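let
  # Builds the NixOS configuration of one test node: a networkd-managed
  # eth1 plus a WireGuard tunnel (wg0) to the other node.
  #
  # Extra arguments (merged into the module arguments by the caller):
  #   privk  - this node's WireGuard private key, base64 (test-only value)
  #   pubk   - the peer's WireGuard public key, base64
  #   peerId - last address octet of the peer (Endpoint, AllowedIPs)
  #   nodeId - last address octet of this node (its own addresses)
  generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
    imports = [ common/user-account.nix ];
    # Verbose networkd logging so a failing run is diagnosable from the
    # test log. Test-only: debug output is far noisier than production needs.
    systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
    networking.useNetworkd = true;
    networking.useDHCP = false;
    # Disabled so the routing-policy and tunnel checks below are not
    # confounded by filtering; a real host keeps its firewall on.
    networking.firewall.enable = false;
    virtualisation.vlans = [ 1 ];
    environment.systemPackages = with pkgs; [ wireguard-tools ];

    systemd.network = {
      enable = true;
      netdevs = {
        "90-wg0" = {
          netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
          wireguardConfig = {
            # NOTE: we're storing the wireguard private key in the
            # store for this test. Do not do this in the real
            # world. Keep in mind the nix store is
            # world-readable.
            PrivateKeyFile = pkgs.writeText "wg0-priv" privk;
            ListenPort = 51820;
            # 42 decimal == 0x2a; the test script checks for the hex form
            # that wireguard-tools prints.
            FirewallMark = 42;
          };
          wireguardPeers = [ {wireguardPeerConfig={
            Endpoint = "192.168.1.${peerId}:51820";
            PublicKey = pubk;
            # Same caveat as PrivateKeyFile: writeText puts this preshared
            # key in the world-readable store. Outside a throwaway test,
            # point PresharedKeyFile at a root-only file that is not in
            # the store, and never reuse the key values published here.
            PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
            AllowedIPs = [ "10.0.0.${peerId}/32" ];
            PersistentKeepalive = 15;
          };}];
        };
      };

      networks = {
        # networkd applies the first .network file (in lexical order) whose
        # match succeeds: "30-eth1" below wins for eth1, and this catch-all
        # leaves every other eth* link unmanaged.
        "99-nope" = {
          matchConfig.Name = "eth*";
          linkConfig.Unmanaged = true;
        };
        "90-wg0" = {
          matchConfig = { Name = "wg0"; };
          address = [ "10.0.0.${nodeId}/32" ];
          routes = [
            # Whole tunnel subnet reachable via wg0.
            { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
          ];
        };
        "30-eth1" = {
          matchConfig = { Name = "eth1"; };
          address = [
            "192.168.1.${nodeId}/24"
            "fe80::${nodeId}/64"
          ];
          # One rule per routingPolicyRuleConfig member exercised by the
          # test script; the table numbers are what the script greps for.
          routingPolicyRules = [
            { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };}
            { routingPolicyRuleConfig = { Table = 20; OutgoingInterface = "eth1"; };}
            { routingPolicyRuleConfig = { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; };}
            { routingPolicyRuleConfig = { Table = 40; IPProtocol = "tcp"; InvertRule = true; };}
            # Table 50 (Family = ipv4) is configured but not asserted in
            # the test script.
            { routingPolicyRuleConfig = { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; };}
          ];
        };
      };
    };
  };
in import ./make-test-python.nix ({pkgs, ... }: {
  name = "networkd";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ninjatrappeur ];
  };

  # Two symmetric nodes; each one's pubk is the other's public key.
  # The key material is test-only and publicly known.
  nodes = {
    node1 = { pkgs, ... }@attrs:
      let localConf = {
        privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
        pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
        nodeId = "1";
        peerId = "2";
      };
      in generateNodeConf (attrs // localConf);

    node2 = { pkgs, ... }@attrs:
      let localConf = {
        privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
        pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
        nodeId = "2";
        peerId = "1";
      };
      in generateNodeConf (attrs // localConf);
  };

  testScript = ''
    start_all()
    node1.wait_for_unit("systemd-networkd-wait-online.service")
    node2.wait_for_unit("systemd-networkd-wait-online.service")

    # ================================
    # Wireguard
    # ================================
    node1.succeed("ping -c 5 10.0.0.2")
    node2.succeed("ping -c 5 10.0.0.1")
    # Is the fwmark set?
    # Query the fwmark field alone: a bare `grep 42` over the full `wg`
    # output would also match the "42" inside node2's own public key
    # (iRxpqj42...), so it could pass with no fwmark configured at all.
    # wireguard-tools prints the mark in hex, so 42 shows up as 0x2a.
    node2.succeed("wg show wg0 fwmark | grep -qx '0x2a'")

    # ================================
    # Routing Policies
    # ================================
    # Testing all the routingPolicyRuleConfig members:
    # Table + IncomingInterface
    node1.succeed("sudo ip rule | grep 'from all iif eth1 lookup 10'")
    # OutgoingInterface
    node1.succeed("sudo ip rule | grep 'from all oif eth1 lookup 20'")
    # From + To + SourcePort + DestinationPort
    node1.succeed(
        "sudo ip rule | grep 'from 192.168.1.1 to 192.168.1.2 sport 666 dport 667 lookup 30'"
    )
    # IPProtocol + InvertRule
    node1.succeed("sudo ip rule | grep 'not from all ipproto tcp lookup 40'")
  '';
})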