From 9ca60dbb793c338c30501f2c4c13291929ff524e Mon Sep 17 00:00:00 2001
From: Sizhe Zhao
Date: Tue, 15 Apr 2025 16:40:15 +0800
Subject: [PATCH] nixos/tests/firewalld: init

---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/firewalld.nix | 52 +++++++++++++++++++++++++++
 pkgs/by-name/fi/firewalld/package.nix | 1 +
 3 files changed, 54 insertions(+)
 create mode 100644 nixos/tests/firewalld.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index c6bd23538dee..40f6d0afbf65 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -579,6 +579,7 @@ in
 imports = [ ./firewall.nix ];
 _module.args.backend = "nftables";
 };
+ firewalld = runTest ./firewalld.nix;
 firezone = runTest ./firezone/firezone.nix;
 fish = runTest ./fish.nix;
 flannel = runTestOn [ "x86_64-linux" ] ./flannel.nix;
diff --git a/nixos/tests/firewalld.nix b/nixos/tests/firewalld.nix
new file mode 100644
index 000000000000..a191fe806354
--- /dev/null
+++ b/nixos/tests/firewalld.nix
@@ -0,0 +1,52 @@
+{ lib, pkgs, ... }:
+{
+ name = "firewalld";
+ meta.maintainers = with pkgs.lib.maintainers; [
+ prince213
+ ];
+
+ nodes = {
+ walled = {
+ networking.nftables.enable = true;
+ services.firewalld.enable = true;
+ services.httpd.enable = true;
+ services.httpd.adminAddr = "foo@example.org";
+ };
+
+ open = {
+ networking.nftables.enable = true;
+ services.firewalld = {
+ enable = true;
+ settings.DefaultZone = "trusted";
+ };
+ services.httpd.enable = true;
+ services.httpd.adminAddr = "foo@example.org";
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ walled.wait_for_unit("firewalld")
+ walled.wait_for_unit("httpd")
+
+ open.wait_for_unit("network.target")
+
+ with subtest("walled local httpd works"):
+ walled.succeed("curl -v http://localhost/ >&2")
+
+ with subtest("incoming connections are blocked"):
+ open.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+
+ with subtest("outgoing connections are allowed"):
+ walled.succeed("curl -v http://open/ >&2")
+
+ with subtest("runtime configuration can be changed"):
+ walled.succeed("firewall-cmd --add-service=http")
+ open.succeed("curl -v http://walled/ >&2")
+
+ with subtest("runtime configuration are not permanent"):
+ walled.succeed("firewall-cmd --complete-reload")
+ open.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+ '';
+}
diff --git a/pkgs/by-name/fi/firewalld/package.nix b/pkgs/by-name/fi/firewalld/package.nix
index 2a009be7de0b..9b0abeb7cbfd 100644
--- a/pkgs/by-name/fi/firewalld/package.nix
+++ b/pkgs/by-name/fi/firewalld/package.nix
@@ -155,6 +155,7 @@ stdenv.mkDerivation rec {
 '';
 passthru.tests = {
+ firewalld = nixosTests.firewalld;
 firewall-firewalld = nixosTests.firewall-firewalld;
 };
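Review bot: The `outgoing connections are allowed` subtest curls `http://open/`, but the `open` node only waits for `network.target`, so its httpd (and its firewalld, which installs the trusted default zone) may not be up yet when `walled` connects, and the subtest can then fail on timing rather than on firewall behaviour. Mirror the waits used for `walled` by replacing `open.wait_for_unit("network.target")` with `open.wait_for_unit("firewalld")` and `open.wait_for_unit("httpd")`. The `open` node's `settings.DefaultZone = "trusted"` is presumably there so that this node accepts the connection from `walled`; a comment such as `# accept everything here: this node is only the peer for walled's outgoing check` on that line would make the intent explicit. The last subtest name, `runtime configuration are not permanent`, should read `runtime configuration is not permanent`.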