Simon Gardling
da6b4d1915
- Add explicit iptables banaction in security.nix for test compatibility - Force IPv4 in all curl requests to prevent IPv4/IPv6 mismatch issues - Fix caddy test: use basic_auth directive (not basicauth) - Override service ports in tests to match direct connections (not via Caddy) - Vaultwarden: override ROCKET_ADDRESS and ROCKET_LOG for external access - Immich: increase VM memory to 4GB for stability - Jellyfin: create placeholder log file and reload fail2ban after startup - Add tests.nix entries for all 6 fail2ban tests All tests now pass: ssh, caddy, gitea, vaultwarden, immich, jellyfin
104 lines
3.2 KiB
Nix
104 lines
3.2 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
pkgs.testers.runNixOSTest {
|
|
name = "fail2ban-caddy";
|
|
|
|
nodes = {
|
|
server =
|
|
{ config, pkgs, lib, ... }:
|
|
{
|
|
imports = [
|
|
../modules/security.nix
|
|
];
|
|
|
|
# Set up Caddy with basic auth (minimal config, no production stuff)
|
|
# Using bcrypt hash generated with: caddy hash-password --plaintext testpass
|
|
services.caddy = {
|
|
enable = true;
|
|
virtualHosts.":80".extraConfig = ''
|
|
log {
|
|
output file /var/log/caddy/access-server.log
|
|
format json
|
|
}
|
|
basic_auth {
|
|
testuser $2a$14$XqaQlGTdmofswciqrLlMz.rv0/jiGQq8aU.fP6mh6gCGiLf6Cl3.a
|
|
}
|
|
respond "Authenticated!" 200
|
|
'';
|
|
};
|
|
|
|
# Add the fail2ban jail for caddy-auth (same as in services/caddy.nix)
|
|
services.fail2ban.jails.caddy-auth = {
|
|
enabled = true;
|
|
settings = {
|
|
backend = "auto";
|
|
port = "http,https";
|
|
logpath = "/var/log/caddy/access-*.log";
|
|
maxretry = 3; # Lower for testing
|
|
};
|
|
filter.Definition = {
|
|
failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';
|
|
ignoreregex = "";
|
|
datepattern = ''"ts":{Epoch}\.'';
|
|
};
|
|
};
|
|
|
|
# Create log directory and initial log file so fail2ban can start
|
|
systemd.tmpfiles.rules = [
|
|
"d /var/log/caddy 755 caddy caddy"
|
|
"f /var/log/caddy/access-server.log 644 caddy caddy"
|
|
];
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
|
};
|
|
|
|
client = {
|
|
environment.systemPackages = [ pkgs.curl ];
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
import time
|
|
import re
|
|
|
|
start_all()
|
|
server.wait_for_unit("caddy.service")
|
|
server.wait_for_unit("fail2ban.service")
|
|
server.wait_for_open_port(80)
|
|
time.sleep(2)
|
|
|
|
with subtest("Verify caddy-auth jail is active"):
|
|
status = server.succeed("fail2ban-client status")
|
|
assert "caddy-auth" in status, f"caddy-auth jail not found in: {status}"
|
|
|
|
with subtest("Verify correct password works"):
|
|
# Use -4 to force IPv4 for consistency
|
|
result = client.succeed("curl -4 -s -u testuser:testpass http://server/")
|
|
print(f"Curl result: {result}")
|
|
assert "Authenticated" in result, f"Auth should succeed: {result}"
|
|
|
|
with subtest("Generate failed basic auth attempts"):
|
|
# Use -4 to force IPv4 for consistent IP tracking
|
|
for i in range(4):
|
|
client.execute("curl -4 -s -u testuser:wrongpass http://server/ || true")
|
|
time.sleep(1)
|
|
|
|
with subtest("Verify IP is banned"):
|
|
time.sleep(5)
|
|
status = server.succeed("fail2ban-client status caddy-auth")
|
|
print(f"caddy-auth jail status: {status}")
|
|
# Check that at least 1 IP is banned
|
|
match = re.search(r"Currently banned:\s*(\d+)", status)
|
|
assert match and int(match.group(1)) >= 1, f"Expected at least 1 banned IP, got: {status}"
|
|
|
|
with subtest("Verify banned client cannot connect"):
|
|
# Use -4 to test with same IP that was banned
|
|
exit_code = client.execute("curl -4 -s --max-time 3 http://server/ 2>&1")[0]
|
|
assert exit_code != 0, "Connection should be blocked"
|
|
'';
|
|
}
|