# NixOS VM test: node `foo` brings up a WireGuard tunnel with IfState while it
# is still in the initrd, and node `bar` (configured in stage 2) pings foo's
# tunnel address through it.
#
# All addresses come from 2001:db8::/32, the IPv6 documentation prefix.
#
# The WireGuard keys below are literals that exist only for this test. They are
# passed to pkgs.writeText, so each key becomes a plain file in the Nix store,
# which every local user can read. A real deployment should point private_key
# at a file provisioned outside the store.
let
  # Builds the ifstate option set shared by both nodes.
  #
  #   id            host part of this node's addresses on both prefixes
  #   wgPriv        this node's WireGuard private key (base64 text)
  #   wgPeerPubKey  public key of the single peer
  #   wgPeerId      host part of the peer's eth1 address, used for the endpoint
  #
  # wgPeerPubKey has to be the public half of the other node's wgPriv; this
  # file does not show how the pairs were derived.
  mkNodeIfStateConfig =
    {
      pkgs,
      id,
      wgPriv,
      wgPeerPubKey,
      wgPeerId,
    }:
    {
      enable = true;

      settings = {
        # Underlay: eth1 is configured inside a namespace called "outside".
        namespaces.outside.interfaces = {
          eth1 = {
            addresses = [ "2001:0db8:a::${builtins.toString id}/64" ];
            link.state = "up";
            link.kind = "physical";
          };
        };

        # Overlay: wg0 is declared at the top level, while bind_netns names the
        # "outside" namespace that holds eth1.
        interfaces.wg0 = {
          addresses = [ "2001:0db8:b::${builtins.toString id}/64" ];

          link = {
            state = "up";
            kind = "wireguard";
            bind_netns = "outside";
          };

          wireguard = {
            # The key text is written to a store path and referenced through
            # ifstate's `!include`, so the secret is world-readable on the
            # host. Acceptable for a throwaway test key only.
            private_key = "!include ${pkgs.writeText "wg_priv.key" wgPriv}";
            listen_port = 51820;

            peers = {
              "${wgPeerPubKey}" = {
                endpoint = "[2001:0db8:a::${builtins.toString wgPeerId}]:51820";
                # ::/0 accepts any IPv6 source address from this peer. The only
                # route sent into wg0 below is 2001:0db8:b::/64; outside a
                # two-node test this list should be narrowed to the peer's
                # tunnel addresses.
                allowedips = [ "::/0" ];
              };
            };
          };
        };

        routing = {
          routes = [
            {
              to = "2001:0db8:b::/64";
              dev = "wg0";
            }
          ];
        };
      };
    };
in
{
  name = "ifstate-initrd-wireguard";

  nodes = {
    # foo: the tunnel is configured in stage 1 (initrd).
    foo =
      { pkgs, ... }:
      {
        imports = [ ../../modules/profiles/minimal.nix ];

        virtualisation.interfaces.eth1.vlan = 1;

        # The initrd IfState module asserts that stage-2 ifstate is enabled as
        # well, hence this otherwise empty configuration.
        networking.ifstate.enable = true;
        networking.ifstate.settings.interfaces = { };

        boot.initrd.network = {
          enable = true;
          ifstate =
            (mkNodeIfStateConfig {
              inherit pkgs;
              id = 1;
              wgPriv = "6KmLyTyrN9OZIOCkdpiAwoVoeSiwvyI+mtn1wooKSEU=";
              wgPeerPubKey = "olFuE7u5pVwSeWLFtrXSvD8+aCDBiKNKCLjLb/dgXiA=";
              wgPeerId = 2;
            })
            // {
              # NOTE(review): config validation is compiled out of the package
              # used in the initrd, presumably to limit its size - confirm. A
              # malformed config is then not rejected by that check.
              package = pkgs.ifstate.override {
                withConfigValidation = false;
              };
              allowIfstateToDrasticlyIncreaseInitrdSize = true;
            };
        };

        boot.initrd.systemd = {
          enable = true;
          # systemd-networkd is switched off in the initrd.
          network.enable = false;

          # A oneshot unit whose script never exits, ordered before
          # initrd.target: the target is never reached, so foo stays in the
          # initrd for the whole test. Presumably this is what guarantees that
          # the ping in testScript is answered by the stage-1 configuration.
          services.boot-blocker = {
            before = [ "initrd.target" ];
            wantedBy = [ "initrd.target" ];
            script = "sleep infinity";
            serviceConfig.Type = "oneshot";
          };
        };
      };

    # bar: the same tunnel settings, applied by the regular stage-2 module.
    bar =
      { pkgs, ... }:
      {
        imports = [ ../../modules/profiles/minimal.nix ];

        virtualisation.interfaces.eth1.vlan = 1;

        networking.ifstate = mkNodeIfStateConfig {
          inherit pkgs;
          id = 2;
          wgPriv = "QN89cvFD0C8z1MSpUaJa1YBXt2MaIQegVkEYROi71Fg=";
          wgPeerPubKey = "5qeKbAGc7wh9Xg0MoMXqXCSmp9TawmtI1bVk/vp3Cn4=";
          wgPeerId = 1;
        };
      };
  };

  # bar boots fully, then pings foo's wg0 address (id = 1) until it answers.
  testScript = # python
    ''
      start_all()

      bar.wait_for_unit("default.target")

      bar.wait_until_succeeds("ping -c 1 2001:0db8:b::1")
    '';
}