cluster/services/dns: test in simulacrum

2024-08-16 02:16:28 +02:00 · 2024-08-16 02:16:28 +02:00 · f5b085a074
commit f5b085a074
parent e0d513be30
2 changed files with 40 additions and 0 deletions
--- a/cluster/services/dns/default.nix
+++ b/cluster/services/dns/default.nix
@ -56,6 +56,11 @@ in
      coredns = ./coredns.nix;
      client = ./client.nix;
    };
+    simulacrum = {
+      enable = true;
+      deps = [ "consul" "acme-client" "patroni" ];
+      settings = ./test.nix;
+    };
  };

  patroni = {
--- a/cluster/services/dns/test.nix
+++ b/cluster/services/dns/test.nix
@ -0,0 +1,35 @@
+{ cluster, ... }:
+
+let
+  inherit (cluster._module.specialArgs.depot.lib.meta) domain;
+in
+{
+  nodes.nowhere = { pkgs, ... }: {
+    passthru = cluster;
+    environment.systemPackages = [
+      pkgs.knot-dns
+      pkgs.openssl
+    ];
+  };
+
+  testScript = ''
+    import json
+    nodeNames = json.loads('${builtins.toJSON cluster.config.services.dns.nodes.authoritative}')
+    dotNames = json.loads('${builtins.toJSON cluster.config.services.dns.nodes.coredns}')
+    nodes = [ n for n in machines if n.name in nodeNames ]
+    dotServers = [ n for n in machines if n.name in dotNames ]
+
+    start_all()
+
+    with subtest("should allow external name resolution for own domain"):
+      for node in nodes:
+        node.wait_for_unit("coredns.service")
+      nowhere.wait_until_succeeds("[[ $(kdig +short securedns.${domain} | wc -l) -ne 0 ]]", timeout=60)
+      nowhere.fail("[[ $(kdig +short example.com | wc -l) -ne 0 ]]")
+
+    with subtest("should have valid certificate on DoT endpoint"):
+      for node in dotServers:
+        node.wait_for_unit("acme-finished-securedns.${domain}.target")
+      nowhere.wait_until_succeeds("openssl </dev/null s_client -connect securedns.${domain}:853 -verify_return_error -strict -verify_hostname securedns.${domain}", timeout=60)
+  '';
+}