bgpwtf: add rsh tests, fix startup sequencing
Change-Id: Idba53905d3965db6f805221da3e48548d7a01811 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1340 Reviewed-by: implr <implr@hackerspace.pl>
parent
957d91180a
commit
e1aa63c7dd
5 changed files with 100916 additions and 43 deletions
|
@ -30,39 +30,31 @@ in rec {
|
||||||
# TODO(q3k): make this generic, move to modules/router.nix.
|
# TODO(q3k): make this generic, move to modules/router.nix.
|
||||||
services.unbound = {
|
services.unbound = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces = [
|
settings = {
|
||||||
"185.236.240.1"
|
server = {
|
||||||
"2a0d:eb00:2137::1"
|
interface = [
|
||||||
"127.0.0.1"
|
"185.236.240.1"
|
||||||
];
|
"2a0d:eb00:2137::1"
|
||||||
allowedAccess = [
|
"127.0.0.1"
|
||||||
"185.236.240.0/22"
|
];
|
||||||
"2a0d:eb00::0/29"
|
access-control = [
|
||||||
"127.0.0.0/8"
|
"185.236.240.0/22 allow"
|
||||||
];
|
"2a0d:eb00::0/29 allow"
|
||||||
extraConfig = ''
|
"127.0.0.0/8 allow"
|
||||||
outgoing-interface: 185.236.240.1
|
];
|
||||||
outgoing-interface: 2a0d:eb00:2137::1
|
outgoing-interface = [
|
||||||
cache-max-negative-ttl: 30
|
"185.236.240.1"
|
||||||
|
"2a0d:eb00:2137::1"
|
||||||
# Disable DoH in Firefox
|
];
|
||||||
local-zone: "use-application-dns.net" static
|
cache-max-negative-ttl = [ "30" ];
|
||||||
|
local-zone = [
|
||||||
# Rejestr Stron Hazardowych.
|
# Disable DoH in Firefox
|
||||||
# Populated by the rsh-unbound daemon.
|
"\"use-application-dns.net\" static"
|
||||||
include: "/var/lib/unbound/rsh.conf"
|
];
|
||||||
|
};
|
||||||
remote-control:
|
};
|
||||||
control-enable: yes
|
|
||||||
control-interface: /var/run/unbound.ctl
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
# Fix `systemctl reload unbound`.
|
|
||||||
systemd.services.unbound.reload = "${pkgs.unbound}/bin/unbound-control -c /var/lib/unbound/unbound.conf reload";
|
|
||||||
hscloud.rsh = {
|
|
||||||
enable = true;
|
|
||||||
out = "/var/lib/unbound/rsh.conf";
|
|
||||||
};
|
};
|
||||||
|
hscloud.rsh.enable = true;
|
||||||
|
|
||||||
networking.wireguard.interfaces = {
|
networking.wireguard.interfaces = {
|
||||||
wg-fmt = {
|
wg-fmt = {
|
||||||
|
|
|
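Review bot: The explicit `remote-control` block and the `systemd.services.unbound.reload` override are dropped at the end of this hunk without a replacement, so nothing on this host configures `unbound-control` on /var/run/unbound.ctl any more. As far as I recall the NixOS `services.unbound` module leaves control-enable off unless `services.unbound.localControlSocketPath` is set and reloads via SIGHUP, so `systemctl reload unbound` should keep working, but anything that called `unbound-control` directly (rsh-unbound, if it reloads the resolver after rewriting the blocklist; operator runbooks) would not. If the socket is still wanted, `services.unbound.localControlSocketPath = "/run/unbound/unbound.ctl";` (path constructed) restores it under the module's own unit; otherwise a one-line comment above `services.unbound` saying how blocklist updates reach the running resolver would help the next reader. The trailing `hscloud.rsh.enable = true;` now relies on the module default `out` of /var/lib/rsh.conf instead of the previous /var/lib/unbound/rsh.conf, which is fine as long as unbound's unit sandbox can read that path.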
@ -54,17 +54,27 @@ in {
|
||||||
};
|
};
|
||||||
out = mkOption {
|
out = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
|
default = "/var/lib/rsh.conf";
|
||||||
description = "Output file for generated unbound config.";
|
description = "Output file for generated unbound config.";
|
||||||
};
|
};
|
||||||
|
register = mkOption {
|
||||||
|
type = str;
|
||||||
|
description = "URL of blocklist register.";
|
||||||
|
default = "https://hazard.mf.gov.pl/api/Register";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config.systemd.services.rsh = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
wantedBy = [ "multi-user.target" ];
|
services.unbound.settings.server.include = [ cfg.out ];
|
||||||
serviceConfig = {
|
systemd.services.rsh = {
|
||||||
Type = "simple";
|
wantedBy = [ "multi-user.target" "unbound.service" ];
|
||||||
ExecStart = "${rshUnbound}/bin/rsh-unbound -output ${cfg.out} -register_endpoint https://hazard.mf.gov.pl/api/Register";
|
serviceConfig = {
|
||||||
Restart = "always";
|
Type = "simple";
|
||||||
RestartSec = "60";
|
ExecStartPre = "${pkgs.coreutils}/bin/touch ${cfg.out}";
|
||||||
|
ExecStart = "${rshUnbound}/bin/rsh-unbound -output ${cfg.out} -register_endpoint ${cfg.register}";
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = "10";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
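Review bot: `wantedBy = [ "multi-user.target" "unbound.service" ]` at the top of the new `systemd.services.rsh` only adds a Wants= edge and does not order the two units, so on first boot unbound.service can still be started before the `ExecStartPre` touch has created `${cfg.out}` and fail on the `include` that `services.unbound.settings.server.include = [ cfg.out ]` now adds. Add `before = [ "unbound.service" ];` next to `wantedBy` so the touch (and, given Type=simple, the daemon's exec) is sequenced ahead of unbound. The unit also still has no `User`/`DynamicUser`, so the daemon that fetches and parses the remote register XML runs as root; a dedicated user with a `StateDirectory` holding `out` would keep the parser unprivileged, and the touch can stay root-run by prefixing the command with `+`. Since unbound reads the include only at config load, a comment on `ExecStart` saying how a refreshed blocklist is pushed to the running resolver would also help, as the module itself does not show that.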
@ -13,10 +13,10 @@
|
||||||
# stuff. We don't really test much else than internet routing.
|
# stuff. We don't really test much else than internet routing.
|
||||||
#
|
#
|
||||||
# To run this:
|
# To run this:
|
||||||
# nix-build -A bgpwtf.machines.tests.edge01-waw
|
# nix-build -A bgpwtf.machines.tests.edge01-waw-bgp
|
||||||
#
|
#
|
||||||
# To debug this:
|
# To debug this:
|
||||||
# nix-build -A bgpwtf.machines.tests.edge01-waw.driver && result/bin/nixos-test-driver
|
# nix-build -A bgpwtf.machines.tests.edge01-waw-bgp.driver && result/bin/nixos-test-driver
|
||||||
# >>> start_all()
|
# >>> start_all()
|
||||||
|
|
||||||
{ hscloud, ... }:
|
{ hscloud, ... }:
|
||||||
|
@ -40,7 +40,6 @@ in { config, pkgs, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
../modules/gretap.nix
|
../modules/gretap.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
hscloud.gretap.interfaces."nnet" = {
|
hscloud.gretap.interfaces."nnet" = {
|
||||||
parent = "eth1";
|
parent = "eth1";
|
||||||
localV4 = "192.168.1.3";
|
localV4 = "192.168.1.3";
|
||||||
|
@ -139,7 +138,7 @@ in { config, pkgs, ... }: {
|
||||||
|
|
||||||
|
|
||||||
test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
|
test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
|
||||||
name = "test-edge01-waw-e2e";
|
name = "test-edge01-waw-bgp";
|
||||||
|
|
||||||
nodes = {
|
nodes = {
|
||||||
dut = { config, pkgs, ... }: {
|
dut = { config, pkgs, ... }: {
|
||||||
|
|
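--- a/bgpwtf/machines/tests/rsh-dns.nix
+++ b/bgpwtf/machines/tests/rsh-dns.nix
@@ -0,0 +1,81 @@
+# Test unbound & RSH infrastructure.
+#
+# To run this:
+# nix-build -A bgpwtf.machines.tests.rsh-dns
+
+{ hscloud, ... }:
+
+# Use pkgs that edge01 is using. Perhaps we shouldn't use them for
+# _everything_, but this will have to do.
+let
+pkgs = hscloud.ops.machines."edge01.waw.bgp.wtf".pkgs;
+pkgsSrc = pkgs.path;
+lib = pkgs.lib;
+
+in with lib; let
+
+test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
+name = "test-rsh-dns";
+
+nodes = {
+provider = { config, pkgs, ... }: {
+networking.interfaces.eth1.ipv4.addresses = [
+{ address = "192.168.0.1"; prefixLength = 24; }
+];
+networking.firewall.allowedTCPPorts = [ 80 ];
+services.nginx = {
+enable = true;
+virtualHosts."fake" = {
+default = true;
+root = pkgs.runCommand "root" {} ''
+mkdir -p $out
+cat ${./rsh-sample-20220612.xml} > $out/fake-register.xml
+'';
+};
+};
+};
+server = { config, pkgs, ... }: {
+imports = [
+../modules/rsh-unbound.nix
+];
+networking.interfaces.eth1.ipv4.addresses = [
+{ address = "192.168.0.2"; prefixLength = 24; }
+];
+services.unbound = {
+enable = true;
+settings = {
+server = {
+interface = [
+"127.0.0.1"
+];
+access-control = [
+"127.0.0.0/8 allow"
+];
+cache-max-negative-ttl = [ "30" ];
+};
+};
+};
+hscloud.rsh = {
+enable = true;
+register = "http://192.168.0.1/fake-register.xml";
+};
+environment.systemPackages = with pkgs; [
+bind.dnsutils curl
+];
+};
+};
+
+testScript = ''
+provider.start()
+provider.wait_for_unit("default.target")
+
+start_all()
+server.wait_for_unit("unbound.service")
+server.wait_for_unit("rsh.service")
+
+if "145.237.235.240" not in server.succeed("dig +short xn--drckglck-75ae.de"):
+raise Exception("blocklist not applied")
+'';
+});
+
+in test { inherit pkgs; inherit (pkgs) libs; }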
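Review bot: `server.wait_for_unit("rsh.service")` in the testScript returns as soon as the Type=simple daemon has been exec'd, not once it has fetched the register and written the include, so the single `dig` that follows can run against a still-empty blocklist and the test fails intermittently. Make the positive check retry until the entry appears, `server.wait_until_succeeds("dig +short xn--drckglck-75ae.de | grep -q 145.237.235.240")`, in place of the `if`/`raise` pair. The script also has no negative case, so a local-zone that sinkholes every name would pass; add `assert "145.237.235.240" not in server.succeed("dig +short example.org")` after it so an unlisted name is shown not to be rewritten. Whether unbound picks up a file written after it started depends on rsh-unbound reloading it, which this test cannot establish by itself, so a short comment above `start_all()` stating the expected mechanism would help.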
100791
bgpwtf/machines/tests/rsh-sample-20220612.xml
Normal file