python312Packages.homematicip: 1.1.2 -> 1.1.3 (#356780)

[NixPkgs.git] / nixos / tests / dnsdist.nix

{ pkgs, runTest }:

let

  inherit (pkgs) lib;

  baseConfig = {
    networking.nameservers = [ "::1" ];
    services.bind = {
      enable = true;
      extraOptions = "empty-zones-enable no;";
      zones = lib.singleton {
        name = ".";
        master = true;
        file = pkgs.writeText "root.zone" ''
          $TTL 3600
          . IN SOA ns.example.org. admin.example.org. ( 1 3h 1h 1w 1d )
          . IN NS ns.example.org.

          ns.example.org. IN A    192.168.0.1
          ns.example.org. IN AAAA abcd::1

          1.0.168.192.in-addr.arpa IN PTR ns.example.org.
        '';
      };
    };
    services.dnsdist = {
      enable = true;
      listenPort = 5353;
      extraConfig = ''
        newServer({address="127.0.0.1:53", name="local-bind"})
      '';
    };
  };

in

{

  base = runTest {
    name = "dnsdist-base";
    meta.maintainers = with lib.maintainers; [ jojosch ];

    nodes.machine = baseConfig;

    testScript = ''
      machine.wait_for_unit("bind.service")
      machine.wait_for_open_port(53)
      machine.succeed("host -p 53 192.168.0.1 | grep -qF ns.example.org")

      machine.wait_for_unit("dnsdist.service")
      machine.wait_for_open_port(5353)
      machine.succeed("host -p 5353 192.168.0.1 | grep -qF ns.example.org")
    '';
  };

  dnscrypt = runTest {
    name = "dnsdist-dnscrypt";
    meta.maintainers = with lib.maintainers; [ rnhmjoj ];

    nodes.server = lib.mkMerge [
      baseConfig
      {
        networking.firewall.allowedTCPPorts = [ 443 ];
        networking.firewall.allowedUDPPorts = [ 443 ];
        services.dnsdist.dnscrypt.enable = true;
        services.dnsdist.dnscrypt.providerKey = pkgs.runCommand "dnscrypt-secret.key" {} ''
          echo 'R70+xqm7AaDsPtDgpSjSG7KHvEqVf6u6PZ+E3cGPbOwUQdg6/
                RIIpK6pHkINhrv7nxwIG5c7b/m5NJVT3A1AXQ==' | base64 -id > "$out"
        '';
      }
    ];

    nodes.client = {
      services.dnscrypt-proxy2.enable = true;
      services.dnscrypt-proxy2.upstreamDefaults = false;
      services.dnscrypt-proxy2.settings =
        { server_names = [ "server" ];
          listen_addresses = [ "[::1]:53" ];
          cache = false;
          # Computed using https://dnscrypt.info/stamps/
          static.server.stamp =
            "sdns://AQAAAAAAAAAADzE5Mi4xNjguMS4yOjQ0MyAUQdg6_RIIpK6pHkINhrv7nxwIG5c7b_m5NJVT3A1AXRYyLmRuc2NyeXB0LWNlcnQuc2VydmVy";
        };
      networking.nameservers = [ "::1" ];
    };

    testScript = ''
      with subtest("The DNSCrypt server is accepting connections"):
          server.wait_for_unit("bind.service")
          server.wait_for_unit("dnsdist.service")
          server.wait_for_open_port(443)
          almost_expiration = server.succeed("date --date '14min'").strip()

      with subtest("The DNSCrypt client can connect to the server"):
          client.wait_until_succeeds("journalctl -u dnscrypt-proxy2 --grep '\[server\] OK'")

      with subtest("DNS queries over UDP are working"):
          client.wait_for_open_port(53)
          client.succeed("host -U 192.168.0.1 | grep -qF ns.example.org")

      with subtest("DNS queries over TCP are working"):
          client.wait_for_open_port(53)
          client.succeed("host -T 192.168.0.1 | grep -qF ns.example.org")

      with subtest("The server rotates the ephemeral keys"):
          server.succeed(f"date -s '{almost_expiration}'")
          client.succeed(f"date -s '{almost_expiration}'")
          server.wait_until_succeeds("journalctl -u dnsdist --grep 'rotated certificate'")

      with subtest("The client can still connect to the server"):
          client.wait_until_succeeds("host -T 192.168.0.1")
          client.wait_until_succeeds("host -U 192.168.0.1")
    '';
  };
}