pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / dnsdist.nix
at master 3.8 kB view raw
1{ pkgs, runTest }: 2 3let 4 5 inherit (pkgs) lib; 6 7 baseConfig = { 8 networking.nameservers = [ "::1" ]; 9 services.bind = { 10 enable = true; 11 extraOptions = "empty-zones-enable no;"; 12 zones = lib.singleton { 13 name = "."; 14 master = true; 15 file = pkgs.writeText "root.zone" '' 16 $TTL 3600 17 . IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d ) 18 . IN NS ns.example.org. 19 20 ns.example.org. IN A 192.168.0.1 21 ns.example.org. IN AAAA abcd::1 22 23 1.0.168.192.in-addr.arpa IN PTR ns.example.org. 24 ''; 25 }; 26 }; 27 services.dnsdist = { 28 enable = true; 29 listenPort = 5353; 30 extraConfig = '' 31 newServer({address="127.0.0.1:53", name="local-bind"}) 32 ''; 33 }; 34 }; 35 36in 37 38{ 39 40 base = runTest { 41 name = "dnsdist-base"; 42 meta.maintainers = with lib.maintainers; [ jojosch ]; 43 44 nodes.machine = baseConfig; 45 46 testScript = '' 47 machine.wait_for_unit("bind.service") 48 machine.wait_for_open_port(53) 49 machine.succeed("host -p 53 192.168.0.1 | grep -qF ns.example.org") 50 51 machine.wait_for_unit("dnsdist.service") 52 machine.wait_for_open_port(5353) 53 machine.succeed("host -p 5353 192.168.0.1 | grep -qF ns.example.org") 54 ''; 55 }; 56 57 dnscrypt = runTest { 58 name = "dnsdist-dnscrypt"; 59 meta.maintainers = with lib.maintainers; [ rnhmjoj ]; 60 61 nodes.server = lib.mkMerge [ 62 baseConfig 63 { 64 networking.firewall.allowedTCPPorts = [ 443 ]; 65 networking.firewall.allowedUDPPorts = [ 443 ]; 66 services.dnsdist.dnscrypt.enable = true; 67 services.dnsdist.dnscrypt.providerKey = pkgs.runCommand "dnscrypt-secret.key" { } '' 68 echo 'R70+xqm7AaDsPtDgpSjSG7KHvEqVf6u6PZ+E3cGPbOwUQdg6/ 69 RIIpK6pHkINhrv7nxwIG5c7b/m5NJVT3A1AXQ==' | base64 -id > "$out" 70 ''; 71 } 72 ]; 73 74 nodes.client = { 75 services.dnscrypt-proxy.enable = true; 76 services.dnscrypt-proxy.upstreamDefaults = false; 77 services.dnscrypt-proxy.settings = { 78 server_names = [ "server" ]; 79 listen_addresses = [ "[::1]:53" ]; 80 cache = false; 81 # Computed using https://dnscrypt.info/stamps/ 82 static.server.stamp = "sdns://AQAAAAAAAAAADzE5Mi4xNjguMS4yOjQ0MyAUQdg6_RIIpK6pHkINhrv7nxwIG5c7b_m5NJVT3A1AXRYyLmRuc2NyeXB0LWNlcnQuc2VydmVy"; 83 }; 84 networking.nameservers = [ "::1" ]; 85 }; 86 87 testScript = '' 88 with subtest("The DNSCrypt server is accepting connections"): 89 server.wait_for_unit("bind.service") 90 server.wait_for_unit("dnsdist.service") 91 server.wait_for_open_port(443) 92 almost_expiration = server.succeed("date --date '14min'").strip() 93 94 with subtest("The DNSCrypt client can connect to the server"): 95 client.wait_until_succeeds("journalctl -u dnscrypt-proxy --grep '\\[server\\] OK'") 96 97 with subtest("DNS queries over UDP are working"): 98 client.wait_for_open_port(53) 99 client.wait_until_succeeds("host -U 192.168.0.1", timeout=60) 100 client.succeed("host -U 192.168.0.1 | grep -qF ns.example.org") 101 102 with subtest("DNS queries over TCP are working"): 103 client.wait_for_open_port(53) 104 client.succeed("host -T 192.168.0.1 | grep -qF ns.example.org") 105 106 with subtest("The server rotates the ephemeral keys"): 107 server.succeed(f"date -s '{almost_expiration}'") 108 client.succeed(f"date -s '{almost_expiration}'") 109 server.wait_until_succeeds("journalctl -u dnsdist --grep 'rotated certificate'") 110 111 with subtest("The client can still connect to the server"): 112 client.wait_until_succeeds("host -T 192.168.0.1") 113 client.wait_until_succeeds("host -U 192.168.0.1") 114 ''; 115 }; 116}