diff --git a/flake-modules/default.nix b/flake-modules/default.nix index 2b66fd5..7a60543 100644 --- a/flake-modules/default.nix +++ b/flake-modules/default.nix @@ -5,6 +5,7 @@ ./package.nix ./overlay.nix ./module.nix + ./tests.nix ]; perSystem = diff --git a/flake-modules/tests.nix b/flake-modules/tests.nix new file mode 100644 index 0000000..7ec61ab --- /dev/null +++ b/flake-modules/tests.nix @@ -0,0 +1,144 @@ +{ self, ... }: +{ + perSystem = + { pkgs, self', ... }: + { + checks = + let + testDomain = "webnstest.example"; + dynamicZonesDir = "/var/lib/named/zones"; + zoneFile = pkgs.writeText "${testDomain}.zoneinfo" '' + $ORIGIN . + $TTL 60 ; 1 minute + ${testDomain} IN SOA ns1.${testDomain}. admin.${testDomain}. ( + 1 ; serial + 21600 ; refresh (6 hours) + 3600 ; retry (1 hour) + 604800 ; expire (1 week) + 86400) ; negative caching TTL (1 day) + + IN NS ns1.${testDomain}. + $ORIGIN ${testDomain}. + ${testDomain}. IN A 127.0.0.1 + ${testDomain}. IN AAAA ::1 + ns1 IN A 127.0.0.1 + ns1 IN AAAA ::1 + nsupdate IN A 127.0.0.1 + nsupdate IN AAAA ::1 + ''; + + webnsupdate-machine = { + imports = [ self.nixosModules.webnsupdate ]; + + config = { + environment.systemPackages = [ + pkgs.dig + pkgs.curl + ]; + + services = { + webnsupdate = { + enable = true; + bindIp = "127.0.0.1"; + keyFile = "/etc/bind/rndc.key"; + # test:test (user:password) + passwordFile = pkgs.writeText "webnsupdate.pass" "FQoNmuU1BKfg8qsU96F6bK5ykp2b0SLe3ZpB3nbtfZA"; + package = self'.packages.webnsupdate; + extraArgs = [ + "-vvv" # debug messages + "--ip-source=ConnectInfo" + ]; + records = '' + test1.${testDomain}. + test2.${testDomain}. + test3.${testDomain}. + ''; + }; + + bind = { + enable = true; + zones.${testDomain} = { + master = true; + file = "${dynamicZonesDir}/${testDomain}"; + extraConfig = '' + allow-update { key rndc-key; }; + ''; + }; + }; + }; + + systemd.services.bind.preStart = '' + # shellcheck disable=SC2211,SC1127 + rm -f ${dynamicZonesDir}/* # reset dynamic zones + + ${pkgs.coreutils}/bin/mkdir -m 0755 -p ${dynamicZonesDir} + chown "named" ${dynamicZonesDir} + chown "named" /var/lib/named + + # copy dynamic zone's file to the dynamic zones dir + cp ${zoneFile} ${dynamicZonesDir}/${testDomain} + ''; + }; + }; + in + { + module-test = pkgs.testers.runNixOSTest { + name = "webnsupdate-module"; + nodes.machine = webnsupdate-machine; + testScript = '' + machine.start(allow_reboot=True) + machine.wait_for_unit("webnsupdate.service") + + # ensure base DNS records area available + with subtest("query base DNS records"): + machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}") + machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}") + machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}") + + # ensure webnsupdate managed records are missing + with subtest("query webnsupdate DNS records (fail)"): + machine.fail("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}") + machine.fail("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}") + machine.fail("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}") + + with subtest("update webnsupdate DNS records (invalid auth)"): + machine.fail("curl --fail --silent -u test1:test1 -X GET http://localhost:5353/update") + machine.fail("cat /var/lib/webnsupdate/last-ip") # no last-ip set yet + + # ensure webnsupdate managed records are missing + with subtest("query webnsupdate DNS records (fail)"): + machine.fail("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}") + machine.fail("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}") + machine.fail("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}") + + with subtest("update webnsupdate DNS records (valid auth)"): + machine.succeed("curl --fail --silent -u test:test -X GET http://localhost:5353/update") + machine.succeed("cat /var/lib/webnsupdate/last-ip") + + # ensure webnsupdate managed records are available + with subtest("query webnsupdate DNS records (succeed)"): + machine.succeed("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}") + machine.succeed("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}") + machine.succeed("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}") + + machine.reboot() + machine.succeed("cat /var/lib/webnsupdate/last-ip") + machine.wait_for_unit("webnsupdate.service") + machine.succeed("cat /var/lib/webnsupdate/last-ip") + + # ensure base DNS records area available after a reboot + with subtest("query base DNS records"): + machine.succeed("dig @127.0.0.1 ${testDomain} | grep ^${testDomain}") + machine.succeed("dig @127.0.0.1 ns1.${testDomain} | grep ^ns1.${testDomain}") + machine.succeed("dig @127.0.0.1 nsupdate.${testDomain} | grep ^nsupdate.${testDomain}") + + # ensure webnsupdate managed records are available after a reboot + with subtest("query webnsupdate DNS records (succeed)"): + machine.succeed("dig @127.0.0.1 test1.${testDomain} | grep ^test1.${testDomain}") + machine.succeed("dig @127.0.0.1 test2.${testDomain} | grep ^test2.${testDomain}") + machine.succeed("dig @127.0.0.1 test3.${testDomain} | grep ^test3.${testDomain}") + ''; + }; + }; + }; +}