nix-super/tests/nixos/nss-preload.nix
ramboman b4950404ba
Honor the same set of proxy environment variables
Different parts of the project honor different sets of proxy environment
variables. With this commit all parts of the project will honor the same
set of proxy environment variables.

---------

Co-authored-by: Your Name <you@example.com>
Co-authored-by: John Ericson <John.Ericson@Obsidian.Systems>
2024-05-06 15:39:22 -04:00


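# NixOS VM test "nss-preload": a `client` machine with the Nix sandbox forced
# on must be able to resolve a host name through the resolver running on
# `http_dns` and fetch a file from it with `builtin:fetchurl`.
{ lib, config, nixpkgs, ... }:

let

  pkgs = config.nodes.client.nixpkgs.pkgs;

  # Expression that the client evaluates with `nix-build` (see testScript).
  #
  # Security-relevant points for readers of the generated file:
  #  * The download uses plain HTTP. What is accepted as the output is decided
  #    by `outputHash` (sha256 of "hello world\n", see the nix-hash example in
  #    the text), not by the transport, so a modified response fails the build.
  #  * `impureEnvVars` names the environment variables that are passed from
  #    the invoking environment into this fixed-output build. Only the proxy
  #    variables, in lower and upper case, are listed. Proxy URLs can embed
  #    credentials, so whatever is set in them becomes visible to the fetch;
  #    keep this list limited to what the fetch needs.
  #
  # NOTE: everything between the '' markers is file content, so explanatory
  # comments belong out here rather than inside the string.
  nix-fetch = pkgs.writeText "fetch.nix" ''
    derivation {
        # This derivation is an copy from what is available over at
        # nix.git:corepkgs/fetchurl.nix
        builder = "builtin:fetchurl";

        # We're going to fetch data from the http_dns instance created before
        # we expect the content to be the same as the content available there.
        # ```
        # $ nix-hash --type sha256 --to-base32 $(echo "hello world" | sha256sum | cut -d " " -f 1)
        # 0ix4jahrkll5zg01wandq78jw3ab30q4nscph67rniqg5x7r0j59
        # ```
        outputHash = "0ix4jahrkll5zg01wandq78jw3ab30q4nscph67rniqg5x7r0j59";
        outputHashAlgo = "sha256";
        outputHashMode = "flat";

        name = "example.com";
        url = "http://example.com";

        unpack = false;
        executable = false;

        system = "builtin";

        preferLocalBuild = true;

        impureEnvVars = [
            "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
            "HTTP_PROXY" "HTTPS_PROXY" "FTP_PROXY" "ALL_PROXY" "NO_PROXY"
        ];

        urls = [ "http://example.com" ];
    }
  '';

in

{
  name = "nss-preload";

  nodes = {
    # Combined DNS resolver and web server that stands in for "example.com".
    http_dns = { lib, pkgs, config, ... }: {
      # Test-only: packet filter off so ports 53 and 80 (waited for in
      # testScript) are reachable from `client`. Not a setting to copy into a
      # real host configuration.
      networking.firewall.enable = false;

      networking.interfaces.eth1.ipv6.addresses = lib.mkForce [
        { address = "fd21::1"; prefixLength = 64; }
      ];
      networking.interfaces.eth1.ipv4.addresses = lib.mkForce [
        { address = "192.168.0.1"; prefixLength = 24; }
      ];

      services.unbound = {
        enable = true;
        # No root trust anchor is installed, so answers are not validated
        # against the real DNSSEC root. That fits a resolver serving only the
        # synthetic records below; NOTE(review): confirm nothing else is meant
        # to be resolved through it.
        enableRootTrustAnchor = false;
        settings = {
          server = {
            interface = [ "192.168.0.1" "fd21::1" "::1" "127.0.0.1" ];
            # Queries are accepted only from the two test subnets and loopback.
            access-control = [ "192.168.0.0/24 allow" "fd21::/64 allow" "::1 allow" "127.0.0.0/8 allow" ];
            # Both names are answered locally with this node's own addresses.
            # NOTE(review): tarballs.nixos.org is presumably here so a mirror
            # lookup by the fetcher stays inside the test network - confirm.
            local-data = [
              ''"example.com. IN A 192.168.0.1"''
              ''"example.com. IN AAAA fd21::1"''
              ''"tarballs.nixos.org. IN A 192.168.0.1"''
              ''"tarballs.nixos.org. IN AAAA fd21::1"''
            ];
          };
        };
      };

      services.nginx = {
        enable = true;
        virtualHosts."example.com" = {
          # Single file whose content ("hello world" plus newline) is what
          # outputHash in fetch.nix pins.
          root = pkgs.runCommand "testdir" {} ''
            mkdir "$out"
            echo hello world > "$out/index.html"
          '';
        };
      };
    };

    # client consumes a remote resolver
    client = { lib, nodes, pkgs, ... }: {
      networking.useDHCP = false;
      # Resolver addresses are read from the http_dns node's configuration
      # rather than repeated here, so the two cannot drift apart.
      networking.nameservers = [
        (lib.head nodes.http_dns.networking.interfaces.eth1.ipv6.addresses).address
        (lib.head nodes.http_dns.networking.interfaces.eth1.ipv4.addresses).address
      ];
      networking.interfaces.eth1.ipv6.addresses = [
        { address = "fd21::10"; prefixLength = 64; }
      ];
      networking.interfaces.eth1.ipv4.addresses = [
        { address = "192.168.0.10"; prefixLength = 24; }
      ];
      # The sandbox is forced on and no extra host paths are exposed inside
      # it, so the fetch has to resolve names without help from host files.
      # With no substituters the output cannot come from a binary cache and
      # the fetch must really run.
      nix.settings.extra-sandbox-paths = lib.mkForce [];
      nix.settings.substituters = lib.mkForce [];
      nix.settings.sandbox = lib.mkForce true;
    };
  };

  # Python driver script. The bodies of the `with subtest(...)` blocks must be
  # indented relative to the `with` line or the script does not parse.
  testScript = { nodes, ... }: ''
    http_dns.wait_for_unit("nginx")
    http_dns.wait_for_open_port(80)
    http_dns.wait_for_unit("unbound")
    http_dns.wait_for_open_port(53)

    client.start()
    client.wait_for_unit('multi-user.target')

    with subtest("can fetch data from a remote server outside sandbox"):
      client.succeed("nix --version >&2")
      client.succeed("curl -vvv http://example.com/index.html >&2")

    with subtest("nix-build can lookup dns and fetch data"):
      client.succeed("""
        nix-build ${nix-fetch} >&2
      """)
  '';
}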