2 import ./make-test-python.nix ({ pkgs, ...} : {
3   name = "ferm";
4   meta = with pkgs.lib.maintainers; {
5     maintainers = [ mic92 ];
6   };
8   nodes =
9     { client =
10         { pkgs, ... }:
11         with pkgs.lib;
12         {
13           networking = {
14             dhcpcd.enable = false;
15             interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
16             interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
17           };
18       };
19       server =
20         { pkgs, ... }:
21         with pkgs.lib;
22         {
23           networking = {
24             dhcpcd.enable = false;
25             useNetworkd = true;
26             useDHCP = false;
27             interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
28             interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
29           };
31           services = {
32             ferm.enable = true;
33             ferm.config = ''
34               domain (ip ip6) table filter chain INPUT {
35                 interface lo ACCEPT;
36                 proto tcp dport 8080 REJECT reject-with tcp-reset;
37               }
38             '';
39             nginx.enable = true;
40             nginx.httpConfig = ''
41               server {
42                 listen 80;
43                 listen [::]:80;
44                 listen 8080;
45                 listen [::]:8080;
47                 location /status { stub_status on; }
48               }
49             '';
50           };
51         };
52     };
54   testScript =
55     ''
56       start_all()
58       client.systemctl("start network-online.target")
59       server.systemctl("start network-online.target")
60       client.wait_for_unit("network-online.target")
61       server.wait_for_unit("network-online.target")
62       server.wait_for_unit("ferm.service")
63       server.wait_for_unit("nginx.service")
64       server.wait_until_succeeds("ss -ntl | grep -q 80")
66       with subtest("port 80 is allowed"):
67           client.succeed("curl --fail -g http://192.168.1.1:80/status")
68           client.succeed("curl --fail -g http://[fd00::1]:80/status")
70       with subtest("port 8080 is not allowed"):
71           server.succeed("curl --fail -g http://192.168.1.1:8080/status")
72           server.succeed("curl --fail -g http://[fd00::1]:8080/status")
74           client.fail("curl --fail -g http://192.168.1.1:8080/status")
75           client.fail("curl --fail -g http://[fd00::1]:8080/status")
76     '';