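# NixOS VM test: WireGuard interface placement across network namespaces.
#
# `socketNamespace` is the namespace the interface is created in (its UDP
# socket stays there); `interfaceNamespace` is the namespace the interface is
# moved to afterwards. The value "init" names the initial namespace.
#
# No WireGuard peers are configured, so this test covers namespace placement
# only. It does not exercise the tunnel itself.
let
  listenPort = 12345;
  socketNamespace = "foo";
  interfaceNamespace = "bar";

  # Configuration shared by every test machine.
  node = {
    networking.wireguard.interfaces.wg0 = {
      inherit listenPort;
      ips = [ "10.10.10.1/24" ];
      # The key is generated on the machine at service start instead of being
      # embedded in the configuration, so it never lands in the
      # world-readable Nix store.
      privateKeyFile = "/etc/wireguard/private";
      generatePrivateKeyFile = true;
    };
  };

in

import ../make-test-python.nix ({ pkgs, lib, kernelPackages ? null, ... }:
  let
    # Build one test machine: the shared `node` config, the optional kernel
    # override, and the per-peer wg0 settings given in `wg0`.
    mkPeer = wg0: pkgs.lib.attrsets.recursiveUpdate node {
      boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
      networking.wireguard.interfaces.wg0 = wg0;
    };
  in
  {
    name = "wireguard-with-namespaces";
    meta = with pkgs.lib.maintainers; {
      maintainers = [ asymmetric ];
    };

    nodes = {
      # interface should be created in the socketNamespace
      # and not moved from there
      peer0 = mkPeer {
        preSetup = ''
          ip netns add ${socketNamespace}
        '';
        inherit socketNamespace;
      };

      # interface should be created in the init namespace
      # and moved to the interfaceNamespace
      peer1 = mkPeer {
        preSetup = ''
          ip netns add ${interfaceNamespace}
        '';
        mtu = 1280;
        inherit interfaceNamespace;
      };

      # interface should be created in the socketNamespace
      # and moved to the interfaceNamespace
      peer2 = mkPeer {
        preSetup = ''
          ip netns add ${socketNamespace}
          ip netns add ${interfaceNamespace}
        '';
        inherit socketNamespace interfaceNamespace;
      };

      # interface should be created in the socketNamespace
      # and moved to the init namespace
      peer3 = mkPeer {
        preSetup = ''
          ip netns add ${socketNamespace}
        '';
        inherit socketNamespace;
        interfaceNamespace = "init";
      };
    };

    # Each peer is checked in both directions: wg0 must exist in the namespace
    # it is supposed to end up in, and must be absent from every other
    # namespace involved. The absence checks catch an interface that was
    # created in, or left behind in, the wrong namespace.
    testScript = ''
      start_all()

      for machine in peer0, peer1, peer2, peer3:
          machine.wait_for_unit("wireguard-wg0.service")

      # peer0: stays in the socket namespace, never visible in init
      peer0.succeed("ip -n ${socketNamespace} link show wg0")
      peer0.fail("ip link show wg0")

      # peer1: moved out of init, configured MTU applied after the move
      peer1.succeed("ip -n ${interfaceNamespace} link show wg0")
      peer1.succeed("ip -n ${interfaceNamespace} link show wg0 | grep -q 'mtu 1280'")
      peer1.fail("ip link show wg0")

      # peer2: moved from the socket namespace to the interface namespace
      peer2.succeed("ip -n ${interfaceNamespace} link show wg0")
      peer2.fail("ip -n ${socketNamespace} link show wg0")
      peer2.fail("ip link show wg0")

      # peer3: moved from the socket namespace back into init
      peer3.succeed("ip link show wg0")
      peer3.fail("ip -n ${socketNamespace} link show wg0")
    '';
  })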