pyrox.dev / nixpkgs
lol
fork atom

nixos/nebula: add DNS tests

Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>

Sirio Balmelli a247dd22 40567b6b

options
unified split
Changed files
+14 -1
nixos
tests
nebula.nix
+14 -1
nixos/tests/nebula.nix 
···

       
14

       
14

       
 

       
      lib.mkMerge [


     

       
15

       
15

       
 

       
        {


     

       
16

       
16

       
 

       
          # Expose nebula for doing cert signing.


     

       
17

       

       
-

       
          environment.systemPackages = [ pkgs.nebula ];


     

       

       
17

       
+

       
          environment.systemPackages = [


     

       

       
18

       
+

       
            pkgs.dig


     

       

       
19

       
+

       
            pkgs.nebula


     

       

       
20

       
+

       
          ];


     

       
18

       
21

       
 

       
          users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];


     

       
19

       
22

       
 

       
          services.openssh.enable = true;


     

       
20

       
23

       
 

       
          networking.firewall.enable = true; # Implicitly true, but let's make sure.


     
···

       
51

       
54

       
 

       
      lighthouse =


     

       
52

       
55

       
 

       
        { ... }@args:


     

       
53

       
56

       
 

       
        makeNebulaNode args "lighthouse" {


     

       

       
57

       
+

       
          networking.firewall.allowedUDPPorts = [ 53 ];


     

       
54

       
58

       
 

       
          networking.interfaces.eth1.ipv4.addresses = lib.mkForce [


     

       
55

       
59

       
 

       
            {


     

       
56

       
60

       
 

       
              address = "192.168.1.1";


     
···

       
76

       
80

       
 

       
                  host = "any";


     

       
77

       
81

       
 

       
                }


     

       
78

       
82

       
 

       
              ];


     

       

       
83

       
+

       
            };


     

       

       
84

       
+

       
            lighthouse = {


     

       

       
85

       
+

       
              dns = {


     

       

       
86

       
+

       
                enable = true;


     

       

       
87

       
+

       
                host = "10.0.100.1"; # bind to lighthouse interface


     

       

       
88

       
+

       
                port = 53; # answer on standard DNS port


     

       

       
89

       
+

       
              };


     

       
79

       
90

       
 

       
            };


     

       
80

       
91

       
 

       
          };


     

       
81

       
92

       
 

       
        };


     
···

       
338

       
349

       
 

       
        # allowAny can ping the lighthouse, but not allowFromLighthouse because of its inbound firewall


     

       
339

       
350

       
 

       
        allowAny.succeed("ping -c3 10.0.100.1")


     

       
340

       
351

       
 

       
        allowAny.fail("ping -c3 10.0.100.3")


     

       

       
352

       
+

       
        # allowAny can also resolve DNS on lighthouse


     

       

       
353

       
+

       
        allowAny.succeed("dig @10.0.100.1 allowToLighthouse | grep -E 'allowToLighthouse\.\s+[0-9]+\s+IN\s+A\s+10\.0\.100\.4'")


     

       
341

       
354

       
 

       



     

       
342

       
355

       
 

       
        # allowFromLighthouse can ping the lighthouse and allowAny


     

       
343

       
356

       
 

       
        allowFromLighthouse.succeed("ping -c3 10.0.100.1")