import ./make-test-python.nix ({ lib, pkgs, ...}: {
  name = "haproxy";
  nodes = {
    server = { ... }: {
     services.haproxy = {
        enable = true;
        config = ''
          global
            limited-quic

          defaults
            mode http
            timeout connect 10s
            timeout client 10s
            timeout server 10s

            log /dev/log local0 debug err
            option logasap
            option httplog
            option httpslog

          backend http_server
            server httpd [::1]:8000 alpn http/1.1

          frontend http
            bind :80
            bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1
            bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt

            http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc }

            http-request use-service prometheus-exporter if { path /metrics }
            use_backend http_server

          frontend http-cert-auth
            bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt
            bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3

            use_backend http_server
        '';
      };
      services.httpd = {
        enable = true;
        virtualHosts.localhost = {
          documentRoot = pkgs.writeTextDir "index.txt" "We are all good!";
          adminAddr = "notme@yourhost.local";
          listen = [{
            ip = "::1";
            port = 8000;
          }];
        };
      };
      networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
      networking.firewall.allowedUDPPorts = [ 443 8443 ];
     };
    client = { ... }: {
      environment.systemPackages = [ pkgs.curlHTTP3 ];
    };
  };
  testScript = ''
    # Helpers
    def cmd(command):
      print(f"+{command}")
      r = os.system(command)
      if r != 0:
        raise Exception(f"Command {command} failed with exit code {r}")

    def openssl(command):
      cmd(f"${pkgs.openssl}/bin/openssl {command}")

    # Generate CA.
    openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt")

    # Generate and sign Server.
    openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr")
    openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7")
    cmd("cat server.crt server.key > fullchain.pem")

    # Generate and sign Client.
    openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr")
    openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7")
    cmd("cat client.crt client.key > client.pem")

    # Start the actual test.
    start_all()
    server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem")
    server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
    server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt")

    client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")
    client.copy_from_host("client.pem", "/root/client.pem")

    server.wait_for_unit("multi-user.target")
    server.wait_for_unit("haproxy.service")
    server.wait_for_unit("httpd.service")

    assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
    assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics")

    with subtest("https"):
      assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt")

    with subtest("https-cert-auth"):
      # Client must succeed in authenticating with the right certificate.
      assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
      # Client must fail without certificate.
      client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")

    with subtest("h3"):
      assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt")

    with subtest("h3-cert-auth"):
      # Client must succeed in authenticating with the right certificate.
      assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")
      # Client must fail without certificate.
      client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")

    with subtest("reload"):
        server.succeed("systemctl reload haproxy")
        # wait some time to ensure the following request hits the reloaded haproxy
        server.sleep(5)
        assert "We are all good!" in client.succeed("curl -f http://server/index.txt")
  '';
})