2024-10-26 13:23:22 +02:00
|
|
|
{ self, ... }:
|
|
|
|
{
|
|
|
|
perSystem =
|
|
|
|
{ pkgs, self', ... }:
|
|
|
|
{
|
|
|
|
checks =
|
|
|
|
let
|
|
|
|
testDomain = "webnstest.example";
|
2024-12-29 17:41:25 +01:00
|
|
|
|
2024-10-26 13:23:22 +02:00
|
|
|
zoneFile = pkgs.writeText "${testDomain}.zoneinfo" ''
|
|
|
|
$ORIGIN .
|
|
|
|
$TTL 60 ; 1 minute
|
|
|
|
${testDomain} IN SOA ns1.${testDomain}. admin.${testDomain}. (
|
|
|
|
1 ; serial
|
|
|
|
21600 ; refresh (6 hours)
|
|
|
|
3600 ; retry (1 hour)
|
|
|
|
604800 ; expire (1 week)
|
|
|
|
86400) ; negative caching TTL (1 day)
|
|
|
|
|
|
|
|
IN NS ns1.${testDomain}.
|
|
|
|
$ORIGIN ${testDomain}.
|
|
|
|
${testDomain}. IN A 127.0.0.1
|
|
|
|
${testDomain}. IN AAAA ::1
|
|
|
|
ns1 IN A 127.0.0.1
|
|
|
|
ns1 IN AAAA ::1
|
|
|
|
nsupdate IN A 127.0.0.1
|
|
|
|
nsupdate IN AAAA ::1
|
|
|
|
'';
|
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
bindDynamicZone =
|
2024-12-29 17:41:25 +01:00
|
|
|
{ config, ... }:
|
|
|
|
let
|
|
|
|
bindCfg = config.services.bind;
|
|
|
|
bindData = bindCfg.directory;
|
|
|
|
dynamicZonesDir = "${bindData}/zones";
|
|
|
|
in
|
|
|
|
{
|
2024-12-29 17:41:25 +01:00
|
|
|
services.bind.zones.${testDomain} = {
|
|
|
|
master = true;
|
|
|
|
file = "${dynamicZonesDir}/${testDomain}";
|
|
|
|
extraConfig = ''
|
|
|
|
allow-update { key rndc-key; };
|
|
|
|
'';
|
|
|
|
};
|
2024-10-26 13:23:22 +02:00
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
systemd.services.bind.preStart = ''
|
|
|
|
# shellcheck disable=SC2211,SC1127
|
|
|
|
rm -f ${dynamicZonesDir}/* # reset dynamic zones
|
2024-10-26 13:23:22 +02:00
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
# create a dynamic zones dir
|
|
|
|
mkdir -m 0755 -p ${dynamicZonesDir}
|
|
|
|
# copy dynamic zone's file to the dynamic zones dir
|
|
|
|
cp ${zoneFile} ${dynamicZonesDir}/${testDomain}
|
|
|
|
'';
|
|
|
|
};
|
2024-12-29 17:41:25 +01:00
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
webnsupdate-machine = {
|
|
|
|
imports = [
|
|
|
|
bindDynamicZone
|
|
|
|
self.nixosModules.webnsupdate
|
|
|
|
];
|
2024-10-26 13:23:22 +02:00
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
config = {
|
|
|
|
environment.systemPackages = [
|
|
|
|
pkgs.dig
|
|
|
|
pkgs.curl
|
|
|
|
];
|
2024-10-26 13:23:22 +02:00
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
services = {
|
|
|
|
bind.enable = true;
|
2024-10-26 13:23:22 +02:00
|
|
|
|
2024-12-29 17:41:25 +01:00
|
|
|
webnsupdate = {
|
|
|
|
enable = true;
|
|
|
|
bindIp = "127.0.0.1";
|
|
|
|
keyFile = "/etc/bind/rndc.key";
|
|
|
|
# test:test (user:password)
|
|
|
|
passwordFile = pkgs.writeText "webnsupdate.pass" "FQoNmuU1BKfg8qsU96F6bK5ykp2b0SLe3ZpB3nbtfZA";
|
|
|
|
package = self'.packages.webnsupdate;
|
|
|
|
extraArgs = [
|
|
|
|
"-vvv" # debug messages
|
|
|
|
"--ip-source=ConnectInfo"
|
|
|
|
];
|
|
|
|
records = ''
|
|
|
|
test1.${testDomain}.
|
|
|
|
test2.${testDomain}.
|
|
|
|
test3.${testDomain}.
|
|
|
|
'';
|
|
|
|
};
|
2024-12-29 17:41:25 +01:00
|
|
|
};
|
2024-10-26 13:23:22 +02:00
|
|
|
};
|
2024-12-29 17:41:25 +01:00
|
|
|
};
|
2024-10-26 13:23:22 +02:00
|
|
|
in
|
|
|
|
{
|
|
|
|
module-test = pkgs.testers.runNixOSTest {
|
|
|
|
name = "webnsupdate-module";
|
|
|
|
nodes.machine = webnsupdate-machine;
|
|
|
|
testScript = ''
|
|
|
|
machine.start(allow_reboot=True)
|
2024-12-29 17:41:25 +01:00
|
|
|
machine.wait_for_unit("bind.service")
|
2024-10-26 13:23:22 +02:00
|
|
|
machine.wait_for_unit("webnsupdate.service")
|
|
|
|
|
|
|
|
# ensure base DNS records area available
|
|
|
|
with subtest("query base DNS records"):
|
|
|
|
machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
|
|
|
|
|
|
|
|
# ensure webnsupdate managed records are missing
|
|
|
|
with subtest("query webnsupdate DNS records (fail)"):
|
|
|
|
machine.fail("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}")
|
|
|
|
machine.fail("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}")
|
|
|
|
machine.fail("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}")
|
|
|
|
|
|
|
|
with subtest("update webnsupdate DNS records (invalid auth)"):
|
|
|
|
machine.fail("curl --fail --silent -u test1:test1 -X GET http://localhost:5353/update")
|
|
|
|
machine.fail("cat /var/lib/webnsupdate/last-ip") # no last-ip set yet
|
|
|
|
|
|
|
|
# ensure webnsupdate managed records are missing
|
|
|
|
with subtest("query webnsupdate DNS records (fail)"):
|
|
|
|
machine.fail("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}")
|
|
|
|
machine.fail("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}")
|
|
|
|
machine.fail("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}")
|
|
|
|
|
|
|
|
with subtest("update webnsupdate DNS records (valid auth)"):
|
|
|
|
machine.succeed("curl --fail --silent -u test:test -X GET http://localhost:5353/update")
|
|
|
|
machine.succeed("cat /var/lib/webnsupdate/last-ip")
|
|
|
|
|
|
|
|
# ensure webnsupdate managed records are available
|
|
|
|
with subtest("query webnsupdate DNS records (succeed)"):
|
|
|
|
machine.succeed("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}")
|
|
|
|
|
|
|
|
machine.reboot()
|
|
|
|
machine.succeed("cat /var/lib/webnsupdate/last-ip")
|
|
|
|
machine.wait_for_unit("webnsupdate.service")
|
|
|
|
machine.succeed("cat /var/lib/webnsupdate/last-ip")
|
|
|
|
|
|
|
|
# ensure base DNS records area available after a reboot
|
|
|
|
with subtest("query base DNS records"):
|
|
|
|
machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}")
|
|
|
|
|
|
|
|
# ensure webnsupdate managed records are available after a reboot
|
|
|
|
with subtest("query webnsupdate DNS records (succeed)"):
|
|
|
|
machine.succeed("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}")
|
|
|
|
machine.succeed("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}")
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|