diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 22ff078c1cf5..bce5efb9346f 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -597,7 +597,7 @@ in }; haka = handleTest ./haka.nix { }; haste-server = handleTest ./haste-server.nix { }; - haproxy = handleTest ./haproxy.nix { }; + haproxy = runTest ./haproxy.nix; hardened = handleTest ./hardened.nix { }; harmonia = runTest ./harmonia.nix; headscale = handleTest ./headscale.nix { }; diff --git a/nixos/tests/haproxy.nix b/nixos/tests/haproxy.nix index b3cc19696d7c..bd8b9b288a22 100644 --- a/nixos/tests/haproxy.nix +++ b/nixos/tests/haproxy.nix @@ -1,140 +1,138 @@ -import ./make-test-python.nix ( - { lib, pkgs, ... }: - { - name = "haproxy"; - nodes = { - server = - { ... }: - { - services.haproxy = { - enable = true; - config = '' - global - limited-quic +{ lib, hostPkgs, ... }: +{ + name = "haproxy"; + nodes = { + server = + { pkgs, ... }: + { + services.haproxy = { + enable = true; + config = '' + global + limited-quic - defaults - mode http - timeout connect 10s - timeout client 10s - timeout server 10s + defaults + mode http + timeout connect 10s + timeout client 10s + timeout server 10s - log /dev/log local0 debug err - option logasap - option httplog - option httpslog + log /dev/log local0 debug err + option logasap + option httplog + option httpslog - backend http_server - server httpd [::1]:8000 alpn http/1.1 + backend http_server + server httpd [::1]:8000 alpn http/1.1 - frontend http - bind :80 - bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1 - bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt + frontend http + bind :80 + bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1 + bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt - http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc } + http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc } - http-request use-service prometheus-exporter if { path /metrics } - use_backend http_server + http-request use-service prometheus-exporter if { path /metrics } + use_backend http_server - frontend http-cert-auth - bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt - bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3 + frontend http-cert-auth + bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt + bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3 - use_backend http_server - ''; - }; - services.httpd = { - enable = true; - virtualHosts.localhost = { - documentRoot = pkgs.writeTextDir "index.txt" "We are all good!"; - adminAddr = "notme@yourhost.local"; - listen = [ - { - ip = "::1"; - port = 8000; - } - ]; - }; - }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 8443 - ]; - networking.firewall.allowedUDPPorts = [ - 443 - 8443 - ]; + use_backend http_server + ''; }; - client = - { ... }: - { - environment.systemPackages = [ pkgs.curlHTTP3 ]; + services.httpd = { + enable = true; + virtualHosts.localhost = { + documentRoot = pkgs.writeTextDir "index.txt" "We are all good!"; + adminAddr = "notme@yourhost.local"; + listen = [ + { + ip = "::1"; + port = 8000; + } + ]; + }; }; - }; - testScript = '' - # Helpers - def cmd(command): - print(f"+{command}") - r = os.system(command) - if r != 0: - raise Exception(f"Command {command} failed with exit code {r}") + networking.firewall.allowedTCPPorts = [ + 80 + 443 + 8443 + ]; + networking.firewall.allowedUDPPorts = [ + 443 + 8443 + ]; + }; + client = + { pkgs, ... }: + { + environment.systemPackages = [ pkgs.curlHTTP3 ]; + }; + }; + testScript = '' + # Helpers + def cmd(command): + print(f"+{command}") + r = os.system(command) + if r != 0: + raise Exception(f"Command {command} failed with exit code {r}") - def openssl(command): - cmd(f"${pkgs.openssl}/bin/openssl {command}") + def openssl(command): + cmd(f"${lib.getExe hostPkgs.openssl} {command}") - # Generate CA. - openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt") + # Generate CA. + openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt") - # Generate and sign Server. - openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr") - openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7") - cmd("cat server.crt server.key > fullchain.pem") + # Generate and sign Server. + openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr") + openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7") + cmd("cat server.crt server.key > fullchain.pem") - # Generate and sign Client. - openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr") - openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7") - cmd("cat client.crt client.key > client.pem") + # Generate and sign Client. + openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr") + openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7") + cmd("cat client.crt client.key > client.pem") - # Start the actual test. - start_all() - server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem") - server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt") - server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt") + # Start the actual test. + start_all() + server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem") + server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt") + server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt") - client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt") - client.copy_from_host("client.pem", "/root/client.pem") + client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt") + client.copy_from_host("client.pem", "/root/client.pem") - server.wait_for_unit("multi-user.target") - server.wait_for_unit("haproxy.service") - server.wait_for_unit("httpd.service") + server.wait_for_unit("multi-user.target") + server.wait_for_unit("haproxy.service") + server.wait_for_unit("httpd.service") - assert "We are all good!" in client.succeed("curl -f http://server/index.txt") - assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics") + assert "We are all good!" in client.succeed("curl -f http://server/index.txt") + assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics") - with subtest("https"): - assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt") + with subtest("https"): + assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt") - with subtest("https-cert-auth"): - # Client must succeed in authenticating with the right certificate. - assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt") - # Client must fail without certificate. - client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt") + with subtest("https-cert-auth"): + # Client must succeed in authenticating with the right certificate. + assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt") + # Client must fail without certificate. + client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt") - with subtest("h3"): - assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt") + with subtest("h3"): + assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt") - with subtest("h3-cert-auth"): - # Client must succeed in authenticating with the right certificate. - assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt") - # Client must fail without certificate. - client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt") + with subtest("h3-cert-auth"): + # Client must succeed in authenticating with the right certificate. + assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt") + # Client must fail without certificate. + client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt") - with subtest("reload"): - server.succeed("systemctl reload haproxy") - # wait some time to ensure the following request hits the reloaded haproxy - server.sleep(5) - assert "We are all good!" in client.succeed("curl -f http://server/index.txt") - ''; - } -) + with subtest("reload"): + server.succeed("systemctl reload haproxy") + # wait some time to ensure the following request hits the reloaded haproxy + server.sleep(5) + assert "We are all good!" in client.succeed("curl -f http://server/index.txt") + ''; +}