From 9b67b79b6e99326052327a38139e4a47764f9612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phan=20Kochen?=
Date: Tue, 10 Dec 2024 14:53:02 +0100
Subject: [PATCH] nixos/tests/rustls-libssl: init
---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/rustls-libssl.nix | 92 +++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 nixos/tests/rustls-libssl.nix
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index afb1730955eff..b014b6405d93a 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -909,6 +909,7 @@ in {
 rsyslogd = handleTest ./rsyslogd.nix {};
 rtkit = runTest ./rtkit.nix;
 rtorrent = handleTest ./rtorrent.nix {};
+ rustls-libssl = handleTest ./rustls-libssl.nix {};
 rxe = handleTest ./rxe.nix {};
 sabnzbd = handleTest ./sabnzbd.nix {};
 samba = handleTest ./samba.nix {};
diff --git a/nixos/tests/rustls-libssl.nix b/nixos/tests/rustls-libssl.nix
new file mode 100644
index 0000000000000..079fa52435bc0
--- /dev/null
+++ b/nixos/tests/rustls-libssl.nix
@@ -0,0 +1,92 @@
+import ./make-test-python.nix (
+ { pkgs, lib, ... }:
+ let
+ caCert = builtins.readFile ./common/acme/server/ca.cert.pem;
+ certPath = ./common/acme/server/acme.test.cert.pem;
+ keyPath = ./common/acme/server/acme.test.key.pem;
+ hosts = ''
+ 192.168.2.101 acme.test
+ '';
+ in
+ {
+ name = "rustls-libssl";
+ meta.maintainers = with pkgs.lib.maintainers; [
+ stephank
+ cpu
+ ];
+
+ nodes = {
+ server =
+ { lib, pkgs, ... }:
+ {
+ networking = {
+ interfaces.eth1 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.2.101";
+ prefixLength = 24;
+ }
+ ];
+ };
+ extraHosts = hosts;
+ firewall.allowedTCPPorts = [ 443 ];
+ };
+
+ security.pki.certificates = [ caCert ];
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxMainline.override {
+ openssl = pkgs.rustls-libssl;
+ modules = [ ]; # slightly reduces the size of the build
+ };
+
+ # Hardcoded sole input accepted by rustls-libssl.
+ sslCiphers = "HIGH:!aNULL:!MD5";
+
+ virtualHosts."acme.test" = {
+ onlySSL = true;
+ sslCertificate = certPath;
+ sslCertificateKey = keyPath;
+ http2 = true;
+ reuseport = true;
+ root = lib.mkForce (
+ pkgs.runCommandLocal "testdir" { } ''
+ mkdir "$out"
+ cat > "$out/index.html" <Hello World!
+ EOF
+ ''
+ );
+ };
+ };
+ };
+
+ client =
+ { pkgs, ... }:
+ {
+ environment.systemPackages = [ pkgs.curlHTTP3 ];
+ networking = {
+ interfaces.eth1 = {
+ ipv4.addresses = [
+ {
+ address = "192.168.2.201";
+ prefixLength = 24;
+ }
+ ];
+ };
+ extraHosts = hosts;
+ };
+
+ security.pki.certificates = [ caCert ];
+ };
+ };
+
+ testScript = ''
+ start_all()
+ server.wait_for_open_port(443)
+ client.succeed("curl --verbose --http1.1 https://acme.test | grep 'Hello World!'")
+ client.succeed("curl --verbose --http2-prior-knowledge https://acme.test | grep 'Hello World!'")
+ '';
+ }
+)
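Review bot: The two `client.succeed` calls in `testScript` pipe curl into grep, so only the body match decides the outcome; `--verbose` writes the TLS handshake trace to stderr, which nothing inspects, and without `--fail` an HTTP error response is rejected only because its body happens to lack the expected text. A more explicit check is `client.succeed("curl --fail --verbose --http1.1 https://acme.test | grep 'Hello World!'")`, with the same `--fail` added on the `--http2-prior-knowledge` line. The client node installs `pkgs.curlHTTP3`, but no HTTP/3 request is made and the virtual host only sets `http2 = true`, so either `pkgs.curl` suffices or an intended `--http3` case is missing. In this copy the `cat > "$out/index.html" <Hello World!` line appears truncated (presumably a heredoc whose markup was stripped on rendering), so the generated index.html could not be reviewed here.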