1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-24 22:50:49 +00:00
nixpkgs/nixos/tests/ferm.nix
Uli Baum 5e7b7b805a nixos/tests/ferm: disable dhcpcd
The test failed in one run on Hydra, logs look like
dhcpcd changed ipv6 routing at just the wrong time.
Disable dhcpcd. It's not needed, the test uses static IPs anyway.
2018-09-21 01:17:41 +02:00

75 lines
2.2 KiB
Nix

import ./make-test.nix ({ pkgs, ...} : {
name = "ferm";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mic92 ];
};
nodes =
{ client =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
};
};
server =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
};
services = {
ferm.enable = true;
ferm.config = ''
domain (ip ip6) table filter chain INPUT {
interface lo ACCEPT;
proto tcp dport 8080 REJECT reject-with tcp-reset;
}
'';
nginx.enable = true;
nginx.httpConfig = ''
server {
listen 80;
listen [::]:80;
listen 8080;
listen [::]:8080;
location /status { stub_status on; }
}
'';
};
};
};
testScript =
''
startAll;
$client->waitForUnit("network-online.target");
$server->waitForUnit("ferm.service");
$server->waitForUnit("nginx.service");
$server->waitUntilSucceeds("ss -ntl | grep -q 80");
subtest "port 80 is allowed", sub {
$client->succeed("curl --fail -g http://192.168.1.1:80/status");
$client->succeed("curl --fail -g http://[fd00::1]:80/status");
};
subtest "port 8080 is not allowed", sub {
$server->succeed("curl --fail -g http://192.168.1.1:8080/status");
$server->succeed("curl --fail -g http://[fd00::1]:8080/status");
$client->fail("curl --fail -g http://192.168.1.1:8080/status");
$client->fail("curl --fail -g http://[fd00::1]:8080/status");
};
'';
})