       13
       +
           TLS = 8443;

     

       14
       +
         };

     

       15
        
       

     

       16
       +
         sawatdi_chao_lok = "สวัสดีชาวโลก";

     

       17
        
       

     

       18
       +
         hello_world_txt = hostPkgs.writeTextFile {

     

       19
       +
           name = "/hello_world.txt";

     

       20
       +
           text = sawatdi_chao_lok;

     

       21
       +
         };

     

       22
        
       

     

       23
       +
         hello_world_rst = hostPkgs.writeTextFile {

     

       24
       +
           name = "/hello_world.rst";

     

       25
       +
           text = # rst

     

       26
       +
             ''

     

       27
       +
               ====================

     

       28
       +
               Thaiger Sprint 2025‼

     

       29
       +
               ====================

     

       30
        
       

     

       31
       +
               ${sawatdi_chao_lok}

     

       32
       +
             '';

     

       33
       +
         };

     

       34
       +
       in

     

       35
       +
       {

     

       36
       +
         name = "h2o-basic";

     

       37
        
       

     

       38
       +
         meta = {

     

       39
       +
           maintainers = with lib.maintainers; [ toastal ];

     

       40
       +
         };

     

       41
        
       

     

       42
       +
         nodes = {

     

       43
       +
           server =

     

       44
       +
             { pkgs, ... }:

     

       45
       +
             {

     

       46
       +
               services.h2o = {

     

       47
       +
                 enable = true;

     

       48
       +
                 defaultHTTPListenPort = port.HTTP;

     

       49
       +
                 defaultTLSListenPort = port.TLS;

     

       50
       +
                 hosts = {

     

       51
       +
                   "${domain.HTTP}" = {

     

       52
       +
                     settings = {

     

       53
       +
                       paths = {

     

       54
       +
                         "/hello_world.txt" = {

     

       55
       +
                           "file.file" = "${hello_world_txt}";

     

       0
        
       
     

       56
        
                         };

     

       57
        
                       };

     

       58
        
                     };

     

       59
       +
                   };

     

       60
       +
                   "${domain.TLS}" = {

     

       61
       +
                     tls = {

     

       62
       +
                       policy = "force";

     

       63
       +
                       identity = [

     

       64
       +
                         {

     

       65
       +
                           key-file = ../../common/acme/server/acme.test.key.pem;

     

       66
       +
                           certificate-file = ../../common/acme/server/acme.test.cert.pem;

     

       67
       +
                         }

     

       68
       +
                       ];

     

       69
       +
                       extraSettings = {

     

       70
       +
                         minimum-version = "TLSv1.3";

     

       71
        
                       };

     

       72
       +
                     };

     

       73
       +
                     settings = {

     

       74
       +
                       paths = {

     

       75
       +
                         "/hello_world.rst" = {

     

       76
       +
                           "file.file" = "${hello_world_rst}";

     

       77
        
                         };

     

       78
        
                       };

     

       79
        
                     };

     

       80
        
                   };

     

       81
       +
                 };

     

       82
       +
                 settings = {

     

       83
       +
                   compress = "ON";

     

       84
       +
                   compress-minimum-size = 32;

     

       85
       +
                   "file.mime.addtypes" = {

     

       86
       +
                     "text/x-rst" = {

     

       87
       +
                       extensions = [ ".rst" ];

     

       88
       +
                       is_compressible = "YES";

     

       89
        
                     };

     

       0
        
       
     

       90
        
                   };

     

       91
       +
                   ssl-offload = "kernel";

     

       92
        
                 };

     

       93
       +
               };

     

       94
        
       

     

       95
       +
               security.pki.certificates = [

     

       96
       +
                 (builtins.readFile ../../common/acme/server/ca.cert.pem)

     

       97
       +
               ];

     

       98
        
       

     

       99
       +
               networking = {

     

       100
       +
                 firewall.allowedTCPPorts = with port; [

     

       101
       +
                   HTTP

     

       102
       +
                   TLS

     

       103
       +
                 ];

     

       104
       +
                 extraHosts = ''

     

       105
       +
                   127.0.0.1 ${domain.HTTP}

     

       106
       +
                   127.0.0.1 ${domain.TLS}

     

       107
       +
                 '';

     

       0
        
       
     

       108
        
               };

     

       109
       +
             };

     

       110
       +
         };

     

       111
        
       

     

       112
       +
         testScript =

     

       113
       +
           let

     

       114
       +
             portStrHTTP = builtins.toString port.HTTP;

     

       115
       +
             portStrTLS = builtins.toString port.TLS;

     

       116
       +
           in

     

       117
       +
           # python

     

       118
       +
           ''

     

       119
       +
             server.wait_for_unit("h2o.service")

     

       120
       +
             server.wait_for_open_port(${portStrHTTP})

     

       121
       +
             server.wait_for_open_port(${portStrTLS})

     

       122
        
       

     

       123
       +
             http_hello_world_body = server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")

     

       124
       +
             assert "${sawatdi_chao_lok}" in http_hello_world_body

     

       125
        
       

     

       126
       +
             tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()

     

       127
       +
             assert "http/2 200" in tls_hello_world_head

     

       128
       +
             assert "server: h2o" in tls_hello_world_head

     

       129
       +
             assert "content-type: text/x-rst" in tls_hello_world_head

     

       130
        
       

     

       131
       +
             tls_hello_world_body = server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")

     

       132
       +
             assert "${sawatdi_chao_lok}" in tls_hello_world_body

     

       133
        
       

     

       134
       +
             tls_hello_world_head_redirected = server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${builtins.toString port.HTTP}/hello_world.rst'").lower()

     

       135
       +
             assert "redirected" in tls_hello_world_head_redirected

     

       136
        
       

     

       137
       +
             server.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

     

       138
        
       

     

       139
       +
             tls_hello_world_body_redirected = server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")

     

       140
       +
             assert "${sawatdi_chao_lok}" in tls_hello_world_body_redirected

     

       141
       +
           '';

     

       142
       +
       }

     

       0

+5 -15

nixos/tests/web-servers/h2o/default.nix

···

       1
       -
       {

     

       2
       -
         system ? builtins.currentSystem,

     

       3
       -
         handleTestOn,

     

       4
       -
       }:

     

       5
        
       

     

       6
       -
       let

     

       7
       -
         supportedSystems = [

     

       8
       -
           "x86_64-linux"

     

       9
       -
           "i686-linux"

     

       10
       -
           "aarch64-linux"

     

       11
       -
         ];

     

       12
       -
       in

     

       13
       -
       {

     

       14
       -
         basic = handleTestOn supportedSystems ./basic.nix { inherit system; };

     

       15
       -
         mruby = handleTestOn supportedSystems ./mruby.nix { inherit system; };

     

       16
       -
         tls-recommendations = handleTestOn supportedSystems ./tls-recommendations.nix { inherit system; };

     

       17
        
       }

···

       1
       +
       { recurseIntoAttrs, runTest }:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       2
        
       

     

       3
       +
       recurseIntoAttrs {

     

       4
       +
         basic = runTest ./basic.nix;

     

       5
       +
         mruby = runTest ./mruby.nix;

     

       6
       +
         tls-recommendations = runTest ./tls-recommendations.nix;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       7
        
       }

+53 -55

nixos/tests/web-servers/h2o/mruby.nix

···

       1
       -
       import ../../make-test-python.nix (

     

       2
       -
         { lib, pkgs, ... }:

     

       3
        
       

     

       4
       -
         let

     

       5
       -
           domain = "h2o.local";

     

       6
        
       

     

       7
       -
           port = 8080;

     

       8
        
       

     

       9
       -
           sawatdi_chao_lok = "สวัสดีชาวโลก";

     

       10
       -
         in

     

       11
       -
         {

     

       12
       -
           name = "h2o-mruby";

     

       13
        
       

     

       14
       -
           meta = {

     

       15
       -
             maintainers = with lib.maintainers; [ toastal ];

     

       16
       -
           };

     

       17
        
       

     

       18
       -
           nodes = {

     

       19
       -
             server =

     

       20
       -
               { pkgs, ... }:

     

       21
       -
               {

     

       22
       -
                 services.h2o = {

     

       23
       -
                   enable = true;

     

       24
       -
                   package = pkgs.h2o.override { withMruby = true; };

     

       25
       -
                   settings = {

     

       26
       -
                     listen = port;

     

       27
       -
                     hosts = {

     

       28
       -
                       "${domain}" = {

     

       29
       -
                         paths = {

     

       30
       -
                           "/hello_world" = {

     

       31
       -
                             "mruby.handler" = # ruby

     

       32
       -
                               ''

     

       33
       -
                                 Proc.new do |env|

     

       34
       -
                                   [200, {'content-type' => 'text/plain'}, ["${sawatdi_chao_lok}"]]

     

       35
       -
                                 end

     

       36
       -
                               '';

     

       37
       -
                           };

     

       38
       -
                           "/file_handler" = {

     

       39
       -
                             "mruby.handler-file" = ./file_handler.rb;

     

       40
       -
                           };

     

       41
        
                         };

     

       42
        
                       };

     

       43
        
                     };

     

       44
        
                   };

     

       45
        
                 };

     

       46
       -
       

     

       47
       -
                 networking.extraHosts = ''

     

       48
       -
                   127.0.0.1 ${domain}

     

       49
       -
                 '';

     

       50
        
               };

     

       51
       -
           };

     

       52
        
       

     

       53
       -
           testScript =

     

       54
       -
             let

     

       55
       -
               portStr = builtins.toString port;

     

       56
       -
             in

     

       57
       -
             # python

     

       58
       -
             ''

     

       59
       -
               server.wait_for_unit("h2o.service")

     

       60
       -
               server.wait_for_open_port(${portStr})

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       61
        
       

     

       62
       -
               hello_world = server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world")

     

       63
       -
               assert "${sawatdi_chao_lok}" in hello_world

     

       64
        
       

     

       65
       -
               file_handler = server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler")

     

       66
       -
               assert "FILE_HANDLER" in file_handler

     

       67
       -
             '';

     

       68
       -
         }

     

       69
       -
       )

···

       1
       +
       { lib, ... }:

     

       0
        
       
     

       2
        
       

     

       3
       +
       let

     

       4
       +
         domain = "h2o.local";

     

       5
        
       

     

       6
       +
         port = 8080;

     

       7
        
       

     

       8
       +
         sawatdi_chao_lok = "สวัสดีชาวโลก";

     

       9
       +
       in

     

       10
       +
       {

     

       11
       +
         name = "h2o-mruby";

     

       12
        
       

     

       13
       +
         meta = {

     

       14
       +
           maintainers = with lib.maintainers; [ toastal ];

     

       15
       +
         };

     

       16
        
       

     

       17
       +
         nodes = {

     

       18
       +
           server =

     

       19
       +
             { pkgs, ... }:

     

       20
       +
             {

     

       21
       +
               services.h2o = {

     

       22
       +
                 enable = true;

     

       23
       +
                 package = pkgs.h2o.override { withMruby = true; };

     

       24
       +
                 settings = {

     

       25
       +
                   listen = port;

     

       26
       +
                   hosts = {

     

       27
       +
                     "${domain}" = {

     

       28
       +
                       paths = {

     

       29
       +
                         "/hello_world" = {

     

       30
       +
                           "mruby.handler" = # ruby

     

       31
       +
                             ''

     

       32
       +
                               Proc.new do |env|

     

       33
       +
                                 [200, {'content-type' => 'text/plain'}, ["${sawatdi_chao_lok}"]]

     

       34
       +
                               end

     

       35
       +
                             '';

     

       36
       +
                         };

     

       37
       +
                         "/file_handler" = {

     

       38
       +
                           "mruby.handler-file" = ./file_handler.rb;

     

       0
        
       
     

       39
        
                         };

     

       40
        
                       };

     

       41
        
                     };

     

       42
        
                   };

     

       43
        
                 };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       44
        
               };

     

       0
        
       
     

       45
        
       

     

       46
       +
               networking.extraHosts = ''

     

       47
       +
                 127.0.0.1 ${domain}

     

       48
       +
               '';

     

       49
       +
             };

     

       50
       +
         };

     

       51
       +
       

     

       52
       +
         testScript =

     

       53
       +
           let

     

       54
       +
             portStr = builtins.toString port;

     

       55
       +
           in

     

       56
       +
           # python

     

       57
       +
           ''

     

       58
       +
             server.wait_for_unit("h2o.service")

     

       59
       +
             server.wait_for_open_port(${portStr})

     

       60
        
       

     

       61
       +
             hello_world = server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world")

     

       62
       +
             assert "${sawatdi_chao_lok}" in hello_world

     

       63
        
       

     

       64
       +
             file_handler = server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler")

     

       65
       +
             assert "FILE_HANDLER" in file_handler

     

       66
       +
           '';

     

       67
       +
       }

     

       0

+101 -103

nixos/tests/web-servers/h2o/tls-recommendations.nix

···

       1
       -
       import ../../make-test-python.nix (

     

       2
       -
         { lib, pkgs, ... }:

     

       3
        
       

     

       4
       -
         let

     

       5
       -
           domain = "acme.test";

     

       6
       -
           port = 8443;

     

       7
        
       

     

       8
       -
           hello_txt =

     

       9
       -
             name:

     

       10
       -
             pkgs.writeTextFile {

     

       11
       -
               name = "/hello_${name}.txt";

     

       12
       -
               text = "Hello, ${name}!";

     

       13
       -
             };

     

       14
        
       

     

       15
       -
           mkH2OServer =

     

       16
       -
             recommendations:

     

       17
       -
             { pkgs, lib, ... }:

     

       18
       -
             {

     

       19
       -
               services.h2o = {

     

       20
       -
                 enable = true;

     

       21
       -
                 package = pkgs.h2o.override (

     

       22
       -
                   lib.optionalAttrs

     

       23
       -
                     (builtins.elem recommendations [

     

       24
       -
                       "intermediate"

     

       25
       -
                       "old"

     

       26
       -
                     ])

     

       27
       -
                     {

     

       28
       -
                       openssl = pkgs.openssl_legacy;

     

       29
       -
                     }

     

       30
       -
                 );

     

       31
       -
                 defaultTLSRecommendations = "modern"; # prove overridden

     

       32
       -
                 hosts = {

     

       33
       -
                   "${domain}" = {

     

       34
       -
                     tls = {

     

       35
       -
                       inherit port recommendations;

     

       36
       -
                       policy = "force";

     

       37
       -
                       identity = [

     

       38
       -
                         {

     

       39
       -
                           key-file = ../../common/acme/server/acme.test.key.pem;

     

       40
       -
                           certificate-file = ../../common/acme/server/acme.test.cert.pem;

     

       41
       -
                         }

     

       42
       -
                       ];

     

       43
       -
                     };

     

       44
       -
                     settings = {

     

       45
       -
                       paths."/"."file.file" = "${hello_txt recommendations}";

     

       46
       -
                     };

     

       47
        
                   };

     

       48
        
                 };

     

       49
       -
                 settings = {

     

       50
       -
                   ssl-offload = "kernel";

     

       51
       -
                 };

     

       52
        
               };

     

       53
       -
       

     

       54
       -
               security.pki.certificates = [

     

       55
       -
                 (builtins.readFile ../../common/acme/server/ca.cert.pem)

     

       56
       -
               ];

     

       57
       -
       

     

       58
       -
               networking = {

     

       59
       -
                 firewall.allowedTCPPorts = [ port ];

     

       60
       -
                 extraHosts = "127.0.0.1 ${domain}";

     

       61
        
               };

     

       62
        
             };

     

       63
       -
         in

     

       64
       -
         {

     

       65
       -
           name = "h2o-tls-recommendations";

     

       66
        
       

     

       67
       -
           meta = {

     

       68
       -
             maintainers = with lib.maintainers; [ toastal ];

     

       69
       -
           };

     

       70
        
       

     

       71
       -
           nodes = {

     

       72
       -
             server_modern = mkH2OServer "modern";

     

       73
       -
             server_intermediate = mkH2OServer "intermediate";

     

       74
       -
             server_old = mkH2OServer "old";

     

       75
        
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       76
        
       

     

       77
       -
           testScript =

     

       78
       -
             let

     

       79
       -
               portStr = builtins.toString port;

     

       80
       -
             in

     

       81
       -
             # python

     

       82
       -
             ''

     

       83
       -
               curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:${portStr}/'"

     

       84
       -
               curl_head = "curl -v --head 'https://${domain}:${portStr}/'"

     

       85
       -
               curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:${portStr}/'"

     

       86
       -
               curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:${portStr}/'"

     

       87
       -
               curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:${portStr}/'"

     

       88
        
       

     

       89
       -
               server_modern.wait_for_unit("h2o.service")

     

       90
       -
               server_modern.wait_for_open_port(${portStr})

     

       91
       -
               modern_response = server_modern.succeed(curl_basic)

     

       92
       -
               assert "Hello, modern!" in modern_response

     

       93
       -
               modern_head = server_modern.succeed(curl_head)

     

       94
       -
               assert "strict-transport-security" in modern_head

     

       95
       -
               server_modern.fail(curl_max_tls1_2)

     

       96
        
       

     

       97
       -
               server_intermediate.wait_for_unit("h2o.service")

     

       98
       -
               server_intermediate.wait_for_open_port(${portStr})

     

       99
       -
               intermediate_response = server_intermediate.succeed(curl_basic)

     

       100
       -
               assert "Hello, intermediate!" in intermediate_response

     

       101
       -
               intermediate_head = server_modern.succeed(curl_head)

     

       102
       -
               assert "strict-transport-security" in intermediate_head

     

       103
       -
               server_intermediate.succeed(curl_max_tls1_2)

     

       104
       -
               server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher)

     

       105
       -
               server_intermediate.fail(curl_max_tls1_2_old_cipher)

     

       0
        
       
     

       0
        
       
     

       106
        
       

     

       107
       -
               server_old.wait_for_unit("h2o.service")

     

       108
       -
               server_old.wait_for_open_port(${portStr})

     

       109
       -
               old_response = server_old.succeed(curl_basic)

     

       110
       -
               assert "Hello, old!" in old_response

     

       111
       -
               old_head = server_modern.succeed(curl_head)

     

       112
       -
               assert "strict-transport-security" in old_head

     

       113
       -
               server_old.succeed(curl_max_tls1_2)

     

       114
       -
               server_old.succeed(curl_max_tls1_2_intermediate_cipher)

     

       115
       -
               server_old.succeed(curl_max_tls1_2_old_cipher)

     

       116
       -
             '';

     

       117
       -
         }

     

       118
       -
       )

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0

···

       1
       +
       { hostPkgs, lib, ... }:

     

       0
        
       
     

       2
        
       

     

       3
       +
       let

     

       4
       +
         domain = "acme.test";

     

       5
       +
         port = 8443;

     

       6
        
       

     

       7
       +
         hello_txt =

     

       8
       +
           name:

     

       9
       +
           hostPkgs.writeTextFile {

     

       10
       +
             name = "/hello_${name}.txt";

     

       11
       +
             text = "Hello, ${name}!";

     

       12
       +
           };

     

       13
        
       

     

       14
       +
         mkH2OServer =

     

       15
       +
           recommendations:

     

       16
       +
           { pkgs, lib, ... }:

     

       17
       +
           {

     

       18
       +
             services.h2o = {

     

       19
       +
               enable = true;

     

       20
       +
               package = pkgs.h2o.override (

     

       21
       +
                 lib.optionalAttrs

     

       22
       +
                   (builtins.elem recommendations [

     

       23
       +
                     "intermediate"

     

       24
       +
                     "old"

     

       25
       +
                   ])

     

       26
       +
                   {

     

       27
       +
                     openssl = pkgs.openssl_legacy;

     

       28
       +
                   }

     

       29
       +
               );

     

       30
       +
               defaultTLSRecommendations = "modern"; # prove overridden

     

       31
       +
               hosts = {

     

       32
       +
                 "${domain}" = {

     

       33
       +
                   tls = {

     

       34
       +
                     inherit port recommendations;

     

       35
       +
                     policy = "force";

     

       36
       +
                     identity = [

     

       37
       +
                       {

     

       38
       +
                         key-file = ../../common/acme/server/acme.test.key.pem;

     

       39
       +
                         certificate-file = ../../common/acme/server/acme.test.cert.pem;

     

       40
       +
                       }

     

       41
       +
                     ];

     

       42
       +
                   };

     

       43
       +
                   settings = {

     

       44
       +
                     paths."/"."file.file" = "${hello_txt recommendations}";

     

       0
        
       
     

       45
        
                   };

     

       46
        
                 };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       47
        
               };

     

       48
       +
               settings = {

     

       49
       +
                 ssl-offload = "kernel";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       50
        
               };

     

       51
        
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       52
        
       

     

       53
       +
             security.pki.certificates = [

     

       54
       +
               (builtins.readFile ../../common/acme/server/ca.cert.pem)

     

       55
       +
             ];

     

       56
        
       

     

       57
       +
             networking = {

     

       58
       +
               firewall.allowedTCPPorts = [ port ];

     

       59
       +
               extraHosts = "127.0.0.1 ${domain}";

     

       60
       +
             };

     

       61
        
           };

     

       62
       +
       in

     

       63
       +
       {

     

       64
       +
         name = "h2o-tls-recommendations";

     

       65
        
       

     

       66
       +
         meta = {

     

       67
       +
           maintainers = with lib.maintainers; [ toastal ];

     

       68
       +
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       69
        
       

     

       70
       +
         nodes = {

     

       71
       +
           server_modern = mkH2OServer "modern";

     

       72
       +
           server_intermediate = mkH2OServer "intermediate";

     

       73
       +
           server_old = mkH2OServer "old";

     

       74
       +
         };

     

       0
        
       
     

       0
        
       
     

       75
        
       

     

       76
       +
         testScript =

     

       77
       +
           let

     

       78
       +
             portStr = builtins.toString port;

     

       79
       +
           in

     

       80
       +
           # python

     

       81
       +
           ''

     

       82
       +
             curl_basic = "curl -v --tlsv1.3 --http2 'https://${domain}:${portStr}/'"

     

       83
       +
             curl_head = "curl -v --head 'https://${domain}:${portStr}/'"

     

       84
       +
             curl_max_tls1_2 ="curl -v --tlsv1.0 --tls-max 1.2 'https://${domain}:${portStr}/'"

     

       85
       +
             curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:${portStr}/'"

     

       86
       +
             curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:${portStr}/'"

     

       87
        
       

     

       88
       +
             server_modern.wait_for_unit("h2o.service")

     

       89
       +
             server_modern.wait_for_open_port(${portStr})

     

       90
       +
             modern_response = server_modern.succeed(curl_basic)

     

       91
       +
             assert "Hello, modern!" in modern_response

     

       92
       +
             modern_head = server_modern.succeed(curl_head)

     

       93
       +
             assert "strict-transport-security" in modern_head

     

       94
       +
             server_modern.fail(curl_max_tls1_2)

     

       95
       +
       

     

       96
       +
             server_intermediate.wait_for_unit("h2o.service")

     

       97
       +
             server_intermediate.wait_for_open_port(${portStr})

     

       98
       +
             intermediate_response = server_intermediate.succeed(curl_basic)

     

       99
       +
             assert "Hello, intermediate!" in intermediate_response

     

       100
       +
             intermediate_head = server_modern.succeed(curl_head)

     

       101
       +
             assert "strict-transport-security" in intermediate_head

     

       102
       +
             server_intermediate.succeed(curl_max_tls1_2)

     

       103
       +
             server_intermediate.succeed(curl_max_tls1_2_intermediate_cipher)

     

       104
       +
             server_intermediate.fail(curl_max_tls1_2_old_cipher)

     

       105
       +
       

     

       106
       +
             server_old.wait_for_unit("h2o.service")

     

       107
       +
             server_old.wait_for_open_port(${portStr})

     

       108
       +
             old_response = server_old.succeed(curl_basic)

     

       109
       +
             assert "Hello, old!" in old_response

     

       110
       +
             old_head = server_modern.succeed(curl_head)

     

       111
       +
             assert "strict-transport-security" in old_head

     

       112
       +
             server_old.succeed(curl_max_tls1_2)

     

       113
       +
             server_old.succeed(curl_max_tls1_2_intermediate_cipher)

     

       114
       +
             server_old.succeed(curl_max_tls1_2_old_cipher)

     

       115
       +
           '';

     

       116
       +
       }