[NixPkgs.git] / nixos / tests / dnscrypt-wrapper / default.nix
1 import ../make-test-python.nix ({ pkgs, ... }: {
2   name = "dnscrypt-wrapper";
    # Test overview: a `server` VM runs dnscrypt-wrapper and tinydns, and a
    # `client` VM resolves a name through dnscrypt-proxy2 before and after the
    # server rotates its ephemeral keys.
3   meta = with pkgs.lib.maintainers; {
4     maintainers = [ rnhmjoj ];
5   };
7   nodes = {
8     server = { lib, ... }:
        # Server node: dnscrypt-wrapper with a fixed provider keypair, plus a
        # tinydns instance holding the record the client looks up. Presumably
        # dnscrypt-wrapper forwards decrypted queries to this local tinydns;
        # the upstream setting is not shown here, so confirm against the module.
9       { services.dnscrypt-wrapper = with builtins;
10           { enable = true;
11             address = "192.168.1.1";
               # Short key lifetime and check interval so the rotation subtest in
               # testScript can trigger by advancing the clock by about four days.
12             keys.expiration = 5; # days
13             keys.checkInterval = 2;  # min
14             # The keypair was generated by the command:
15             # dnscrypt-wrapper --gen-provider-keypair \
16             #  --provider-name=2.dnscrypt-cert.server \
17             #  --ext-address=192.168.1.1:5353
               # Test fixture only: readFile/toFile copy the key contents into the
               # Nix store, which is world-readable, and ./secret.key lives next to
               # this file. Do not reuse this keypair; a real deployment should
               # keep the provider secret key in a file outside the store.
18             providerKey.public = toFile "public.key" (readFile ./public.key);
19             providerKey.secret = toFile "secret.key" (readFile ./secret.key);
20           };
21         services.tinydns.enable = true;
           # tinydns-data syntax: the '.' line makes this server authoritative for
           # the root zone (NS/SOA, nameserver address 192.168.1.1); the '+' line
           # is the A record it.works -> 1.2.3.4 that the client subtest asserts.
22         services.tinydns.data = ''
23           ..:192.168.1.1:a
24           +it.works:1.2.3.4
25         '';
           # 5353 is the port named in --ext-address above; it is opened for both
           # UDP and TCP.
26         networking.firewall.allowedUDPPorts = [ 5353 ];
27         networking.firewall.allowedTCPPorts = [ 5353 ];
           # mkForce replaces whatever addresses would otherwise be set on eth1,
           # so the address matches the one baked into the keypair command.
28         networking.interfaces.eth1.ipv4.addresses = lib.mkForce
29           [ { address = "192.168.1.1"; prefixLength = 24; } ];
30       };
32     client = { lib, ... }:
         # Client node: dnscrypt-proxy2 configured with a single static resolver
         # (the server VM), used as the system resolver via 127.0.0.1.
33       { services.dnscrypt-proxy2.enable = true;
           # upstreamDefaults = false: the settings below are not merged with the
           # upstream example configuration, so only the static "server" entry
           # is configured here.
34         services.dnscrypt-proxy2.upstreamDefaults = false;
35         services.dnscrypt-proxy2.settings = {
36           server_names = [ "server" ];
             # The stamp decodes to a DNSCrypt resolver at 192.168.1.1:5353 with
             # provider name 2.dnscrypt-cert.server and the provider public key
             # embedded, so the client only trusts certificates signed by that
             # key. TODO confirm the embedded key matches ./public.key.
37           static.server.stamp = "sdns://AQAAAAAAAAAAEDE5Mi4xNjguMS4xOjUzNTMgFEHYOv0SCKSuqR5CDYa7-58cCBuXO2_5uTSVU9wNQF0WMi5kbnNjcnlwdC1jZXJ0LnNlcnZlcg";
38         };
           # Presumably dnscrypt-proxy2 listens on 127.0.0.1 by default; the
           # listen address is not set in this file.
39         networking.nameservers = [ "127.0.0.1" ];
40         networking.interfaces.eth1.ipv4.addresses = lib.mkForce
41           [ { address = "192.168.1.2"; prefixLength = 24; } ];
42       };
44   };
46   testScript = ''
47     start_all()
49     with subtest("The server can generate the ephemeral keypair"):
50         server.wait_for_unit("dnscrypt-wrapper")
51         server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
52         server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")
54     with subtest("The client can connect to the server"):
55         server.wait_for_unit("tinydns")
56         client.wait_for_unit("dnscrypt-proxy2")
57         assert "1.2.3.4" in client.succeed(
58             "host it.works"
59         ), "The IP address of 'it.works' does not match 1.2.3.4"
61     with subtest("The server rotates the ephemeral keys"):
62         # advance time by a little less than 5 days
63         server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
64         client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
65         server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")
67     with subtest("The client can still connect to the server"):
68         server.wait_for_unit("dnscrypt-wrapper")
69         client.succeed("host it.works")
70   '';
     # Notes on testScript: the rotation subtest moves both clocks forward by
     # '4 days 6 hours', just under the keys.expiration = 5 (days) set on the
     # server, and takes the appearance of /var/lib/dnscrypt-wrapper/oldkeys as
     # the sign that rotation ran. The client's clock is advanced as well,
     # presumably so that certificate validity is judged against the same time
     # on both ends. The last subtest checks that the client, which is pinned
     # to the provider key through its stamp, still resolves after rotation; it
     # only requires the lookup to succeed and does not re-check the address.