@@ -1,170 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
testServerName = "testserver";
|
||||
|
||||
# Create pkgs with nix-minecraft overlay and unfree packages allowed
|
||||
testPkgs = import inputs.nixpkgs {
|
||||
system = pkgs.stdenv.targetPlatform.system;
|
||||
config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" ];
|
||||
overlays = [
|
||||
inputs.nix-minecraft.overlay
|
||||
(import ../modules/overlays.nix)
|
||||
];
|
||||
};
|
||||
|
||||
testServiceConfigs = {
|
||||
zpool_ssds = "";
|
||||
https = {
|
||||
domain = "test.local";
|
||||
};
|
||||
minecraft = {
|
||||
parent_dir = "/var/lib/minecraft";
|
||||
server_name = testServerName;
|
||||
};
|
||||
};
|
||||
|
||||
testLib = lib.extend (
|
||||
final: prev: {
|
||||
serviceMountWithZpool =
|
||||
serviceName: zpool: dirs:
|
||||
{ ... }:
|
||||
{ };
|
||||
}
|
||||
);
|
||||
|
||||
minecraftModule =
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
(import ../services/minecraft.nix {
|
||||
inherit config inputs;
|
||||
pkgs = testPkgs;
|
||||
lib = testLib;
|
||||
service_configs = testServiceConfigs;
|
||||
})
|
||||
];
|
||||
# Override nixpkgs config to prevent conflicts in test environment
|
||||
nixpkgs.config = lib.mkForce {
|
||||
allowUnfreePredicate = pkg: builtins.elem (testPkgs.lib.getName pkg) [ "minecraft-server" ];
|
||||
};
|
||||
# Disable whitelist import to avoid missing secrets file and reduce memory
|
||||
services.minecraft-servers.servers.${testServerName} = {
|
||||
whitelist = lib.mkForce { };
|
||||
jvmOpts = lib.mkForce "-Xmx1G -Xms1G";
|
||||
};
|
||||
};
|
||||
in
|
||||
testPkgs.testers.runNixOSTest {
|
||||
name = "fail2ban-minecraft";
|
||||
|
||||
nodes = {
|
||||
server =
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
../modules/security.nix
|
||||
minecraftModule
|
||||
];
|
||||
|
||||
# Disable ZFS mount dependency
|
||||
systemd.services."minecraft-server-${testServerName}-mounts".enable = lib.mkForce false;
|
||||
systemd.services."minecraft-server-${testServerName}" = {
|
||||
wants = lib.mkForce [ ];
|
||||
after = lib.mkForce [ ];
|
||||
requires = lib.mkForce [ ];
|
||||
};
|
||||
|
||||
# Override for faster testing
|
||||
services.fail2ban.jails.minecraft.settings = {
|
||||
maxretry = lib.mkForce 3;
|
||||
findtime = lib.mkForce "5m";
|
||||
bantime = lib.mkForce "10m";
|
||||
};
|
||||
|
||||
# Create log directory and placeholder for fail2ban
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/minecraft/${testServerName}/logs 0755 minecraft minecraft"
|
||||
"f /var/lib/minecraft/${testServerName}/logs/latest.log 0644 minecraft minecraft"
|
||||
];
|
||||
|
||||
# Make fail2ban start after minecraft
|
||||
systemd.services.fail2ban = {
|
||||
wants = [ "minecraft-server-${testServerName}.service" ];
|
||||
after = [ "minecraft-server-${testServerName}.service" ];
|
||||
};
|
||||
|
||||
# Give minecraft server more resources
|
||||
virtualisation.diskSize = 4 * 1024;
|
||||
virtualisation.memorySize = 4 * 1024;
|
||||
};
|
||||
|
||||
client =
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [
|
||||
(pkgs.python3.withPackages (ps: [ ps.mcstatus ]))
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
import time
|
||||
|
||||
start_all()
|
||||
|
||||
# Wait for minecraft server to fully start
|
||||
server.wait_for_unit("minecraft-server-${testServerName}.service", timeout=180)
|
||||
server.wait_for_unit("fail2ban.service")
|
||||
server.wait_for_open_port(25565, timeout=120)
|
||||
|
||||
# Wait for server to be ready (shows "Done" in logs)
|
||||
server.wait_until_succeeds(
|
||||
"grep -q 'Done' /var/lib/minecraft/${testServerName}/logs/latest.log",
|
||||
timeout=120
|
||||
)
|
||||
time.sleep(2)
|
||||
|
||||
# Reload fail2ban now that the real log file exists
|
||||
server.succeed("fail2ban-client reload minecraft")
|
||||
time.sleep(2)
|
||||
|
||||
with subtest("Verify minecraft jail is active"):
|
||||
status = server.succeed("fail2ban-client status")
|
||||
print(f"fail2ban status:\n{status}")
|
||||
assert "minecraft" in status, f"minecraft jail not found in: {status}"
|
||||
|
||||
with subtest("Verify jail configuration"):
|
||||
# Check jail status shows it's monitoring the log file
|
||||
status = server.succeed("fail2ban-client status minecraft")
|
||||
print(f"Jail status:\n{status}")
|
||||
assert "minecraft" in status, "minecraft jail not properly configured"
|
||||
|
||||
with subtest("Check server logs"):
|
||||
logs = server.succeed("tail -20 /var/lib/minecraft/${testServerName}/logs/latest.log")
|
||||
print(f"Server logs:\n{logs}")
|
||||
|
||||
with subtest("Test regex with fail2ban-regex"):
|
||||
# Test the filter regex against the log file
|
||||
result = server.execute("fail2ban-regex /var/lib/minecraft/${testServerName}/logs/latest.log /etc/fail2ban/filter.d/minecraft.local 2>&1")
|
||||
print(f"Regex test result:\n{result}")
|
||||
|
||||
with subtest("Verify jail is functional"):
|
||||
# The jail should be running and monitoring - mcstatus won't trigger bans
|
||||
# since it only does status pings, not login attempts that would fail whitelist
|
||||
status = server.succeed("fail2ban-client status minecraft")
|
||||
print(f"Final jail status:\n{status}")
|
||||
# Verify the jail is running (has filter file loaded)
|
||||
assert "Filter" in status or "File list" in status or "Currently" in status, "Jail not properly running"
|
||||
'';
|
||||
}
|
||||
@@ -20,5 +20,4 @@ in
|
||||
fail2banVaultwardenTest = handleTest ./fail2ban-vaultwarden.nix;
|
||||
fail2banImmichTest = handleTest ./fail2ban-immich.nix;
|
||||
fail2banJellyfinTest = handleTest ./fail2ban-jellyfin.nix;
|
||||
fail2banMinecraftTest = handleTest ./fail2ban-minecraft.nix;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user