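# NixOS VM test for systemd-networkd: two nodes bring up a WireGuard tunnel
# (wg0 carried over eth1) and exercise networkd's route-table, route and
# routing-policy-rule options; the test script then checks the resulting
# kernel state on the nodes.
let
  # Builds the NixOS configuration for one node of the test.
  # Beyond the usual module arguments it takes:
  #   privk  - this node's WireGuard private key (written to the store, see NOTE)
  #   pubk   - the peer's WireGuard public key
  #   nodeId - last octet of this node's 192.168.1.x / 10.0.0.x addresses
  #   peerId - last octet of the peer's addresses
  generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
    imports = [ common/user-account.nix ];
    # Verbose networkd logging makes failures in the VM test easier to diagnose.
    systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
    networking.useNetworkd = true;
    networking.useDHCP = false;
    networking.firewall.enable = false;
    virtualisation.vlans = [ 1 ];
    environment.systemPackages = with pkgs; [ wireguard-tools ];
    systemd.network = {
      enable = true;
      config = {
        # Named route table; the test script greps for RouteTable=custom:23.
        routeTables.custom = 23;
      };
      netdevs = {
        "90-wg0" = {
          netdevConfig = { Kind = "wireguard"; Name = "wg0"; };
          wireguardConfig = {
            # NOTE: we're storing the wireguard private key in the
            # store for this test. Do not do this in the real
            # world. Keep in mind the nix store is
            # world-readable.
            PrivateKeyFile = pkgs.writeText "wg0-priv" privk;
            ListenPort = 51820;
            # Verified by the test script via `wg show wg0 fwmark` (42 == 0x2a).
            FirewallMark = 42;
          };
          wireguardPeers = [ {wireguardPeerConfig={
            Endpoint = "192.168.1.${peerId}:51820";
            PublicKey = pubk;
            # The preshared key is placed in the world-readable store as well;
            # the same caveat as for the private key above applies.
            PresharedKeyFile = pkgs.writeText "psk.key" "yTL3sCOL33Wzi6yCnf9uZQl/Z8laSE+zwpqOHC4HhFU=";
            AllowedIPs = [ "10.0.0.${peerId}/32" ];
            PersistentKeepalive = 15;
          };}];
        };
      };
      networks = {
        # Leave every eth* link unmanaged by default; eth1 gets its own unit below.
        "99-nope" = {
          matchConfig.Name = "eth*";
          linkConfig.Unmanaged = true;
        };
        "90-wg0" = {
          matchConfig = { Name = "wg0"; };
          address = [ "10.0.0.${nodeId}/32" ];
          routes = [
            { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
            # Same route once more in the custom table; checked with
            # `ip route show table custom` in the test script.
            { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; Table = "custom"; }; }
          ];
        };
        "30-eth1" = {
          matchConfig = { Name = "eth1"; };
          address = [
            "192.168.1.${nodeId}/24"
            "fe80::${nodeId}/64"
          ];
          # One rule per routingPolicyRuleConfig member under test; each is
          # matched against `ip rule` output in the test script.
          routingPolicyRules = [
            { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };}
            { routingPolicyRuleConfig = { Table = 20; OutgoingInterface = "eth1"; };}
            { routingPolicyRuleConfig = { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666; DestinationPort = 667; };}
            { routingPolicyRuleConfig = { Table = 40; IPProtocol = "tcp"; InvertRule = true; };}
            { routingPolicyRuleConfig = { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; };}
          ];
        };
      };
    };
  };
in import ./make-test-python.nix ({pkgs, ... }: {
  name = "networkd";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ninjatrappeur ];
  };
  nodes = {
    # Each node gets its own key pair and address suffix; pubk is the
    # other node's public key.
    node1 = { pkgs, ... }@attrs:
      let localConf = {
        privk = "GDiXWlMQKb379XthwX0haAbK6hTdjblllpjGX0heP00=";
        pubk = "iRxpqj42nnY0Qz8MAQbSm7bXxXP5hkPqWYIULmvW+EE=";
        nodeId = "1";
        peerId = "2";
      };
      in generateNodeConf (attrs // localConf);

    node2 = { pkgs, ... }@attrs:
      let localConf = {
        privk = "eHxSI2jwX/P4AOI0r8YppPw0+4NZnjOxfbS5mt06K2k=";
        pubk = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
        nodeId = "2";
        peerId = "1";
      };
      in generateNodeConf (attrs // localConf);
  };
testScript = ''
    start_all()
    node1.wait_for_unit("systemd-networkd-wait-online.service")
    node2.wait_for_unit("systemd-networkd-wait-online.service")

    # ================================
    # Networkd Config
    # ================================
    node1.succeed("grep RouteTable=custom:23 /etc/systemd/networkd.conf")
    node1.succeed("sudo ip route show table custom | grep '10.0.0.0/24 via 10.0.0.1 dev wg0 proto static'")

    # ================================
    # Wireguard
    # ================================
    node1.succeed("ping -c 5 10.0.0.2")
    node2.succeed("ping -c 5 10.0.0.1")
    # Is the fwmark set? A bare `wg | grep -q 42` also matches a "42" inside
    # any base64 key that `wg` prints (the peer key configured on node1 is
    # one such key), so query the fwmark field itself. wg reports it in hex.
    node1.succeed("wg show wg0 fwmark | grep -q '^0x2a$'")
    node2.succeed("wg show wg0 fwmark | grep -q '^0x2a$'")

    # ================================
    # Routing Policies
    # ================================
    # Testing all the routingPolicyRuleConfig members:
    # Table + IncomingInterface
    node1.succeed("sudo ip rule | grep 'from all iif eth1 lookup 10'")
    # OutgoingInterface
    node1.succeed("sudo ip rule | grep 'from all oif eth1 lookup 20'")
    # From + To + SourcePort + DestinationPort
    node1.succeed(
        "sudo ip rule | grep 'from 192.168.1.1 to 192.168.1.2 sport 666 dport 667 lookup 30'"
    )
    # IPProtocol + InvertRule
    node1.succeed("sudo ip rule | grep 'not from all ipproto tcp lookup 40'")
'';
})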