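# NixOS VM test for the dnscrypt-wrapper service: a server node answers DNSCrypt
# queries in front of a local tinydns zone, a client node resolves through
# dnscrypt-proxy2, and the server's ephemeral keys are rotated by advancing the
# clocks on both nodes.
import ../make-test-python.nix ({ pkgs, ... }: {
  name = "dnscrypt-wrapper";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ rnhmjoj ];
  };

  nodes = {
    server = { lib, ... }:
      { services.dnscrypt-wrapper = with builtins;
          { enable = true;
            address = "192.168.1.1";
            keys.expiration = 5;    # days: lifetime of the ephemeral keypair
            keys.checkInterval = 2; # min: how often the wrapper checks whether to rotate
            # The keypair was generated by the command:
            #   dnscrypt-wrapper --gen-provider-keypair \
            #     --provider-name=2.dnscrypt-cert.server \
            #     --ext-address=192.168.1.1:5353
            # Both files are copied into the Nix store with `toFile`, which makes
            # them world-readable on the machine; that is acceptable for this test
            # fixture (the key pair is public test material) but is not a pattern
            # to copy for a real provider secret.
            providerKey.public = toFile "public.key" (readFile ./public.key);
            providerKey.secret = toFile "secret.key" (readFile ./secret.key);
          };
        # Backend zone: this host serves the root zone and publishes the
        # it.works A record that the client subtests assert on.
        services.tinydns.enable = true;
        services.tinydns.data = ''
          ..:192.168.1.1:a
          +it.works:1.2.3.4
        '';
        # 5353 is the DNSCrypt listener port baked into the provider keypair
        # (--ext-address above) and into the client's server stamp.
        networking.firewall.allowedUDPPorts = [ 5353 ];
        networking.firewall.allowedTCPPorts = [ 5353 ];
        networking.interfaces.eth1.ipv4.addresses = lib.mkForce
          [ { address = "192.168.1.1"; prefixLength = 24; } ];
      };

    client = { lib, ... }:
      { services.dnscrypt-proxy2.enable = true;
        # Do not pull the default public resolver list; the only upstream is the
        # static "server" entry below.
        services.dnscrypt-proxy2.upstreamDefaults = false;
        services.dnscrypt-proxy2.settings = {
          server_names = [ "server" ];
          # DNSCrypt stamp pinning the server address/port, its provider public
          # key and the provider name 2.dnscrypt-cert.server; it must match the
          # keypair configured on the server node.
          static.server.stamp = "sdns://AQAAAAAAAAAAEDE5Mi4xNjguMS4xOjUzNTMgFEHYOv0SCKSuqR5CDYa7-58cCBuXO2_5uTSVU9wNQF0WMi5kbnNjcnlwdC1jZXJ0LnNlcnZlcg";
        };
        # Route all name resolution through the local dnscrypt-proxy2 listener.
        networking.nameservers = [ "127.0.0.1" ];
        networking.interfaces.eth1.ipv4.addresses = lib.mkForce
          [ { address = "192.168.1.2"; prefixLength = 24; } ];
      };

  };

  testScript = ''
    start_all()

    with subtest("The server can generate the ephemeral keypair"):
        server.wait_for_unit("dnscrypt-wrapper")
        server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
        server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")

    with subtest("The client can connect to the server"):
        server.wait_for_unit("tinydns")
        client.wait_for_unit("dnscrypt-proxy2")
        assert "1.2.3.4" in client.succeed(
            "host it.works"
        ), "The IP address of 'it.works' does not match 1.2.3.4"

    with subtest("The server rotates the ephemeral keys"):
        # Advance time by a little less than the 5-day key expiration.  The
        # client clock is moved too so that it agrees with the server on the
        # validity window of the freshly issued certificate.  The wrapper is
        # expected to roll the keys on one of its 2-minute checks; the
        # `oldkeys` directory appearing is the rotation signal.
        server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
        client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
        server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")

    with subtest("The client can still connect to the server"):
        server.wait_for_unit("dnscrypt-wrapper")
        # Check the answer, not just the exit status, so a post-rotation
        # resolver that replies with the wrong data is caught as well.
        assert "1.2.3.4" in client.succeed(
            "host it.works"
        ), "The IP address of 'it.works' does not match 1.2.3.4 after key rotation"
  '';
})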