
bgpwtf: add rsh tests, fix startup sequencing

Change-Id: Idba53905d3965db6f805221da3e48548d7a01811
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1340
Reviewed-by: implr <implr@hackerspace.pl>
q3k 2022-06-12 12:27:56 +02:00 committed by q3k
parent 957d91180a
commit e1aa63c7dd
5 changed files with 100916 additions and 43 deletions


@ -30,39 +30,31 @@ in rec {
# TODO(q3k): make this generic, move to modules/router.nix.
services.unbound = {
enable = true;
interfaces = [
"185.236.240.1"
"2a0d:eb00:2137::1"
"127.0.0.1"
];
allowedAccess = [
"185.236.240.0/22"
"2a0d:eb00::0/29"
"127.0.0.0/8"
];
extraConfig = ''
outgoing-interface: 185.236.240.1
outgoing-interface: 2a0d:eb00:2137::1
cache-max-negative-ttl: 30
# Disable DoH in Firefox
local-zone: "use-application-dns.net" static
# Rejestr Stron Hazardowych.
# Populated by the rsh-unbound daemon.
include: "/var/lib/unbound/rsh.conf"
remote-control:
control-enable: yes
control-interface: /var/run/unbound.ctl
'';
};
# Fix `systemctl reload unbound`.
systemd.services.unbound.reload = "${pkgs.unbound}/bin/unbound-control -c /var/lib/unbound/unbound.conf reload";
hscloud.rsh = {
enable = true;
out = "/var/lib/unbound/rsh.conf";
settings = {
server = {
interface = [
"185.236.240.1"
"2a0d:eb00:2137::1"
"127.0.0.1"
];
access-control = [
"185.236.240.0/22 allow"
"2a0d:eb00::0/29 allow"
"127.0.0.0/8 allow"
];
outgoing-interface = [
"185.236.240.1"
"2a0d:eb00:2137::1"
];
cache-max-negative-ttl = [ "30" ];
local-zone = [
# Disable DoH in Firefox
"\"use-application-dns.net\" static"
];
};
};
};
hscloud.rsh.enable = true;
networking.wireguard.interfaces = {
wg-fmt = {


@ -54,17 +54,27 @@ in {
};
out = mkOption {
type = str;
default = "/var/lib/rsh.conf";
description = "Output file for generated unbound config.";
};
register = mkOption {
type = str;
description = "URL of blocklist register.";
default = "https://hazard.mf.gov.pl/api/Register";
};
};
config.systemd.services.rsh = mkIf cfg.enable {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${rshUnbound}/bin/rsh-unbound -output ${cfg.out} -register_endpoint https://hazard.mf.gov.pl/api/Register";
Restart = "always";
RestartSec = "60";
config = mkIf cfg.enable {
services.unbound.settings.server.include = [ cfg.out ];
systemd.services.rsh = {
wantedBy = [ "multi-user.target" "unbound.service" ];
serviceConfig = {
Type = "simple";
ExecStartPre = "${pkgs.coreutils}/bin/touch ${cfg.out}";
ExecStart = "${rshUnbound}/bin/rsh-unbound -output ${cfg.out} -register_endpoint ${cfg.register}";
Restart = "always";
RestartSec = "10";
};
};
};
}
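Review bot: The new `config` block injects `cfg.out` into `services.unbound.settings.server.include` but never enables or requires unbound, so a host that sets `hscloud.rsh.enable = true` without `services.unbound.enable` gets a daemon whose output nothing reads; an entry such as `assertions = [ { assertion = cfg.enable -> config.services.unbound.enable; message = "hscloud.rsh requires services.unbound"; } ];` in the `config` block would make the dependency explicit. `wantedBy = [ "multi-user.target" "unbound.service" ]` pulls rsh in alongside unbound but adds no ordering, so unbound can still start before the `ExecStartPre` `touch` has created `cfg.out` and fail on the missing include; `before = [ "unbound.service" ];` on `systemd.services.rsh` pins the sequencing the commit title describes, since `Type = "simple"` lets unbound proceed once `ExecStartPre` has finished. rsh.service also runs as root with no sandboxing while fetching `cfg.register` over the network and writing into the unbound config tree; a `DynamicUser`/`User` with `ProtectSystem = "strict"` and `ReadWritePaths` for the output directory would shrink that footprint, provided the unbound user can still read the file. The `options` block edited at the top of this hunk begins before the hunk.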


@ -13,10 +13,10 @@
# stuff. We don't really test much else than internet routing.
#
# To run this:
# nix-build -A bgpwtf.machines.tests.edge01-waw
# nix-build -A bgpwtf.machines.tests.edge01-waw-bgp
#
# To debug this:
# nix-build -A bgpwtf.machines.tests.edge01-waw.driver && result/bin/nixos-test-driver
# nix-build -A bgpwtf.machines.tests.edge01-waw-bgp.driver && result/bin/nixos-test-driver
# >>> start_all()
{ hscloud, ... }:
@ -40,7 +40,6 @@ in { config, pkgs, ... }: {
imports = [
../modules/gretap.nix
];
hscloud.gretap.interfaces."nnet" = {
parent = "eth1";
localV4 = "192.168.1.3";
@ -139,7 +138,7 @@ in { config, pkgs, ... }: {
test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
name = "test-edge01-waw-e2e";
name = "test-edge01-waw-bgp";
nodes = {
dut = { config, pkgs, ... }: {


@ -0,0 +1,81 @@
# Test unbound & RSH infrastructure.
#
# To run this:
# nix-build -A bgpwtf.machines.tests.rsh-dns
{ hscloud, ... }:
# Use pkgs that edge01 is using. Perhaps we shouldn't use them for
# _everything_, but this will have to do.
let
pkgs = hscloud.ops.machines."edge01.waw.bgp.wtf".pkgs;
pkgsSrc = pkgs.path;
lib = pkgs.lib;
in with lib; let
test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
name = "test-rsh-dns";
nodes = {
provider = { config, pkgs, ... }: {
networking.interfaces.eth1.ipv4.addresses = [
{ address = "192.168.0.1"; prefixLength = 24; }
];
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts."fake" = {
default = true;
root = pkgs.runCommand "root" {} ''
mkdir -p $out
cat ${./rsh-sample-20220612.xml} > $out/fake-register.xml
'';
};
};
};
server = { config, pkgs, ... }: {
imports = [
../modules/rsh-unbound.nix
];
networking.interfaces.eth1.ipv4.addresses = [
{ address = "192.168.0.2"; prefixLength = 24; }
];
services.unbound = {
enable = true;
settings = {
server = {
interface = [
"127.0.0.1"
];
access-control = [
"127.0.0.0/8 allow"
];
cache-max-negative-ttl = [ "30" ];
};
};
};
hscloud.rsh = {
enable = true;
register = "http://192.168.0.1/fake-register.xml";
};
environment.systemPackages = with pkgs; [
bind.dnsutils curl
];
};
};
testScript = ''
provider.start()
provider.wait_for_unit("default.target")
start_all()
server.wait_for_unit("unbound.service")
server.wait_for_unit("rsh.service")
if "145.237.235.240" not in server.succeed("dig +short xn--drckglck-75ae.de"):
raise Exception("blocklist not applied")
'';
});
in test { inherit pkgs; inherit (pkgs) libs; }
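Review bot: The final check in `testScript` races the daemon: `rsh.service` is `Type = "simple"`, so `server.wait_for_unit("rsh.service")` returns as soon as `rsh-unbound` has been exec'd, before the register has been fetched and before unbound has loaded the generated zones, and the single `server.succeed("dig +short ...")` can then fail spuriously. Replacing the `if`/`raise` pair with `server.wait_until_succeeds("dig +short @127.0.0.1 xn--drckglck-75ae.de | grep -q 145.237.235.240")` polls until the zone is served, pins the query to the local unbound rather than whatever resolv.conf holds, and keeps the test's own timeout as the failure bound. The expected name and address are presumably taken from the bundled `rsh-sample-20220612.xml`; a comment above the check saying so (`# name/address pair taken from rsh-sample-20220612.xml`) would keep the assertion maintainable when the sample is refreshed.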
