nixos/tests/h2o: use client to check + start_all() machines

Author: toastal

nixos/tests/web-servers/h2o/basic.nix

@@ -36,12 +36,8 @@ in
 
   nodes = {
     server =
-      { pkgs, config, ... }:
+      { config, ... }:
       {
-        environment.systemPackages = [
-          pkgs.curl
-        ];
-
         services.h2o = {
           enable = true;
           defaultHTTPListenPort = 8080;
@@ -111,12 +107,30 @@ in
             ];
           };
           extraHosts = ''
-            127.0.0.1 ${domain.HTTP}
-            127.0.0.1 ${domain.TLS}
+            ${config.networking.primaryIPAddress} ${domain.HTTP}
+            ${config.networking.primaryIPAddress} ${domain.TLS}
           '';
         };
       };
+
+    client =
+      { nodes, pkgs, ... }:
+      {
+        environment.systemPackages = [
+          pkgs.curl
+        ];
+
+        security.pki.certificates = [
+          (builtins.readFile ../../common/acme/server/ca.cert.pem)
+        ];
+
+        networking.extraHosts = ''
+          ${nodes.server.networking.primaryIPAddress} ${domain.HTTP}
+          ${nodes.server.networking.primaryIPAddress} ${domain.TLS}
+        '';
+      };
   };
+
   testScript =
     { nodes, ... }:
     let
@@ -126,30 +140,32 @@ in
     in
     # python
     ''
+      start_all()
+
       server.wait_for_unit("h2o.service")
       server.wait_for_open_port(${portStrHTTP})
       server.wait_for_open_port(${portStrTLS})
 
-      assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")
+      assert "${sawatdi_chao_lok}" in client.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")
 
-      tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()
+      tls_hello_world_head = client.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()
       assert "http/2 200" in tls_hello_world_head
       assert "server: h2o" in tls_hello_world_head
       assert "content-type: text/x-rst" in tls_hello_world_head
 
-      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
+      assert "${sawatdi_chao_lok}" in client.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
 
-      quic_hello_world_head = server.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()
+      quic_hello_world_head = client.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()
       assert "http/3 200" in quic_hello_world_head
       assert "server: h2o" in quic_hello_world_head
       assert "content-type: text/x-rst" in quic_hello_world_head
 
-      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
+      assert "${sawatdi_chao_lok}" in client.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
 
-      assert "redirected" in server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower()
+      assert "redirected" in client.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower()
 
-      server.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
+      client.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
 
-      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
+      assert "${sawatdi_chao_lok}" in client.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
     '';
 }

nixos/tests/web-servers/h2o/mruby.nix

@@ -14,7 +14,7 @@ in
 
   nodes = {
     server =
-      { pkgs, ... }:
+      { pkgs, config, ... }:
       {
         services.h2o = {
           enable = true;
@@ -41,9 +41,17 @@ in
           };
         };
 
-        networking.extraHosts = ''
-          127.0.0.1 ${domain}
-        '';
+        networking.firewall.allowedTCPPorts = [
+          config.services.h2o.settings.listen
+        ];
+      };
+
+    client =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = [
+          pkgs.curl
+        ];
       };
   };
 
@@ -52,14 +60,17 @@ in
     let
       inherit (nodes) server;
       portStr = builtins.toString server.services.h2o.settings.listen;
+      origin = "http://server:${portStr}";
     in
     # python
     ''
+      start_all()
+
       server.wait_for_unit("h2o.service")
       server.wait_for_open_port(${portStr})
 
-      assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world")
+      assert "${sawatdi_chao_lok}" in client.succeed("curl --fail-with-body ${origin}/hello_world")
 
-      assert "FILE_HANDLER" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler")
+      assert "FILE_HANDLER" in client.succeed("curl --fail-with-body ${origin}/file_handler")
     '';
 }

nixos/tests/web-servers/h2o/tls-recommendations.nix

@@ -78,6 +78,8 @@ in
     maintainers = with lib.maintainers; [ toastal ];
   };
 
+  # not using a `client` since it’s easiest to test with acme.test pointing at
+  # localhost for these machines
   nodes = {
     server_modern = mkH2OServer "modern";
     server_intermediate = mkH2OServer "intermediate";
@@ -100,6 +102,8 @@ in
       curl_max_tls1_2_intermediate_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256' 'https://${domain}:{port}/'"
       curl_max_tls1_2_old_cipher ="curl -v --tlsv1.0 --tls-max 1.2 --ciphers 'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256' 'https://${domain}:{port}/'"
 
+      start_all()
+
       server_modern.wait_for_unit("h2o.service")
       server_modern.wait_for_open_port(${modernPortStr})
       modern_response = server_modern.succeed(curl_basic.format(port="${modernPortStr}"))