nixos/tests/dnsdist: test dnscrypt support

rnhmjoj 2023-11-27 22:00:42 +01:00
parent 1a1b91b3b9
commit a41bd09059
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450
2 changed files with 83 additions and 18 deletions


@ -242,7 +242,7 @@ in {
discourse = handleTest ./discourse.nix {}; discourse = handleTest ./discourse.nix {};
dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {}; dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper; dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
dnsdist = runTest ./dnsdist.nix {}; dnsdist = import ./dnsdist.nix { inherit pkgs runTest; };
doas = handleTest ./doas.nix {}; doas = handleTest ./doas.nix {};
docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {}; docker = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker.nix {};
docker-rootless = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker-rootless.nix {}; docker-rootless = handleTestOn ["aarch64-linux" "x86_64-linux"] ./docker-rootless.nix {};


@ -1,12 +1,11 @@
{ pkgs, lib, ... }: { pkgs, runTest }:
{ let
name = "dnsdist";
meta = with lib; {
maintainers = with maintainers; [ jojosch ];
};
nodes.machine = { pkgs, lib, ... }: { inherit (pkgs) lib;
baseConfig = {
networking.nameservers = [ "::1" ];
services.bind = { services.bind = {
enable = true; enable = true;
extraOptions = "empty-zones-enable no;"; extraOptions = "empty-zones-enable no;";
@ -32,17 +31,83 @@
newServer({address="127.0.0.1:53", name="local-bind"}) newServer({address="127.0.0.1:53", name="local-bind"})
''; '';
}; };
environment.systemPackages = with pkgs; [ dig ];
}; };
testScript = '' in
machine.wait_for_unit("bind.service")
machine.wait_for_open_port(53)
machine.succeed("dig @127.0.0.1 +short -x 192.168.0.1 | grep -qF ns.example.org")
machine.wait_for_unit("dnsdist.service") {
machine.wait_for_open_port(5353)
machine.succeed("dig @127.0.0.1 -p 5353 +short -x 192.168.0.1 | grep -qF ns.example.org") base = runTest {
''; name = "dnsdist-base";
meta.maintainers = with lib.maintainers; [ jojosch ];
nodes.machine = baseConfig;
testScript = ''
machine.wait_for_unit("bind.service")
machine.wait_for_open_port(53)
machine.succeed("host -p 53 192.168.0.1 | grep -qF ns.example.org")
machine.wait_for_unit("dnsdist.service")
machine.wait_for_open_port(5353)
machine.succeed("host -p 5353 192.168.0.1 | grep -qF ns.example.org")
'';
};
dnscrypt = runTest {
name = "dnsdist-dnscrypt";
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
nodes.server = lib.mkMerge [
baseConfig
{
networking.firewall.allowedTCPPorts = [ 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.dnsdist.dnscrypt.enable = true;
services.dnsdist.dnscrypt.providerKey = "${./dnscrypt-wrapper/secret.key}";
}
];
nodes.client = {
services.dnscrypt-proxy2.enable = true;
services.dnscrypt-proxy2.upstreamDefaults = false;
services.dnscrypt-proxy2.settings =
{ server_names = [ "server" ];
listen_addresses = [ "[::1]:53" ];
cache = false;
# Computed using https://dnscrypt.info/stamps/
static.server.stamp =
"sdns://AQAAAAAAAAAADzE5Mi4xNjguMS4yOjQ0MyAUQdg6_RIIpK6pHkINhrv7nxwIG5c7b_m5NJVT3A1AXRYyLmRuc2NyeXB0LWNlcnQuc2VydmVy";
};
networking.nameservers = [ "::1" ];
};
testScript = ''
with subtest("The DNSCrypt server is accepting connections"):
server.wait_for_unit("bind.service")
server.wait_for_unit("dnsdist.service")
server.wait_for_open_port(443)
almost_expiration = server.succeed("date --date '14min'").strip()
with subtest("The DNSCrypt client can connect to the server"):
client.wait_until_succeeds("journalctl -u dnscrypt-proxy2 --grep '\[server\] OK'")
with subtest("DNS queries over UDP are working"):
client.wait_for_open_port(53)
client.succeed("host -U 192.168.0.1 | grep -qF ns.example.org")
with subtest("DNS queries over TCP are working"):
client.wait_for_open_port(53)
client.succeed("host -T 192.168.0.1 | grep -qF ns.example.org")
with subtest("The server rotates the ephemeral keys"):
server.succeed(f"date -s '{almost_expiration}'")
client.succeed(f"date -s '{almost_expiration}'")
server.wait_until_succeeds("journalctl -u dnsdist --grep 'rotated certificate'")
with subtest("The client can still connect to the server"):
client.wait_until_succeeds("host -T 192.168.0.1")
client.wait_until_succeeds("host -U 192.168.0.1")
'';
};
} }
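Review bot: The last subtest only checks that `host -T 192.168.0.1` and `host -U 192.168.0.1` exit successfully after the clock jump, so unlike the UDP/TCP subtests above it would accept any answer that `host` manages to resolve; pipe both through `| grep -qF ns.example.org` so the post-rotation check asserts the same result as the pre-rotation ones. `services.dnsdist.dnscrypt.providerKey = "${./dnscrypt-wrapper/secret.key}"` interpolates a path, which copies the private key into the world-readable Nix store — acceptable for a shared test fixture, but worth a comment such as `# Test-only key shared with the dnscrypt-wrapper test; "${./path}" copies it into the world-readable store, never do this with a real key.` so the pattern is not copied into real configurations. The `--grep '\[server\] OK'` pattern sits in a non-raw Python string and relies on `\[` being an unrecognised escape that Python keeps literally; newer interpreters emit a SyntaxWarning for it, so write `\\[server\\] OK` or use a raw string. The `14min` offset used to force a rotation appears to assume a certificate lifetime configured outside this hunk, so a one-line comment stating the assumed lifetime would make the subtest easier to keep in sync with the module defaults.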