nixos/tests: Add common modules for letsencrypt
These modules implement a way to test ACME based on a test instance of
Letsencrypt's Boulder service. The service implementation is in
letsencrypt.nix and the second module (resolver.nix) is a support-module
for the former, but can also be used for tests not involving ACME.
The second module provides a DNS server which hosts a root zone
containing all the zones and /etc/hosts entries (except loopback) in the
entire test network, so this can be very useful for other modules that
need DNS resolution.
Originally, I wrote these modules for the Headcounter deployment, but
I've refactored them a bit to be generally useful to NixOS users. The
original implementation can be found here:
https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing
Quoting parts from the commit message of the initial implementation of
the Letsencrypt module in headcounter/deployment@95dfb31110397567534f2:
This module is going to be used for tests where we need to
impersonate an ACME service such as the one from Letsencrypt within
VM tests, which is the reason why this module is a bit ugly (I only
care if it's working not if it's beautiful).
While the module isn't used anywhere, it will serve as a pluggable
module for testing whether ACME works properly to fetch certificates
and also as a replacement for our snakeoil certificate generator.
Also quoting parts of the commit where I have refactored the same module
in headcounter/deployment@85fa481b3431bbc450e8008fd25adc28ef0c6036:
Now we have a fully pluggable module which automatically discovers
in which network it's used via the nodes attribute.
The test environment of Boulder used "dns-test-srv", which is a fake
DNS server that's resolving almost everything to 127.0.0.1. On our
setup this is not useful, so instead we're now running a local BIND
name server which has a fake root zone and uses the mentioned node
attribute to automatically discover other zones in the network of
machines and generate delegations from the root zone to the
respective zones with the primaryIPAddress of the node.
...
We want to use real letsencrypt.org FQDNs here, so we can't get away
with the snakeoil test certificates from the upstream project but
now roll our own.
This not only has the benefit that we can easily pass the snakeoil
certificate to other nodes, but we can (and do) also use it for an
nginx proxy that's now serving HTTPS for the Boulder web front end.
The Headcounter deployment tests are simulating a production scenario
with real IPs and nameservers so it won't need to rely on
networking.extraHost. However in this implementation we don't
necessarily want to do that, so I've added auto-discovery of
networking.extraHosts in the resolver module.
Another change here is that the letsencrypt module now falls back to
using a local resolver, the Headcounter implementation on the other hand
always required to add an extra test node which serves as a resolver.
I could have squashed both modules into the final ACME test, but that
would make it not very reusable, so that's the main reason why I put
these modules in tests/common.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-07-27 10:16:29 +02:00
|
|
|
# This module automatically discovers zones in BIND and NSD NixOS
|
|
|
|
# configurations and creates zones for all definitions of networking.extraHosts
|
|
|
|
# (except those that point to 127.0.0.1 or ::1) within the current test network
|
|
|
|
# and delegates these zones using a fake root zone served by a BIND recursive
|
|
|
|
# name server.
|
|
|
|
{ config, nodes, pkgs, lib, ... }:
|
|
|
|
|
|
|
|
{
|
|
|
|
options.test-support.resolver.enable = lib.mkOption {
|
|
|
|
type = lib.types.bool;
|
|
|
|
default = true;
|
|
|
|
internal = true;
|
|
|
|
description = ''
|
|
|
|
Whether to enable the resolver that automatically discovers zone in the
|
|
|
|
test network.
|
|
|
|
|
|
|
|
This option is <literal>true</literal> by default, because the module
|
|
|
|
defining this option needs to be explicitly imported.
|
|
|
|
|
|
|
|
The reason this option exists is for the
|
2018-07-12 00:56:48 +02:00
|
|
|
<filename>nixos/tests/common/letsencrypt</filename> module, which
|
nixos/tests: Add common modules for letsencrypt
These modules implement a way to test ACME based on a test instance of
Letsencrypt's Boulder service. The service implementation is in
letsencrypt.nix and the second module (resolver.nix) is a support-module
for the former, but can also be used for tests not involving ACME.
The second module provides a DNS server which hosts a root zone
containing all the zones and /etc/hosts entries (except loopback) in the
entire test network, so this can be very useful for other modules that
need DNS resolution.
Originally, I wrote these modules for the Headcounter deployment, but
I've refactored them a bit to be generally useful to NixOS users. The
original implementation can be found here:
https://github.com/headcounter/deployment/tree/89e7feafb/modules/testing
Quoting parts from the commit message of the initial implementation of
the Letsencrypt module in headcounter/deployment@95dfb31110397567534f2:
This module is going to be used for tests where we need to
impersonate an ACME service such as the one from Letsencrypt within
VM tests, which is the reason why this module is a bit ugly (I only
care if it's working not if it's beautiful).
While the module isn't used anywhere, it will serve as a pluggable
module for testing whether ACME works properly to fetch certificates
and also as a replacement for our snakeoil certificate generator.
Also quoting parts of the commit where I have refactored the same module
in headcounter/deployment@85fa481b3431bbc450e8008fd25adc28ef0c6036:
Now we have a fully pluggable module which automatically discovers
in which network it's used via the nodes attribute.
The test environment of Boulder used "dns-test-srv", which is a fake
DNS server that's resolving almost everything to 127.0.0.1. On our
setup this is not useful, so instead we're now running a local BIND
name server which has a fake root zone and uses the mentioned node
attribute to automatically discover other zones in the network of
machines and generate delegations from the root zone to the
respective zones with the primaryIPAddress of the node.
...
We want to use real letsencrypt.org FQDNs here, so we can't get away
with the snakeoil test certificates from the upstream project but
now roll our own.
This not only has the benefit that we can easily pass the snakeoil
certificate to other nodes, but we can (and do) also use it for an
nginx proxy that's now serving HTTPS for the Boulder web front end.
The Headcounter deployment tests are simulating a production scenario
with real IPs and nameservers so it won't need to rely on
networking.extraHost. However in this implementation we don't
necessarily want to do that, so I've added auto-discovery of
networking.extraHosts in the resolver module.
Another change here is that the letsencrypt module now falls back to
using a local resolver, the Headcounter implementation on the other hand
always required to add an extra test node which serves as a resolver.
I could have squashed both modules into the final ACME test, but that
would make it not very reusable, so that's the main reason why I put
these modules in tests/common.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2017-07-27 10:16:29 +02:00
|
|
|
needs that option to disable the resolver once the user has set its own
|
|
|
|
resolver.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
config = lib.mkIf config.test-support.resolver.enable {
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
services.bind.enable = true;
|
|
|
|
services.bind.cacheNetworks = lib.mkForce [ "any" ];
|
|
|
|
services.bind.forwarders = lib.mkForce [];
|
|
|
|
services.bind.zones = lib.singleton {
|
|
|
|
name = ".";
|
|
|
|
file = let
|
|
|
|
addDot = zone: zone + lib.optionalString (!lib.hasSuffix "." zone) ".";
|
|
|
|
mkNsdZoneNames = zones: map addDot (lib.attrNames zones);
|
|
|
|
mkBindZoneNames = zones: map (zone: addDot zone.name) zones;
|
|
|
|
getZones = cfg: mkNsdZoneNames cfg.services.nsd.zones
|
|
|
|
++ mkBindZoneNames cfg.services.bind.zones;
|
|
|
|
|
|
|
|
getZonesForNode = attrs: {
|
|
|
|
ip = attrs.config.networking.primaryIPAddress;
|
|
|
|
zones = lib.filter (zone: zone != ".") (getZones attrs.config);
|
|
|
|
};
|
|
|
|
|
|
|
|
zoneInfo = lib.mapAttrsToList (lib.const getZonesForNode) nodes;
|
|
|
|
|
|
|
|
# A and AAAA resource records for all the definitions of
|
|
|
|
# networking.extraHosts except those for 127.0.0.1 or ::1.
|
|
|
|
#
|
|
|
|
# The result is an attribute set with keys being the host name and the
|
|
|
|
# values are either { ipv4 = ADDR; } or { ipv6 = ADDR; } where ADDR is
|
|
|
|
# the IP address for the corresponding key.
|
|
|
|
recordsFromExtraHosts = let
|
|
|
|
getHostsForNode = lib.const (n: n.config.networking.extraHosts);
|
|
|
|
allHostsList = lib.mapAttrsToList getHostsForNode nodes;
|
|
|
|
allHosts = lib.concatStringsSep "\n" allHostsList;
|
|
|
|
|
|
|
|
reIp = "[a-fA-F0-9.:]+";
|
|
|
|
reHost = "[a-zA-Z0-9.-]+";
|
|
|
|
|
|
|
|
matchAliases = str: let
|
|
|
|
matched = builtins.match "[ \t]+(${reHost})(.*)" str;
|
|
|
|
continue = lib.singleton (lib.head matched)
|
|
|
|
++ matchAliases (lib.last matched);
|
|
|
|
in if matched == null then [] else continue;
|
|
|
|
|
|
|
|
matchLine = str: let
|
|
|
|
result = builtins.match "[ \t]*(${reIp})[ \t]+(${reHost})(.*)" str;
|
|
|
|
in if result == null then null else {
|
|
|
|
ipAddr = lib.head result;
|
|
|
|
hosts = lib.singleton (lib.elemAt result 1)
|
|
|
|
++ matchAliases (lib.last result);
|
|
|
|
};
|
|
|
|
|
|
|
|
skipLine = str: let
|
|
|
|
rest = builtins.match "[^\n]*\n(.*)" str;
|
|
|
|
in if rest == null then "" else lib.head rest;
|
|
|
|
|
|
|
|
getEntries = str: acc: let
|
|
|
|
result = matchLine str;
|
|
|
|
next = getEntries (skipLine str);
|
|
|
|
newEntry = acc ++ lib.singleton result;
|
|
|
|
continue = if result == null then next acc else next newEntry;
|
|
|
|
in if str == "" then acc else continue;
|
|
|
|
|
|
|
|
isIPv6 = str: builtins.match ".*:.*" str != null;
|
|
|
|
loopbackIps = [ "127.0.0.1" "::1" ];
|
|
|
|
filterLoopback = lib.filter (e: !lib.elem e.ipAddr loopbackIps);
|
|
|
|
|
|
|
|
allEntries = lib.concatMap (entry: map (host: {
|
|
|
|
inherit host;
|
|
|
|
${if isIPv6 entry.ipAddr then "ipv6" else "ipv4"} = entry.ipAddr;
|
|
|
|
}) entry.hosts) (filterLoopback (getEntries (allHosts + "\n") []));
|
|
|
|
|
|
|
|
mkRecords = entry: let
|
|
|
|
records = lib.optional (entry ? ipv6) "AAAA ${entry.ipv6}"
|
|
|
|
++ lib.optional (entry ? ipv4) "A ${entry.ipv4}";
|
|
|
|
mkRecord = typeAndData: "${entry.host}. IN ${typeAndData}";
|
|
|
|
in lib.concatMapStringsSep "\n" mkRecord records;
|
|
|
|
|
|
|
|
in lib.concatMapStringsSep "\n" mkRecords allEntries;
|
|
|
|
|
|
|
|
# All of the zones that are subdomains of existing zones.
|
|
|
|
# For example if there is only "example.com" the following zones would
|
|
|
|
# be 'subZones':
|
|
|
|
#
|
|
|
|
# * foo.example.com.
|
|
|
|
# * bar.example.com.
|
|
|
|
#
|
|
|
|
# While the following would *not* be 'subZones':
|
|
|
|
#
|
|
|
|
# * example.com.
|
|
|
|
# * com.
|
|
|
|
#
|
|
|
|
subZones = let
|
|
|
|
allZones = lib.concatMap (zi: zi.zones) zoneInfo;
|
|
|
|
isSubZoneOf = z1: z2: lib.hasSuffix z2 z1 && z1 != z2;
|
|
|
|
in lib.filter (z: lib.any (isSubZoneOf z) allZones) allZones;
|
|
|
|
|
|
|
|
# All the zones without 'subZones'.
|
|
|
|
filteredZoneInfo = map (zi: zi // {
|
|
|
|
zones = lib.filter (x: !lib.elem x subZones) zi.zones;
|
|
|
|
}) zoneInfo;
|
|
|
|
|
|
|
|
in pkgs.writeText "fake-root.zone" ''
|
|
|
|
$TTL 3600
|
|
|
|
. IN SOA ns.fakedns. admin.fakedns. ( 1 3h 1h 1w 1d )
|
|
|
|
ns.fakedns. IN A ${config.networking.primaryIPAddress}
|
|
|
|
. IN NS ns.fakedns.
|
|
|
|
${lib.concatImapStrings (num: { ip, zones }: ''
|
|
|
|
ns${toString num}.fakedns. IN A ${ip}
|
|
|
|
${lib.concatMapStrings (zone: ''
|
|
|
|
${zone} IN NS ns${toString num}.fakedns.
|
|
|
|
'') zones}
|
|
|
|
'') (lib.filter (zi: zi.zones != []) filteredZoneInfo)}
|
|
|
|
${recordsFromExtraHosts}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|