From f5b085a074b2e3973ac644b182fe3ad31d142702 Mon Sep 17 00:00:00 2001
From: Max
Date: Fri, 16 Aug 2024 02:16:28 +0200
Subject: [PATCH] cluster/services/dns: test in simulacrum
---
 cluster/services/dns/default.nix | 5 +++++
 cluster/services/dns/test.nix | 35 ++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 cluster/services/dns/test.nix
diff --git a/cluster/services/dns/default.nix b/cluster/services/dns/default.nix
index fa75ceb..50be452 100644
--- a/cluster/services/dns/default.nix
+++ b/cluster/services/dns/default.nix
@@ -56,6 +56,11 @@ in
 coredns = ./coredns.nix;
 client = ./client.nix;
 };
+ simulacrum = {
+ enable = true;
+ deps = [ "consul" "acme-client" "patroni" ];
+ settings = ./test.nix;
+ };
 };
 
 patroni = {
diff --git a/cluster/services/dns/test.nix b/cluster/services/dns/test.nix
new file mode 100644
index 0000000..33dab32
--- /dev/null
+++ b/cluster/services/dns/test.nix
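Review bot: The `deps` list in the added `simulacrum` block gives no hint of what each entry is needed for; only `acme-client` can be tied to the test script in test.nix from this patch, where the DoT subtest waits on `acme-finished-securedns.${domain}.target`, while the reasons for `consul` and `patroni` are not visible here. A short comment above `deps` would spare the next reader a search, e.g. `# acme-client: test.nix waits on acme-finished-securedns.<domain>.target before probing the DoT endpoint`, with one line each for the other two once their role is confirmed. The enclosing attribute set starts before and continues after this hunk.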
@@ -0,0 +1,35 @@
+{ cluster, ... }:
+
+let
+ inherit (cluster._module.specialArgs.depot.lib.meta) domain;
+in
+{
+ nodes.nowhere = { pkgs, ... }: {
+ passthru = cluster;
+ environment.systemPackages = [
+ pkgs.knot-dns
+ pkgs.openssl
+ ];
+ };
+
+ testScript = ''
+ import json
+ nodeNames = json.loads('${builtins.toJSON cluster.config.services.dns.nodes.authoritative}')
+ dotNames = json.loads('${builtins.toJSON cluster.config.services.dns.nodes.coredns}')
+ nodes = [ n for n in machines if n.name in nodeNames ]
+ dotServers = [ n for n in machines if n.name in dotNames ]
+
+ start_all()
+
+ with subtest("should allow external name resolution for own domain"):
+ for node in nodes:
+ node.wait_for_unit("coredns.service")
+ nowhere.wait_until_succeeds("[[ $(kdig +short securedns.${domain} | wc -l) -ne 0 ]]", timeout=60)
+ nowhere.fail("[[ $(kdig +short example.com | wc -l) -ne 0 ]]")
+
+ with subtest("should have valid certificate on DoT endpoint"):
+ for node in dotServers:
+ node.wait_for_unit("acme-finished-securedns.${domain}.target")
+ nowhere.wait_until_succeeds("openssl