nixos/tests/dnscrypt-wrapper: init
rnhmjoj
5 years ago
cb8975f5
743eea4c
+74
4 changed files
nixos
tests
all-tests.nix
dnscrypt-wrapper
default.nix
public.key
secret.key
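--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -70,6 +70,7 @@
 deluge = handleTest ./deluge.nix {};
 dhparams = handleTest ./dhparams.nix {};
 dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
+dnscrypt-wrapper = handleTestOn ["x86_64-linux"] ./dnscrypt-wrapper {};
 doas = handleTest ./doas.nix {};
 docker = handleTestOn ["x86_64-linux"] ./docker.nix {};
 oci-containers = handleTestOn ["x86_64-linux"] ./oci-containers.nix {};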
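--- a/nixos/tests/dnscrypt-wrapper/default.nix
+++ b/nixos/tests/dnscrypt-wrapper/default.nix
@@ -0,0 +1,71 @@
+import ../make-test-python.nix ({ pkgs, ... }: {
+name = "dnscrypt-wrapper";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ rnhmjoj ];
+};
+
+nodes = {
+server = { lib, ... }:
+{ services.dnscrypt-wrapper = with builtins;
+{ enable = true;
+address = "192.168.1.1";
+keys.expiration = 5; # days
+keys.checkInterval = 2; # min
+# The keypair was generated by the command:
+# dnscrypt-wrapper --gen-provider-keypair \
+# --provider-name=2.dnscrypt-cert.server \
+# --ext-address=192.168.1.1:5353
+providerKey.public = toFile "public.key" (readFile ./public.key);
+providerKey.secret = toFile "secret.key" (readFile ./secret.key);
+};
+services.tinydns.enable = true;
+services.tinydns.data = ''
+..:192.168.1.1:a
++it.works:1.2.3.4
+'';
+networking.firewall.allowedUDPPorts = [ 5353 ];
+networking.firewall.allowedTCPPorts = [ 5353 ];
+networking.interfaces.eth1.ipv4.addresses = lib.mkForce
+[ { address = "192.168.1.1"; prefixLength = 24; } ];
+};
+
+client = { lib, ... }:
+{ services.dnscrypt-proxy2.enable = true;
+services.dnscrypt-proxy2.settings = {
+server_names = [ "server" ];
+static.server.stamp = "sdns://AQAAAAAAAAAAEDE5Mi4xNjguMS4xOjUzNTMgFEHYOv0SCKSuqR5CDYa7-58cCBuXO2_5uTSVU9wNQF0WMi5kbnNjcnlwdC1jZXJ0LnNlcnZlcg";
+};
+networking.nameservers = [ "127.0.0.1" ];
+networking.interfaces.eth1.ipv4.addresses = lib.mkForce
+[ { address = "192.168.1.2"; prefixLength = 24; } ];
+};
+
+};
+
+testScript = ''
+start_all()
+
+with subtest("The server can generate the ephemeral keypair"):
+server.wait_for_unit("dnscrypt-wrapper")
+server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.key")
+server.wait_for_file("/var/lib/dnscrypt-wrapper/2.dnscrypt-cert.server.crt")
+
+with subtest("The client can connect to the server"):
+server.wait_for_unit("tinydns")
+client.wait_for_unit("dnscrypt-proxy2")
+assert "1.2.3.4" in client.succeed(
+"host it.works"
+), "The IP address of 'it.works' does not match 1.2.3.4"
+
+with subtest("The server rotates the ephemeral keys"):
+# advance time by a little less than 5 days
+server.succeed("date -s \"$(date --date '4 days 6 hours')\"")
+client.succeed("date -s \"$(date --date '4 days 6 hours')\"")
+server.wait_for_file("/var/lib/dnscrypt-wrapper/oldkeys")
+
+with subtest("The client can still connect to the server"):
+server.wait_for_unit("dnscrypt-wrapper")
+client.succeed("host it.works")
+'';
+})
+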
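Review bot: The comment above the two `providerKey` lines records how the keypair was generated but not that it is a throwaway fixture. `toFile "secret.key" (readFile ./secret.key)` copies the provider secret key, which is also checked into the repository, into the world-readable Nix store; that is acceptable only because the key exists solely for this test. I would add `# Test-only keypair: toFile puts the secret key in the world-readable Nix store; never reuse this pattern or these keys for a real provider.` above those lines so the pattern is not copied into a real deployment. Separately, the last subtest only checks that `client.succeed("host it.works")` exits successfully; repeating the `"1.2.3.4" in ...` assertion from the second subtest would confirm that the answer after key rotation is still the expected record.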
+1
nixos/tests/dnscrypt-wrapper/public.key
···
1
1
+
A�:����B �����;o��4�S� @]
+1
nixos/tests/dnscrypt-wrapper/secret.key
···
1
1
+
G�>Ʃ���>���(����J���=�����l�A�:����B �����;o��4�S� @]