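# Test unbound & RSH infrastructure.
#
# To run this:
#   nix-build -A bgpwtf.machines.tests.rsh-dns
#
# Two VMs on an isolated network: `provider` serves a pinned copy of the RSH
# register XML over HTTP, `server` runs unbound with the rsh-unbound module
# pointed at that copy. The test passes when a domain listed in the fixture
# resolves to the expected blocklist address, i.e. the register was fetched,
# parsed and loaded into unbound. Because the fixture is checked in, the test
# needs no network access and does not change result when the live register
# is updated.

{ hscloud, ... }:

# Use pkgs that edge01 is using. Perhaps we shouldn't use them for
# _everything_, but this will have to do.
let
  pkgs = hscloud.ops.machines."edge01.waw.bgp.wtf".pkgs;
  pkgsSrc = pkgs.path;
  lib = pkgs.lib;
in with lib;

let
  # make-test-python supplies `pkgs` (and `lib`) to the test function itself;
  # only `pkgs` is used below.
  test = import "${pkgsSrc}/nixos/tests/make-test-python.nix" ({ pkgs, ... }: {
    name = "test-rsh-dns";

    nodes = {
      # Stand-in for the real register host: a static nginx serving the
      # sample XML under the path `server` is configured to fetch.
      provider = { config, pkgs, ... }: {
        networking.interfaces.eth1.ipv4.addresses = [
          { address = "192.168.0.1"; prefixLength = 24; }
        ];
        networking.firewall.allowedTCPPorts = [ 80 ];
        services.nginx = {
          enable = true;
          virtualHosts."fake" = {
            default = true;
            root = pkgs.runCommand "root" {} ''
              mkdir -p $out
              cat ${./rsh-sample-20220612.xml} > $out/fake-register.xml
            '';
          };
        };
      };

      # System under test: unbound plus the hscloud.rsh module.
      server = { config, pkgs, ... }: {
        imports = [ ../modules/rsh-unbound.nix ];
        networking.interfaces.eth1.ipv4.addresses = [
          { address = "192.168.0.2"; prefixLength = 24; }
        ];
        services.unbound = {
          enable = true;
          settings = {
            server = {
              # Loopback only: the test queries unbound from inside this VM.
              interface = [ "127.0.0.1" ];
              access-control = [ "127.0.0.0/8 allow" ];
              # NOTE(review): presumably keeps a negative answer cached
              # before the blocklist loads from masking the result — confirm.
              cache-max-negative-ttl = [ "30" ];
            };
          };
        };
        hscloud.rsh = {
          enable = true;
          # Plain HTTP is acceptable here: the fixture only travels over the
          # isolated test network. NOTE(review): what the module does with
          # the fetched document (any integrity checking) is not visible from
          # this file — see ../modules/rsh-unbound.nix.
          register = "http://192.168.0.1/fake-register.xml";
        };
        environment.systemPackages = with pkgs; [ bind.dnsutils curl ];
      };
    };

    testScript = ''
      # Bring the register mock up first so rsh.service's initial fetch does
      # not race against nginx starting.
      provider.start()
      provider.wait_for_unit("default.target")

      start_all()
      server.wait_for_unit("unbound.service")
      server.wait_for_unit("rsh.service")

      # xn--drckglck-75ae.de is an entry from the pinned fixture; a blocklisted
      # name is expected to resolve to 145.237.235.240. Only the positive case
      # is checked: a non-listed name has no upstream resolver to answer it in
      # the sandbox, so it cannot serve as a negative control here.
      if "145.237.235.240" not in server.succeed("dig +short xn--drckglck-75ae.de"):
          raise Exception("blocklist not applied")
    '';
  });
in test { inherit pkgs; }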