bgpwtf: add rsh tests, fix startup sequencing
Change-Id: Idba53905d3965db6f805221da3e48548d7a01811 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1340 Reviewed-by: implr <implr@hackerspace.pl>
This commit is contained in:
parent
957d91180a
commit
e1aa63c7dd
5 changed files with 100916 additions and 43 deletions
|
@ -30,39 +30,31 @@ in rec {
|
|||
# TODO(q3k): make this generic, move to modules/router.nix.
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
interfaces = [
|
||||
"185.236.240.1"
|
||||
"2a0d:eb00:2137::1"
|
||||
"127.0.0.1"
|
||||
];
|
||||
allowedAccess = [
|
||||
"185.236.240.0/22"
|
||||
"2a0d:eb00::0/29"
|
||||
"127.0.0.0/8"
|
||||
];
|
||||
extraConfig = ''
|
||||
outgoing-interface: 185.236.240.1
|
||||
outgoing-interface: 2a0d:eb00:2137::1
|
||||
cache-max-negative-ttl: 30
|
||||
|
||||
# Disable DoH in Firefox
|
||||
local-zone: "use-application-dns.net" static
|
||||
|
||||
# Rejestr Stron Hazardowych.
|
||||
# Populated by the rsh-unbound daemon.
|
||||
include: "/var/lib/unbound/rsh.conf"
|
||||
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: /var/run/unbound.ctl
|
||||
'';
|
||||
};
|
||||
# Fix `systemctl reload unbound`.
|
||||
systemd.services.unbound.reload = "${pkgs.unbound}/bin/unbound-control -c /var/lib/unbound/unbound.conf reload";
|
||||
hscloud.rsh = {
|
||||
enable = true;
|
||||
out = "/var/lib/unbound/rsh.conf";
|
||||
settings = {
|
||||
server = {
|
||||
interface = [
|
||||
"185.236.240.1"
|
||||
"2a0d:eb00:2137::1"
|
||||
"127.0.0.1"
|
||||
];
|
||||
access-control = [
|
||||
"185.236.240.0/22 allow"
|
||||
"2a0d:eb00::0/29 allow"
|
||||
"127.0.0.0/8 allow"
|
||||
];
|
||||
outgoing-interface = [
|
||||
"185.236.240.1"
|
||||
"2a0d:eb00:2137::1"
|
||||
];
|
||||
cache-max-negative-ttl = [ "30" ];
|
||||
local-zone = [
|
||||
# Disable DoH in Firefox
|
||||
"\"use-application-dns.net\" static"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
hscloud.rsh.enable = true;
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
wg-fmt = {
|
||||
|
|
|
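Review bot: The `remote-control:` stanza and the `systemd.services.unbound.reload` override are dropped in this hunk, and nothing visible replaces them, so it is no longer apparent how unbound is told to pick up a regenerated rsh.conf once the daemon refreshes it. If the rsh daemon or an operator still runs `unbound-control reload`, the new `services.unbound` block needs `localControl = true;` so the NixOS module creates the control socket; if the module already does that by default, a one-line comment such as `# reload via unbound-control is provided by services.unbound.localControl` next to `settings = {` would spare the next reader the same question. The resolver is still bound on the public addresses with `access-control` limited to the /22 and /29, unchanged from before, and the `include:` of the generated file is now added by the rsh module rather than here. The enclosing `rec` set continues outside the hunk.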
@ -54,17 +54,27 @@ in {
|
|||
};
|
||||
out = mkOption {
|
||||
type = str;
|
||||
default = "/var/lib/rsh.conf";
|
||||
description = "Output file for generated unbound config.";
|
||||
};
|
||||
register = mkOption {
|
||||
type = str;
|
||||
description = "URL of blocklist register.";
|
||||
default = "https://hazard.mf.gov.pl/api/Register";
|
||||
};
|
||||
};
|
||||
|
||||
config.systemd.services.rsh = mkIf cfg.enable {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${rshUnbound}/bin/rsh-unbound -output ${cfg.out} -register_endpoint https://hazard.mf.gov.pl/api/Register";
|
||||
Restart = "always";
|
||||
RestartSec = "60";
|
||||
config = mkIf cfg.enable {
|
||||
services.unbound.settings.server.include = [ cfg.out ];
|
||||
systemd.services.rsh = {
|
||||
wantedBy = [ "multi-user.target" "unbound.service" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStartPre = "${pkgs.coreutils}/bin/touch ${cfg.out}";
|
||||
ExecStart = "${rshUnbound}/bin/rsh-unbound -output ${cfg.out} -register_endpoint ${cfg.register}";
|
||||
Restart = "always";
|
||||
RestartSec = "10";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
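Review bot: `wantedBy = [ "multi-user.target" "unbound.service" ]` only makes unbound pull rsh.service in; it does not order the two units, so unbound can still start before the new `ExecStartPre` touch has created `${cfg.out}` and fail on the missing `include:` file, which is the sequencing this commit sets out to fix. Add `before = [ "unbound.service" ];` beside `wantedBy` so the touch is guaranteed to run first, keeping it a wants/before pair rather than `requires` so a failing fetch does not take the resolver down with it. The daemon presumably rewrites the file on each refresh, but how unbound is asked to reload it is not visible here; if that relies on `unbound-control`, the `out` option description should say so. The enclosing module continues outside the hunk.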
@ -13,10 +13,10 @@
|
|||
# stuff. We don't really test much else than internet routing.
|
||||
#
|
||||
# To run this:
|
||||
# nix-build -A bgpwtf.machines.tests.edge01-waw
|
||||
# nix-build -A bgpwtf.machines.tests.edge01-waw-bgp
|
||||
#
|
||||
# To debug this:
|
||||
# nix-build -A bgpwtf.machines.tests.edge01-waw.driver && result/bin/nixos-test-driver
|
||||
# nix-build -A bgpwtf.machines.tests.edge01-waw-bgp.driver && result/bin/nixos-test-driver
|
||||
# >>> start_all()
|
||||
|
||||
{ hscloud, ... }:
|
||||
|
@ -40,7 +40,6 @@ in { config, pkgs, ... }: {
|
|||
imports = [
|
||||
../modules/gretap.nix
|
||||
];
|
||||
|
||||
hscloud.gretap.interfaces."nnet" = {
|
||||
parent = "eth1";
|
||||
localV4 = "192.168.1.3";
|
||||
|
@ -139,7 +138,7 @@ in { config, pkgs, ... }: {
|
|||
|
||||
|
||||
test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
|
||||
name = "test-edge01-waw-e2e";
|
||||
name = "test-edge01-waw-bgp";
|
||||
|
||||
nodes = {
|
||||
dut = { config, pkgs, ... }: {
|
||||
|
|
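--- /dev/null
+++ b/bgpwtf/machines/tests/rsh-dns.nix
@@ -0,0 +1,81 @@
+# Test unbound & RSH infrastructure.
+#
+# To run this:
+# nix-build -A bgpwtf.machines.tests.rsh-dns
+
+{ hscloud, ... }:
+
+# Use pkgs that edge01 is using. Perhaps we shouldn't use them for
+# _everything_, but this will have to do.
+let
+  pkgs = hscloud.ops.machines."edge01.waw.bgp.wtf".pkgs;
+  pkgsSrc = pkgs.path;
+  lib = pkgs.lib;
+
+in with lib; let
+
+  test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, libs, ... }: {
+    name = "test-rsh-dns";
+
+    nodes = {
+      provider = { config, pkgs, ... }: {
+        networking.interfaces.eth1.ipv4.addresses = [
+          { address = "192.168.0.1"; prefixLength = 24; }
+        ];
+        networking.firewall.allowedTCPPorts = [ 80 ];
+        services.nginx = {
+          enable = true;
+          virtualHosts."fake" = {
+            default = true;
+            root = pkgs.runCommand "root" {} ''
+              mkdir -p $out
+              cat ${./rsh-sample-20220612.xml} > $out/fake-register.xml
+            '';
+          };
+        };
+      };
+      server = { config, pkgs, ... }: {
+        imports = [
+          ../modules/rsh-unbound.nix
+        ];
+        networking.interfaces.eth1.ipv4.addresses = [
+          { address = "192.168.0.2"; prefixLength = 24; }
+        ];
+        services.unbound = {
+          enable = true;
+          settings = {
+            server = {
+              interface = [
+                "127.0.0.1"
+              ];
+              access-control = [
+                "127.0.0.0/8 allow"
+              ];
+              cache-max-negative-ttl = [ "30" ];
+            };
+          };
+        };
+        hscloud.rsh = {
+          enable = true;
+          register = "http://192.168.0.1/fake-register.xml";
+        };
+        environment.systemPackages = with pkgs; [
+          bind.dnsutils curl
+        ];
+      };
+    };
+
+    testScript = ''
+      provider.start()
+      provider.wait_for_unit("default.target")
+
+      start_all()
+      server.wait_for_unit("unbound.service")
+      server.wait_for_unit("rsh.service")
+
+      if "145.237.235.240" not in server.succeed("dig +short xn--drckglck-75ae.de"):
+          raise Exception("blocklist not applied")
+    '';
+  });
+
+in test { inherit pkgs; inherit (pkgs) libs; }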
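Review bot: `server.wait_for_unit("rsh.service")` only proves the daemon process is up (it is `Type = "simple"`), not that it has fetched the register and that unbound has loaded the generated file, so the single `dig` that follows can run before the blocklist is applied and the test fails spuriously. Poll instead: `server.wait_until_succeeds("dig +short @127.0.0.1 xn--drckglck-75ae.de | grep -q 145.237.235.240")`, which also pins the query to the local unbound rather than whatever resolv.conf happens to name. A negative check that an unlisted name is not sinkholed would guard against an over-broad generated config, but the server has no upstream in this harness, so it would need a `local-data` entry of its own to resolve against. Note that the register is served over plain http here, so the daemon's certificate handling for the real endpoint is not exercised by this test.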
100791
bgpwtf/machines/tests/rsh-sample-20220612.xml
Normal file
100791
bgpwtf/machines/tests/rsh-sample-20220612.xml
Normal file
File diff suppressed because it is too large